Middlebury

Difference between revisions of "Multi-Factor Authentication"

m (Can I use Multi-Factor Authentication without a Smartphone?)
m (Spacing)
 
(58 intermediate revisions by 3 users not shown)
Line 1: Line 1:
=== What is Multi-Factor Authentication? ===
 
Multi-Factor Authentication is a security technology that helps protect your Middlebury and GMHEC accounts from potential compromise by requiring the use of more than just a username and password to prove your identity during login.
 
  
 +
=== What is Multi-factor Authentication? ===
  
=== How does Multi-Factor Authentication work? ===
+
If you are unfamiliar with the concept of multi-factor authentication, please visit our [[Multi-Factor_Authentication_Overview|overview page]] to learn more.
Middlebury's implementation of Multi-Factor Authentication has been designed so that you can easily protect your account. Here is how it works...
 
  
* If you are logging in to a Multi-Factor Authentication protected service from '''within''' the Middlebury or Monterey networks, you will '''not''' be prompted for verification. All account compromises that have occurred in the last year have been from outside our networks.
+
 
* If you are logging in to a Multi-Factor Authentication protected service from '''outside''' our networks, there is one additional step. After correctly entering your Middlebury email address and password at the login screen of the service you wish to access, you will then be prompted to verify that it is actually you trying to log in. This verification can come to you in the form of a phone call, text message, or mobile app notification or code. <br>
 
::'''Important note:''' During the login process you can click the checkbox to '''remember my device for 30 days'''. With this setting enabled, you won’t be prompted again for Multi-Factor Authentication from that application on that device for another thirty days.
 
<br>
 
<br>
 
=== Why do I need Multi-Factor Authentication? ===
 
Multi-Factor Authentication helps safeguard your Middlebury and GMHEC accounts from online criminals who would steal your credentials and use them to launch cyber attacks from our technology services and/or steal sensitive and confidential information.
 
<br>
 
<br>
 
  
=== How do I prepare for Multi-Factor Authentication? ===
+
=== What should I do to prepare for MFA? ===
'''The following tips will help ensure that your Multi-Factor Authentication setup goes smoothly.'''
 
  
====== Tip #1: Install the Microsoft Authenticator app on your smartphone ======
+
Check out our [[Multi-Factor_Authentication_Readiness|readiness info page]] for details. You'll learn useful '''tips''' and find details about '''how to sign up''' when you're all set to go.
Consider installing the official Microsoft Authenticator app on your smartphone. The Authenticator app is not required, but it is very easy to configure and use, and it is the recommended alternative to SMS text-based authentication.
 
<br><br>
 
Visit our [[Microsoft_Authenticator_App|'''Microsoft Authenticator app''']] wiki page for setup instructions.
 
<br><br>
 
  
====== Tip #2: Install the Microsoft Outlook app on your mobile device(s) ======
+
&nbsp;
Consider installing the official Microsoft Outlook app on your smartphone and tablet. The Outlook mobile app includes built-in support for Multi-Factor Authentication.  It also provides remote access to Middlebury’s directory, which is particularly handy when you are on the road and need to look up someone’s contact information.
 
*[https://itunes.apple.com/us/app/microsoft-outlook-email-calendar/id951937596 Microsoft Outlook on the Apple App Store]
 
*[https://play.google.com/store/apps/details?id=com.microsoft.office.outlook&hl=en Microsoft Outlook on the Google Play store]
 
<br />
 
<br />
 
  
=== Can I use Multi-Factor Authentication without a Smartphone? ===
+
=== How do I set up MFA? ===
'''YES!''' You can still use Multi-Factor Authentication even without a smartphone. Contact [mailto:infosec@middlebury.edu?subject=mfa-nophone Middlebury Information Security] for help getting setup.
 
