Middlebury

Difference between revisions of "Multi-Factor Authentication"

 
(182 intermediate revisions by 8 users not shown)
Line 1: Line 1:
Multi-Factor Authentication (or MFA) helps protect your Middlebury account from potential compromise. MFA works by complementing your password, "something you know", with "something you have", like your phone or mobile device. Read on to learn more about MFA.
 
  
=== What is Multi-Factor Authentication ===
+
If you are unfamiliar with the concept of multi-factor authentication (MFA), please visit our [[Multi-Factor_Authentication_Overview|overview page]] to learn the basics first before continuing.
Multi-Factor Authentication (or MFA for short) is a security technology which leverages something you know, such as a password, and something you have, such as your phone, to increase the protection of accounts and services. The general idea of MFA is that you start by authenticating against the service with your usual user ID and password and then you are prompted for a second form of authentication, such as a text or voice message that is sent to your phone or a verification code generated by a mobile application on your device. This use of multiple factors of verification to prove the authenticity of the user, delivers greatly improved security for accounts and services.
 
  
For more information on MFA please see this PDF presentation: [http://www.middlebury.edu/system/files/media/Information%20Security%20Awareness%20-%20-MFA%20-%2008262016.pdf What is MFA] and/or watch this short video: [https://www.youtube.com/watch?v=__ytuEiY-Aw Azure Multi-Factor Authentication Video (3m 25s)]
+
=== What should I do to prepare for MFA? ===
  
=== Signing up for Multi-Factor Authentication ===
+
Check out our [[Multi-Factor_Authentication_Readiness|readiness info page]] for details. You'll learn useful '''tips''' and find details about '''how to sign up''' when you're all set to go.
If you would like to sign up for MFA, please submit a Web Help Desk ticket requesting that MFA be enabled for your account (Request Type: Information Security/Multi-Factor Authentication) or simply visit: [http://go.middlebury.edu/getmfa http://go.middlebury.edu/getmfa].
 
  
Newer versions of Microsoft Outlook and Microsoft Office include built in support for Multi-Factor Authentication. '''We strongly recommend upgrading to Microsoft Office 2016 before enrolling in MFA.''' Contact the Helpdesk for instructions on updating your MS Office Suite to 2016, or visit this link: [http://mediawiki.middlebury.edu/wiki/LIS/Office_2016#College-Owned_Computers http://mediawiki.middlebury.edu/wiki/LIS/Office_2016#College-Owned_Computers].
+
 
  
After MFA has been enabled for your account, '''iOS Mail and Android Mail have to be reconfigured to use special [[#App Passwords]]'''. Details, including a brief video tutorial are available below.
+
=== How do I set up MFA? ===
  
=== Enabling Multi-Factor Authentication ===
+
Upon receipt of your Multi-Factor Authentication sign-up request, ITS will enable MFA on your account, then send you a “Middlebury Multi-Factor Authentication Enrollment” email containing links to Microsoft’s MFA Setup page and our [http://go.middlebury.edu/mfaguide Security Info Quick Setup] guide. Follow the instructions presented to set up authentication methods you wish to use with your account.
Upon completion of your MFA sign-up request, you will receive a “Middlebury Multi-Factor Authentication Enrollment” email. The enrollment email will include a link to [https://aka.ms/MFASetup Microsoft’s MFA Setup page]. Follow the instructions included in the link to enable MFA for your account.
 
  
Here's a '''[https://channel9.msdn.com/posts/Multi-Factor-Account-Setup short video]''' that demonstrates how to setup multi-factor authentication as well as how to configure App Passwords: [https://channel9.msdn.com/posts/Multi-Factor-Account-Setup How To Set Up Multi-Factor for Your Account]. 
+
'''Important:'''
  
Please note that any device that you wish to configure to use MFA must have a working network connection.
+
*ITS must first enable MFA on your account '''before '''you proceed with the setup!
 +
*Any device you wish to configure to use MFA must have a working network connection at the time of setup.
 +
*By clicking the "Set it up now" button, you are activating Multi-Factor Authentication and you must complete the setup process or you may be unable to access your account, including your email.  
  
===  App Passwords ===
+
 
Apple Mail, iOS Mail, Android E-mail, Thunderbird, and other email clients that do not have built-in support for multi-factor authentication require a special “App Password” to work with MFA.
 
 
'''This means that if you have enabled multi-factor authentication and you are are attempting to use a non-Microsoft email client, or another non-browser app, you will not be able to connect until you configure an App Password.''' 
 
  
Once you have an app password, you use this in place of your regular Middlebury network password with these 3rd-party email clients and non-browser apps.
+
=== Which MFA setup method should I choose? ===
  
So for instance, if you are using multi-factor authentication and the Apple native email client on your phone, you can use an App Password so that it can bypass multi-factor authentication and continue to work.
+
Here are descriptions of the most common scenarios, along with our MFA setup recommendations for each one.  Please visit our [[Multi-Factor_Authentication_Verification_Methods|MFA verification wiki page]] for additional details about specific options.
  
To create an app password in our [https://portal.office.com/Home Office 365 portal]*:
+
'''Scenario A:  I have a Smartphone -- and I travel internationally and/or travel in areas without cellular coverage.'''
 
# Log on to the [https://portal.office.com/Home Office 365 portal].
 
# In the top right corner select the widget and choose Office 365 '''Settings'''.
 
# Click on '''Additional security verification'''.
 
# On the right, click the link that says '''Update my phone numbers used for account security'''.
 
# This will take you to the page that will allow you to change your settings.
 
# At the top, next to additional security verification, click on '''app passwords'''.
 
# Click Create.
 
# Enter a name for the app password and click Next.
 
# Write down the app password and be ready to enter it into your account settings on your iOS device.
 
# Let us know you are ready for MFA to be enabled.
 
  
It is recommended that you use one App Password per device.
+
*<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Choose Microsoft's Authenticator app with a <u>code</u>.</span>
  
'''You will also need to make sure that the server name in your account settings is changed to outlook.office365.com and is no longer mail.middlebury.edu.'''
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">This method is recommended when you have a device that supports Microsoft's Authenticator app and you will be in areas without consistent network access. When presented with an MFA challenge you will need to input the code displayed by the Authenticator app to complete your login.</span>
  
Please see '''[https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-end-user-app-passwords/ What are App Passwords in Azure Multi-Factor Authentication?]''' for more details.
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Network access is <u>NOT</u> required for the MS Authentication app to provide you with a '''code'''.</span>
  
=== Supported versions of Microsoft Office and Outlook  ===
+
&nbsp;
Newer versions of Microsoft Outlook and Microsoft Office include built in support for Multi-Factor Authentication. '''We highly recommend upgrading to Microsoft Office 2016 before enrolling in MFA.'''
 
  
MFA will work with Outlook 2013 with a few minor tweaks to your Windows computer (one or two registry keys may have to be updated). The Help Desk team can assist with the necessary changes.
+
'''Scenario B:&nbsp; I have a Smartphone -- and I ''rarely ''travel in areas without cellular coverage.'''
  
MFA will work with Outlook 2010 for Windows, but requires the use of a [[#App Passwords]]. The same is true for Outlook 2011 for Mac. App Passwords are required for these legacy Outlook clients.
+
*<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Choose Microsoft's Authenticator app with <u>notifications</u>.</span>
  
MFA also works with Microsoft's Office 365 mobile applications, including Outlook for iOS and Outlook for Android.
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">This method is recommended when you have a device that supports Microsoft's Authenticator app and you will be in areas with consistent network access. When presented with an MFA challenge you will need to click '''Approve''' on your device to complete your login. '''Caution! '''Only click Approve when you have signed into a service you anticipate will trigger an authentication challenge.</span>
  
{|
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Network access cellular or wifi <u>IS</u> required for the MS Authentication app to provide a '''notification'''.</span>
!Office client application
 
!Windows
 
!Mac OS X
 
!Windows Phone
 
!iOS
 
!Android
 
|-
 
|Office clients
 
|Available now for Office 2013 and Office 2016.
 
|Available now for Office 2016 Mac
 
|Available now
 
|Outlook, Word, Excel, and PowerPoint are available now.
 
|Android Phones: Word, Excel, and PowerPoint are available now.
 
Android Tablets: Word, Excel, and PowerPoint are coming soon.
 
|-
 
|Outlook
 
|Included in Office Client.
 
|Available now.
 
|Coming soon.
 
|Available now.
 
|Available now.
 
|-
 
|Native Apps
 
|
 
|
 
|
 
|iOS Mail require [[#App Passwords]]
 
|Android Mail require [[#App Passwords]]
 
|-
 
|Legacy Clients
 
|Office 2010 and Office 2007 do no support MFA.
 
|Office for Mac 2011 does not support MFA.
 
|Windows Phone 7 does not support MFA.
 
|There are no plans to enable older Outlook iOS clients
 
|There are no plans to support older Outlook Android clients
 
|}
 
  
''Source: [https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/ Updated Office 365 modern authentication]''
+
&nbsp;
 +
 
 +
'''Scenario C:&nbsp; I have a Flip or Feature phone.'''
 +
 
 +
*<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Choose Phone then specify Call or Text.</span>
 +
 
 +
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">This method is recommended when you have a device that doesn’t support the Microsoft Authenticator app. When presented with an MFA challenge you will have to receive a phone call then press '''#''', or else receive an SMS text message then enter the provided code, in order to complete your login.</span>
 +
 
 +
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Travel to areas without cellular coverage is '''not '''supported by this method.</span> &nbsp;
 +
 
 +
&nbsp;
 +
 
 +
=== How do I use Multi-factor Authentication once I have it set up? ===
 +
 
 +
Once you complete your MFA set up, here is what to expect.
 +
 
 +
*When you log in to an MFA-protected service from '''within''' the Middlebury or Monterey networks, you will '''not''' be prompted for verification.
 +
 
 +
*When you log in to an MFA-protected service (such as Webmail or Google) from '''outside''' our networks, there is one additional step. After correctly entering your Middlebury email address and password at the login screen of the service you wish to access, you will be prompted to verify your login request.&nbsp; This could be in the form of a phone call, text message, or mobile app notification or code, depending on the option you specified during the setup process.
 +
**For example, if you chose the "Notify me through the app" option, you would enter your Middlebury email address and password at the online service’s login screen, then you would receive a notification from the Microsoft Authenticator app on your mobile device prompting you to “Approve" or “Deny” the login request. 
 +
 
 +
'''Important notes:'''
 +
 
 +
*During the login process you can click the checkbox to '''remember my device for 30 days'''. With this setting enabled, you won’t be prompted again for Multi-Factor Authentication from that application on that device for another thirty days.
 +
*'''Caution!&nbsp; Only approve verification requests that you initiate!'''&nbsp; This is relevant to the "Notify me through app" and "Call my authentication phone" verification options. Imagine an online criminal has your password and is trying to access your account. Once Multi-Factor Authentication has been enabled for your account, this access attempt would generate a login verification request. If you approved this verification request, the criminal would be able to access your account!&nbsp;&nbsp;
 +
 
 +
&nbsp;
 +
 
 +
&nbsp;
 +
 
 +
=== How do I set up MFA to access Oracle or Blackbaud? ===
 +
 
 +
Oracle and Blackbaud acounts are provided by '''GMHEC '''rather than Middlebury, and they require a <u>separate</u> MFA setup.&nbsp; If you are off-campus and you already have MFA protection for your Middlebury account, you will be prompted to enroll in GMHEC's multi-factor authentication (MFA) if you haven’t already enrolled.&nbsp; See “[https://drive.google.com/uc?export=view&id=16ADPj7Qt9dF6aushMVTBbvFrvD-_g6FO Enrolling in GMHEC Multi-Factor Authentication]” for information. &nbsp;
 +
 
 +
&nbsp;
 +
 
 +
=== How do I adjust my MFA settings if my situation changes? ===
 +
 
 +
It's easy to change your multi-factor authentication settings.&nbsp; Here's how:
 +
 
 +
#Visit [http://go.middlebury.edu/mfasetup http://go.middlebury.edu/mfasetup].&nbsp; You will receive an MFA challenge.
 +
#From the ''Security Info ''page, you'll find links that allow you to '''change''' or '''delete '''methods you set up previously, including your default method for receiving MFA challenges.
 +
 
 +
[[Category:Helpdesk Documentation]] [[Category:Public Search]] [[Category:MFA]] [[Category:Security]]
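
Review bot: The added "Caution! Only approve verification requests that you initiate!" bullet under "Important notes" explains why an unexpected request is dangerous but never tells the reader what to do with one; suggest adding that they should choose "Deny" (the option named in the "Notify me through the app" example just above it) and then change their password, since the bullet's own scenario is that someone else already has it. Two smaller points in the added text: "Oracle and Blackbaud acounts" should read "accounts", and the Scenario A, B and C paragraphs are wrapped in pasted span markup with inline font styling that could be dropped in favour of plain wikitext. The removed App Passwords section and Office client table have no counterpart in the added lines, so if iOS Mail, Android Mail or Outlook 2010 users still need that guidance, a link to where it now lives would help.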

Latest revision as of 13:51, 22 November 2019

If you are unfamiliar with the concept of multi-factor authentication (MFA), please visit our overview page to learn the basics first before continuing.

What should I do to prepare for MFA?

Check out our readiness info page for details. You'll learn useful tips and find details about how to sign up when you're all set to go.

 

How do I set up MFA?

Upon receipt of your Multi-Factor Authentication sign-up request, ITS will enable MFA on your account, then send you a “Middlebury Multi-Factor Authentication Enrollment” email containing links to Microsoft’s MFA Setup page and our Security Info Quick Setup guide. Follow the instructions presented to set up authentication methods you wish to use with your account.

Important:

  • ITS must first enable MFA on your account before you proceed with the setup!
  • Any device you wish to configure to use MFA must have a working network connection at the time of setup.
  • By clicking the "Set it up now" button, you are activating Multi-Factor Authentication and you must complete the setup process or you may be unable to access your account, including your email.

 

Which MFA setup method should I choose?

Here are descriptions of the most common scenarios, along with our MFA setup recommendations for each one.  Please visit our MFA verification wiki page for additional details about specific options.

Scenario A:  I have a Smartphone -- and I travel internationally and/or travel in areas without cellular coverage.

  • Choose Microsoft's Authenticator app with a code.

This method is recommended when you have a device that supports Microsoft's Authenticator app and you will be in areas without consistent network access. When presented with an MFA challenge you will need to input the code displayed by the Authenticator app to complete your login.

Network access is NOT required for the MS Authentication app to provide you with a code.

 

Scenario B:  I have a Smartphone -- and I rarely travel in areas without cellular coverage.

  • Choose Microsoft's Authenticator app with notifications.

This method is recommended when you have a device that supports Microsoft's Authenticator app and you will be in areas with consistent network access. When presented with an MFA challenge you will need to click Approve on your device to complete your login. Caution! Only click Approve when you have signed into a service you anticipate will trigger an authentication challenge.

Network access (cellular or Wi-Fi) IS required for the MS Authentication app to provide a notification.

 

Scenario C:  I have a Flip or Feature phone.

  • Choose Phone then specify Call or Text.

This method is recommended when you have a device that doesn’t support the Microsoft Authenticator app. When presented with an MFA challenge you will have to receive a phone call then press #, or else receive an SMS text message then enter the provided code, in order to complete your login.

Travel to areas without cellular coverage is not supported by this method.  

 

How do I use Multi-factor Authentication once I have it set up?

Once you complete your MFA setup, here is what to expect.

  • When you log in to an MFA-protected service from within the Middlebury or Monterey networks, you will not be prompted for verification.
  • When you log in to an MFA-protected service (such as Webmail or Google) from outside our networks, there is one additional step. After correctly entering your Middlebury email address and password at the login screen of the service you wish to access, you will be prompted to verify your login request.  This could be in the form of a phone call, text message, or mobile app notification or code, depending on the option you specified during the setup process.
    • For example, if you chose the "Notify me through the app" option, you would enter your Middlebury email address and password at the online service’s login screen, then you would receive a notification from the Microsoft Authenticator app on your mobile device prompting you to “Approve” or “Deny” the login request.

Important notes:

  • During the login process you can click the checkbox to remember my device for 30 days. With this setting enabled, you won’t be prompted again for Multi-Factor Authentication from that application on that device for another thirty days.
  • Caution!  Only approve verification requests that you initiate!  This is relevant to the "Notify me through app" and "Call my authentication phone" verification options. Imagine an online criminal has your password and is trying to access your account. Once Multi-Factor Authentication has been enabled for your account, this access attempt would generate a login verification request. If you approved this verification request, the criminal would be able to access your account!  

 

 

How do I set up MFA to access Oracle or Blackbaud?

Oracle and Blackbaud accounts are provided by GMHEC rather than Middlebury, and they require a separate MFA setup. If you are off-campus and you already have MFA protection for your Middlebury account, you will be prompted to enroll in GMHEC's multi-factor authentication (MFA) if you haven’t already enrolled. See “Enrolling in GMHEC Multi-Factor Authentication” for information.

 

How do I adjust my MFA settings if my situation changes?

It's easy to change your multi-factor authentication settings.  Here's how:

  1. Visit http://go.middlebury.edu/mfasetup.  You will receive an MFA challenge.
  2. From the Security Info page, you'll find links that allow you to change or delete methods you set up previously, including your default method for receiving MFA challenges.