This article talks you through setting up and managing multi-factor authentication (MFA), how to approve MFA requests and what to do if you get an unexpected MFA request.

The University is starting to implement MFA across a number of systems in order to protect students, staff, our systems and information from cyber security threats. It is well understood that having a second form of identification significantly reduces the risk of external attack and unauthorised access to systems and information. This is why many banks and financial services companies operate this process with their customers, and it's important that as a university we keep up with these threats in a similar way.

Setting up MFA

The MFA system used by the University is provided by Microsoft as part of the Microsoft 365 cloud.

You can access manage mode by going to mysecurityinfo, or by going to Portal Office, opening My Profile and then selecting Security info.

From there, you can add methods, delete or change existing methods, change the default method, and more.

[Image: sign-in-digital-services]

Click the '+ Add method' button.

Please use 'Authenticator app' as your primary method. We recommend adding 'Phone' as a secondary method if you wish. Only one method is required, but having more does help if you encounter account problems.

Please note - The other options (such as Alternative phone, Email and Security questions) do not work with MFA but can be configured for self-service password reset (SSPR), which we will be making available to all staff and students soon. SMS MFA is considered insecure as SMS messages can be intercepted easily and SIM swap attacks are becoming more common.

You can now follow through the setup wizard to configure the chosen verification method.

Authenticator App

If you do not already use this, you will need to download the Microsoft Authenticator (or Google Authenticator) app on your smartphone, which will then allow you to approve or deny any MFA requests as you log in to your account. Just go to the relevant app store on your phone and download it from there if required.

If you have a work-provided smartphone, you are welcome to install the app on that. For convenience, you may wish to install it on your personal smartphone. This may then also get you thinking about securing your personal accounts with MFA, making your personal digital life more secure too. The app is free and secure, so there's no reason not to use it. It does not interfere with your device in any way. Once you have set it up, it stays configured. It also allows linked accounts to be transferred if you change phone. It is not mandatory to install the app on a personal device, but we do appreciate users who are willing to do this to help make the University's data and infrastructure more secure.

If you are unwilling to use a personal smartphone and do not have a work smartphone provided, you may ask the Helpdesk or your Manager if your role requires a work-provided smartphone. Failing that, you may use the alternative authentication method recommended above (phone) and provide your work landline as the phone number.

Approving an MFA Request with authenticator app

Once configured, when you try to sign in to a system that uses MFA you will see a prompt like this:

[Image: approve-sign-in-digital-services]

You then just need to go to your phone and open the Authenticator app. Alternatively, a pop-up may appear requesting you to authorise the log in attempt (this can also appear in the drop-down menu of your phone).

Click Approve on your phone and it will log you into your account.

Timeout
If you fail to approve the request in time, the request will time out and you will see a prompt like this to let you know:

[Image: login-fail-digital-servies]

If you need to, you can send another request from this prompt. You also have the option of selecting a second authentication method, if you have configured this.

Using phone as authentication method
If you have selected phone as an authentication method, when a request is generated the phone will ring and you will be required to press the # key to approve the request. You may set your work landline as a method, and you can use Jabber to access it. Instructions for setting this up are in Solve Knowledge article KI 0137 - Jabber: Quick Start Guide. An audio guide is also located at KI 0145 - Audio Settings for Jabber and MS Teams.

If you receive an unexpected MFA Request
If you receive an MFA request that you are not expecting, you should deny the request, as it may be someone trying to access your account. You should report this to Digital Services using the built-in reporting tools.

If you are using the Microsoft Authenticator app, you can report the request after it has been denied.

If you are using phone-based MFA, you can report fraud during the initial greeting by pressing 5 and then # (hash/pound key).

Extra Reading - What exactly is an authenticator app?
Don't worry, this app only links to your University account, or any other personal accounts you add, and does not affect your smartphone in any way. It has been created by Microsoft or Google, depending on which one you install, and has no control over your device. As mentioned, it is best practice to set up MFA for any and all online accounts that support it, such as social media or online shopping, to protect these accounts from being hacked or taken over by a malicious user. An ever-increasing number now require this as standard, which is great for keeping you secure.

Why is it needed?
Without MFA enabled, all it takes is for a company you are registered with to have a data breach and for your details (such as username and password) to be harvested by bad actors. This information can then be sold on the dark web and misused by anyone willing to buy it. These people could then use that account by simply logging in, with no extra checks being performed.

Adding MFA adds a second layer of security that sense checks who you are and immediately stops any attacks like this. It also gives you visibility if someone is trying to hack your account, as you get an authentication request, which is also really useful.