<br>
 
<br>
 
  
=== How do I sign up for Multi-Factor Authentication? ===
+
Upon receipt of your Multi-Factor Authentication sign-up request, ITS will enable MFA on your account, then send you a “Middlebury Multi-Factor Authentication Enrollment” email containing links to Microsoft’s MFA Setup page and our [http://go.middlebury.edu/mfaguide Security Info Quick Setup] guide. Follow the instructions presented to set up authentication methods you wish to use with your account.
If you are interested in taking advantage of Multi-Factor Authentication, simply [http://go.middlebury.edu/getmfa submit the request here] to let ITS know that you would like Multi-Factor Authentication enabled for your account. You will receive a followup email containing setup instructions.
 
<br><br>
 
  
=== How do I set up Multi-Factor Authentication? ===
+
'''Important:'''
Upon completion of your Multi-Factor Authentication sign-up request, you will receive a “Middlebury Multi-Factor Authentication Enrollment” email. The enrollment email will include a link to [https://aka.ms/MFASetup Microsoft’s Multi-Factor Authentication Setup page].  Follow the instructions included in the link to enable Multi-Factor Authentication for your account.
 
* Please note that any device that you wish to configure to use MFA must have a working network connection at the time of setup.
 
* By clicking the "Set it up now" button, you are activating Multi-Factor Authentication and you must complete the setup process or you may be unable to access your account, including your email.
 
<br />
 
<br />
 
==== What are the Multi-Factor Authentication verification options? ====
 
There are several different options for completing Multi-Factor Authentication verification. Choose the one that makes the most sense for your situation and follow the on-screen instructions.
 
  
Please note that the Microsoft Authenticator app is the recommended choice for Multi-Factor Authentication verification. You install this app on your mobile device. The Microsoft Authenticator App offers two verification methods, “Notify me through app” and “Use verification code from app”.
+
*ITS must first enable MFA on your account '''before '''you proceed with the setup!
+
*Any device you wish to configure to use MFA must have a working network connection at the time of setup.
====== Use verification code from app *Recommended - always works* ======
+
*By clicking the "Set it up now" button, you are activating Multi-Factor Authentication and you must complete the setup process or you may be unable to access your account, including your email.  
You enter your Middlebury email address and password at an online service’s login screen and then you are prompted to enter the code displayed in the Microsoft Authenticator app.
 
  
====== Text code to my authentication phone ======
+
&nbsp;
You enter your Middlebury email address and password at an online service’s login screen and then you are prompted to enter the code that the Multi-Factor Authentication service has texted to your mobile phone.
 
  
====== Call my authentication phone ======
+
=== Which MFA setup method should I choose? ===
You enter your Middlebury email address and password at an online service’s login screen and then you receive an automated call to either your primary or alternate telephone number prompting you to “verify“ the authentication request by pressing the "#" key on your phone.
 
* This option may be preferable for individuals with limited texting plans, no home computer or device, or those who may not have a mobile phone.
 
* You may choose to configure your office phone as your "alternate" authentication phone
 
  
====== Notify me through app *Not Recommended* ======
+
Here are descriptions of the most common scenarios, along with our MFA setup recommendations for each one.&nbsp; Please visit our [[Multi-Factor_Authentication_Verification_Methods|MFA verification wiki page]] for additional details about specific options.
You enter your Middlebury email address and password at an online service’s login screen and then you receive a push notification to the Microsoft Authenticator app  on your mobile device prompting you to “verify “or “deny”  the authentication request.
 
  
====== Call my office phone ======
+
'''Scenario A:&nbsp; I have a Smartphone -- and I travel internationally and/or travel in areas without cellular coverage.'''
The "Call my office phone" option is not currently configured to work properly.  Please choose another verification option.
 
<br />
 
<br />
 
  
==== App Passwords ====
+
*<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal; font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre; white-space:pre-wrap">Choose Microsoft's Authenticator app with a <u>code</u>.</span>
Apple Mail, iOS Mail, Android E-mail, Thunderbird, and other email clients that do not have built-in support for multi-factor authentication require a special “App Password” to work with MFA.
 
   
 
'''This means that if you have enabled multi-factor authentication and you are are attempting to use a non-Microsoft email client, Gmail's "send as" feature, or another non-browser app, you will not be able to connect until you configure an App Password.''' 
 
