Multi-Factor Authentication (MFA)

Written by Christopher Lee

Last published at: October 16th, 2023

Overview

Account security measures are becoming more and more important in every facet of one's digital presence.

Educational institutions are increasingly being targeted, mostly because of the following:

  • Large amounts of data (student/parent/staff)
  • Many possible ways to access part or all of the data
  • Limited resources/training to prevent attacks/compromises

As a result, many insurance companies that provide cyber insurance are requiring systems to be protected by multi-factor / 2-factor authentication (MFA/2FA).

You may have encountered MFA when your online bank texts or emails you a code to enter for verification.

What is MFA?


Multi-Factor Authentication (MFA) is the process of using items from different sources to validate one's identity or account. Common sources include: 

  • Something you know: like a password or Personal Identification Number (PIN); 
  • Something you have: like a smart card, mobile token, or hardware token; and, 
  • Some form of biometric factor (e.g., fingerprint, palm print, or voice recognition). 

MFA Summary 


Analogy Time 

Imagine you have a safe at home with lots of valuable possessions inside. The safe is protected with a code (something you know), which provides one layer of security. But let’s say someone gets a hold of that code. They can use it to open the safe.

Let’s say that in addition to a code, you also needed another element to open the safe – maybe a key (something you have) or fingerprint scanner (biometrics). The fact that you need those additional steps to open the safe makes it more difficult for anyone else to open it.

 
 
 
 

Students / Parents

Not on road map

Currently there is no plan to force MFA on student/parent accounts.

 
 
 

Staff / Contractors

Authenticator App users

If you choose to use an authenticator app, any action that breaks or removes the registration between the authenticator app and Microsoft (e.g., removing the app or getting a new phone) will require the app to be re-registered. Contact Helpdesk to clear the invalid registration.

 

Multiple Methods

Microsoft allows you to set up multiple methods in the event one is unavailable/invalid.

Example: Microsoft Authenticator App and cell phone number.

In the event of a new phone, you can still receive an MFA code via text/call. This lets you keep access while you clear the old Microsoft Authenticator setup and re-register with the new phone.

 

 

MFA Methods

Below is a list of the methods Microsoft currently supports.

They are listed in order from most secure to least secure.

  • Microsoft Authenticator App:
    • Register the app on your mobile device
    • Provides both online (have Internet/cellular) and offline authentication
      • Online - Receives notifications from Microsoft for login verification (verify the number on screen)
      • Offline - Can generate a security key/code
  • Security key:
    • The Technology department sets up and issues a key fob that is associated with your account.
    • Provides offline authentication via a generated security key/code
  • Mobile device text:
    • Register a mobile phone (requires cellular service) to receive a text message
  • Mobile device or work phone call:
    • Register a mobile phone (requires cellular service) or desk phone to receive a call
 
 

MFA User Settings - Setup

To properly use MFA, you will need to have at least one sign-in method set up.

E-mail

You may find an appleid.shakopeeschools.org email registered.  You may remove this and enter a personal address if desired.

 

 

To set up sign-in methods, visit the MFA Portal, either via "365 - MFA Portal" located in Employee Self Service of ClassLink LaunchPad or at http://aka.ms/mfasetup.

  1. Click “Add Sign-In Method”
  2. Select the desired method to set up and complete the prompts
  3. Once at least one method is configured, select the desired default sign-in method
      The available choices will vary depending on which methods are set up.
      App-based authentication is more secure than call/text.

Resources:

 
 

MFA FOB usage

When prompted for an MFA code during account sign-in, press the display button on your issued FOB to display the 6-digit code.

The code is good for 60 seconds. The doughnut on the right indicates the remaining life of the code; each section is 10 seconds.

 
 
 
 

Vendors

Implementing

The goal is that by the middle of the ‘23-’24 school year, all vendor accounts will be MFA'd.

 
 
 

FAQ

I deleted the authenticator app and am now unable to verify.

You will need to contact Helpdesk to:

  • Remove invalid authenticator registration and allow you to re-register authenticator app.
  • Issue temp pass code
 
 

I got a new phone and now the authenticator isn't valid.

You will need to contact Helpdesk to:

  • Remove invalid authenticator registration and allow you to re-register authenticator app.
  • Issue temp pass code
 
 

I am not in the building and cannot get the confirmation call on my desk phone.

You will need to contact Helpdesk to either:

  • Issue temp pass code have either remove 
  • Add additional phone #
 
 

Can I use more than 1 factor?

Yes, you can log into http://aka.ms/mfasetup and configure additional MFA factors in the event one is unavailable/invalid (reinstalling the Authenticator app / new phone).

Once signed in click

Select the desired method (your list might vary)

Follow the steps on screen to complete setup.

 

To use alternate method

Look for an option that states either that you are unable to use the Authenticator app or that you want to get a code a different way.

Some Examples:

Select the alternate method available to you.