  
Once you have an app password, you use this in place of your regular Middlebury password with these 3rd-party email clients and non-browser apps.  
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">This method is recommended when you have a device that supports Microsoft's Authenticator app and you will be in areas without consistent network access. When presented with an MFA challenge you will need to input the code displayed by the Authenticator app to complete your login.</span>
  
For example, if you are using multi-factor authentication and the native iOS mail app on your iPhone, you can use an App Password so that it can bypass multi-factor authentication and continue to work.
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Network access is <u>NOT</u> required for the MS Authentication app to provide you with a '''code'''.</span>
<br>
 
* It is recommended that you use one App Password per mobile device or application that requires one.
 
  
* '''You will also need to make sure that the server name in your account settings is changed to outlook.office365.com and is no longer mail.middlebury.edu.'''
+
&nbsp;
<br>
 
To create an app password, follow these instructions or watch [http://middmedia.middlebury.edu/media/cnorris/mp4/AppPasswords.mp4 this short video]:
 
 
# Log on to the [https://myapps.microsoft.com myapps.microsoft.com].
 
# In the top right corner click your '''profile picture''' and click '''Profile'''.
 
# Click the link '''Additional security verification''', you will get a MFA challenge.
 
# This will take you to the page that will allow you to change your settings and create App Passwords.
 
# At the top, next to additional security verification, click '''app passwords'''.
 
# Click '''Create'''.
 
# Enter a name for the app password and click '''Next'''.
 
# Enter the displayed app password into your account settings on your mobile device or 3rd-party email client.
 
<br />
 
<br />
 
  
=== How do I use Multi-Factor Authentication? ===
+
'''Scenario B:&nbsp; I have a Smartphone -- and I ''rarely ''travel in areas without cellular coverage.'''
Once you have completed Multi-Factor Authentication set up, here is what to expect.
 
  
When you sign in to a Multi-Factor Authentication protected online service (like webmail), from off-campus (or outside of the Middlebury networks), you will be prompted to verify the authentication request using the primary verification option that you selected during setup.
+
*<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Choose Microsoft's Authenticator app with <u>notifications</u>.</span>
  
For example, if you chose the "Notify me through the app" option, you would enter your Middlebury email address and password at an online service’s login screen and then you would receive a notification from the Microsoft Authenticator app on your mobile device prompting you to “verify “or “deny” the authentication request.
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">This method is recommended when you have a device that supports Microsoft's Authenticator app and you will be in areas with consistent network access. When presented with an MFA challenge you will need to click '''Approve''' on your device to complete your login. '''Caution! '''Only click Approve when you have signed into a service you anticipate will trigger an authentication challenge.</span>
  
'''Caution''': Only approve verification requests that you have initiated! This is particularly relevant to the "Notify me through app" and "Call my authentication phone" verification options. Imagine that an online criminal has your password and is trying to access your account. Once Multi-Factor Authentication has been enabled for your account, this access attempt would generate an authentication verification request. If you approved this verification request, the criminal would be able to access your account. Remember, '''only approve verification requests that you have initiated.'''
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Network access cellular or wifi <u>IS</u> required for the MS Authentication app to provide a '''notification'''.</span>
  
 +
&nbsp;
  
=== How do I update my Multi-Factor Authentication settings? ===
+
'''Scenario C:&nbsp; I have a Flip or Feature phone.'''
It's easy to change your multi-factor authentication settings, should the need arise, once you've completed the enrollment process.
 
  
To update your multi-factor authentication settings:
+
*<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">Choose Phone then specify Call or Text.</span>
  
# Log on to the [https://myapps.microsoft.com myapps.microsoft.com]
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline;  white-space:pre;  white-space:pre-wrap">This method is recommended when you have a device that doesn’t support the Microsoft Authenticator app. When presented with an MFA challenge you will have to receive a phone call then press '''#''', or else receive an SMS text message then enter the provided code, in order to complete your login.</span>
# In the top right corner click your '''profile picture''' and click '''Profile'''.
 
# Click the link '''Additional security verification''', you will get a MFA challenge.
 
# Click '''Update your phone numbers used for account security'''.
 
  
Note that there is a shortcut to the Office 365 Account settings screen, that you can get to without first logging into web mail. Try [https://portal.office.com/account/ https://portal.office.com/account].
+
<span style="font-size:11pt;  font-family:Arial;  color:#000000;  background-color:transparent;  font-weight:400;  font-style:normal;  font-variant:normal;  text-decoration:none;  vertical-align:baseline; white-space:pre;  white-space:pre-wrap">Travel to areas without cellular coverage is '''not '''supported by this method.</span> &nbsp;
  
If you would like to configure the Microsoft Authenticator app as the preferred authentication method, then your next steps would be to:
+
&nbsp;
  
# Select '''Use verification code from app''' from the verification option drop-down list
+
=== How do I use Multi-factor Authentication once I have it set up? ===
# Click the '''Configure''' button displayed next to the Authenticator app option.
 
  
[[Category:Helpdesk Documentation]]
+
Once you complete your MFA set up, here is what to expect.
[[Category:Public Search]]
+
 
[[Category:MFA]]
+
*When you log in to an MFA-protected service from '''within''' the Middlebury or Monterey networks, you will '''not''' be prompted for verification.
[[Category:Security]]
+
 
 +
*When you log in to an MFA-protected service (such as Webmail or Google) from '''outside''' our networks, there is one additional step. After correctly entering your Middlebury email address and password at the login screen of the service you wish to access, you will be prompted to verify your login request.&nbsp; This could be in the form of a phone call, text message, or mobile app notification or code, depending on the option you specified during the setup process.
 +
**For example, if you chose the "Notify me through the app" option, you would enter your Middlebury email address and password at the online service’s login screen, then you would receive a notification from the Microsoft Authenticator app on your mobile device prompting you to “Approve" or “Deny” the login request. 
 +
 
 +
'''Important notes:'''
 +
 
 +
*During the login process you can click the checkbox to '''remember my device for 30 days'''. With this setting enabled, you won’t be prompted again for Multi-Factor Authentication from that application on that device for another thirty days.
 +
*'''Caution!&nbsp; Only approve verification requests that you initiate!'''&nbsp; This is relevant to the "Notify me through app" and "Call my authentication phone" verification options. Imagine an online criminal has your password and is trying to access your account. Once Multi-Factor Authentication has been enabled for your account, this access attempt would generate a login verification request. If you approved this verification request, the criminal would be able to access your account!&nbsp;&nbsp;
 +
 
 +
&nbsp;
 +
 
 +
=== How do I set up MFA to access Oracle? ===
 +
 
 +
Your Oracle account is provided by GMHEC rather than Middlebury, and it requires a separate MFA setup.&nbsp; If you are off-campus and you already have MFA protection for your Middlebury account, you will be prompted to enroll in GMHEC's multi-factor authentication (MFA) if you haven’t already enrolled.&nbsp; See “[https://drive.google.com/uc?export=view&id=16ADPj7Qt9dF6aushMVTBbvFrvD-_g6FO Enrolling in GMHEC Multi-Factor Authentication]” for information. &nbsp;
 +
 
 +
&nbsp;
 +
 
 +
=== How do I adjust my MFA settings if my situation changes? ===
 +
 
 +
It's easy to change your multi-factor authentication settings.&nbsp; Here's how:
 +
 
 +
#Visit [http://go.middlebury.edu/mfasetup http://go.middlebury.edu/mfasetup].&nbsp; You will receive an MFA challenge.
 +
#From the ''Security Info ''page, you'll find links that allow you to '''change''' or '''delete '''methods you set up previously, including your default method for receiving MFA challenges.
 +
 
 +
[[Category:Helpdesk Documentation]] [[Category:Public Search]] [[Category:MFA]] [[Category:Security]]

Latest revision as of 08:54, 22 July 2019

What is Multi-factor Authentication?

If you are unfamiliar with the concept of multi-factor authentication, please visit our overview page to learn more.

 

What should I do to prepare for MFA?

Check out our readiness info page for details. You'll learn useful tips and find details about how to sign up when you're all set to go.

 

How do I set up MFA?

Upon receipt of your Multi-Factor Authentication sign-up request, ITS will enable MFA on your account, then send you a “Middlebury Multi-Factor Authentication Enrollment” email containing links to Microsoft’s MFA Setup page and our Security Info Quick Setup guide. Follow the instructions presented to set up authentication methods you wish to use with your account.

Important:

  • ITS must first enable MFA on your account before you proceed with the setup!
  • Any device you wish to configure to use MFA must have a working network connection at the time of setup.
  • By clicking the "Set it up now" button, you are activating Multi-Factor Authentication and you must complete the setup process or you may be unable to access your account, including your email.

 

Which MFA setup method should I choose?

Here are descriptions of the most common scenarios, along with our MFA setup recommendations for each one.  Please visit our MFA verification wiki page for additional details about specific options.

Scenario A:  I have a Smartphone -- and I travel internationally and/or travel in areas without cellular coverage.

  • Choose Microsoft's Authenticator app with a code.

This method is recommended when you have a device that supports Microsoft's Authenticator app and you will be in areas without consistent network access. When presented with an MFA challenge you will need to input the code displayed by the Authenticator app to complete your login.

Network access is NOT required for the MS Authentication app to provide you with a code.

 

Scenario B:  I have a Smartphone -- and I rarely travel in areas without cellular coverage.

  • Choose Microsoft's Authenticator app with notifications.

This method is recommended when you have a device that supports Microsoft's Authenticator app and you will be in areas with consistent network access. When presented with an MFA challenge you will need to click Approve on your device to complete your login. Caution! Only click Approve when you have signed into a service you anticipate will trigger an authentication challenge.

Network access cellular or wifi IS required for the MS Authentication app to provide a notification.

 

Scenario C:  I have a Flip or Feature phone.

  • Choose Phone then specify Call or Text.

This method is recommended when you have a device that doesn’t support the Microsoft Authenticator app. When presented with an MFA challenge you will have to receive a phone call then press #, or else receive an SMS text message then enter the provided code, in order to complete your login.

Travel to areas without cellular coverage is not supported by this method.  

 

How do I use Multi-factor Authentication once I have it set up?

Once you complete your MFA set up, here is what to expect.

  • When you log in to an MFA-protected service from within the Middlebury or Monterey networks, you will not be prompted for verification.
  • When you log in to an MFA-protected service (such as Webmail or Google) from outside our networks, there is one additional step. After correctly entering your Middlebury email address and password at the login screen of the service you wish to access, you will be prompted to verify your login request.  This could be in the form of a phone call, text message, or mobile app notification or code, depending on the option you specified during the setup process.
    • For example, if you chose the "Notify me through the app" option, you would enter your Middlebury email address and password at the online service’s login screen, then you would receive a notification from the Microsoft Authenticator app on your mobile device prompting you to “Approve" or “Deny” the login request.

Important notes:

  • During the login process you can click the checkbox to remember my device for 30 days. With this setting enabled, you won’t be prompted again for Multi-Factor Authentication from that application on that device for another thirty days.
  • Caution!  Only approve verification requests that you initiate!  This is relevant to the "Notify me through app" and "Call my authentication phone" verification options. Imagine an online criminal has your password and is trying to access your account. Once Multi-Factor Authentication has been enabled for your account, this access attempt would generate a login verification request. If you approved this verification request, the criminal would be able to access your account!  

 

How do I set up MFA to access Oracle?

Your Oracle account is provided by GMHEC rather than Middlebury, and it requires a separate MFA setup.  If you are off-campus and you already have MFA protection for your Middlebury account, you will be prompted to enroll in GMHEC's multi-factor authentication (MFA) if you haven’t already enrolled.  See “Enrolling in GMHEC Multi-Factor Authentication” for information.  

 

How do I adjust my MFA settings if my situation changes?

It's easy to change your multi-factor authentication settings.  Here's how:

  1. Visit http://go.middlebury.edu/mfasetup.  You will receive an MFA challenge.
  2. From the Security Info page, you'll find links that allow you to change or delete methods you set up previously, including your default method for receiving MFA challenges.
Powered by MediaWiki