What is Multi-factor Authentication?
Multi-factor Authentication (MFA) is an approach to online security that requires you to provide more than one type of authentication for a login or other transaction.
Also known as ‘Two-step Verification’, MFA adds an extra layer of protection to your account and is used on a regular basis for many online transactions such as banking, shopping, or PayPal.
MFA requires you to authenticate using:
- Something you know: your username and password
- Something you have: a trusted device, such as your mobile phone, on which to receive and respond to verification requests
You must complete both authentication steps in order to access your University Microsoft 365 account when off campus or on eduroam.
Why do I need to use MFA?
Attackers are getting better at obtaining passwords (e.g. by phishing attacks). MFA adds a second layer of security to your account, making sure your account stays secure, even if someone else obtains your password. MFA is considered best practice by IT security and industry professionals.
When will I have to use MFA?
When using a device that is off campus - this includes on the eduroam network - you will be required to use MFA when logging into Microsoft 365 services (previously known as Office 365), such as Outlook (desktop client and web app), SharePoint Online and OneDrive for Business.
You will be required to use MFA when your sign-in properties are considered high risk or unusual. This includes logging in from a new location, a new device, or a new application. When this happens, you will be informed that something unusual was detected about your sign-in and prompted to verify your identity by completing MFA registration as shown below.
There are also circumstances where your user account might be considered high risk; for example, if there are suspicious activities detected or your account details have been leaked. If this happens, you will need to prove your identity by completing MFA with one of your previously registered methods. Additionally, since someone else may have had access to your account, you will be required to change your password.
Setting up Multi-factor Authentication
Multi-factor Authentication is fast becoming essential to secure cloud-based services. For this reason, you are required to set up MFA on your University Microsoft 365 account.
We recommend you set up two or more of these authentication methods:
- Use the Microsoft Authenticator app on a mobile device (recommended)
- Receive a code by text
- Receive a call by phone
Consult the user guide that corresponds to the authentication method that you want to use.
We recommend that you download the PDF guide(s) to a convenient location (e.g. desktop) for future reference, and open links in a new window in your preferred browser.
- Set up MFA (Multi-factor Authentication) using Microsoft Authenticator App
- Set up MFA (Multi-factor Authentication) using Phone
MFA Fatigue Attacks
Multi-factor authentication (MFA) fatigue attacks are also known as MFA bombing or MFA spamming. This is a social engineering strategy where attackers repeatedly push authentication requests to your phone or registered device to overwhelm and trick you into approving access to your account.
If you receive a notification asking to approve a login and you are not accessing your account:
- Do not approve the notification.
- Change your password at www.abdn.ac.uk/password-reset (further guidance can be found in our Password Reset guide).
- You can check your recent login activity by using https://mysignins.microsoft.com/.
If you are unable to reset your password due to the volume of notifications, have further concerns or are looking for advice, please contact the IT service desk - chat online at myit.abdn.ac.uk or email
- Do I need to keep the Microsoft Authenticator app after first set up?
Yes. You must keep the Microsoft Authenticator app as you will need to use it to approve/authenticate when you sign into your University Microsoft 365 account when off campus or on the eduroam network.
- I changed my registered phone number – what should I do?
If the phone number that is recorded as a method of authentication for you is incorrect you will need to re-setup your Security Info.
- If you have an alternative method of authentication such as the Microsoft Authenticator app, use that to sign in and then delete your old phone number and set up your new one.
- If you are unable to access this webpage because you cannot authenticate, please use MyIT to report an issue with the IT Service Desk.
- It is recommended that you set up two or more methods of authentication.
- I received an email to say my account is blocked or email/calendar no longer work on a smartphone - what can I do?
The mail/calendar app on your device may not be compatible with MFA. Consider installing the Outlook iOS/Android app, which does support MFA. See configuration guides on Toolkit.
If you want to continue to use the iOS Mail app try removing your University mail account and re-adding it. Configure your mail account by signing in as instructed in the guide for iOS devices.
- My method of accessing email is no longer working – what can I do?
If you have been using an email app or client that uses Basic Authentication (e.g. Outlook 2013; some native email clients on mobiles) this will no longer work.
You will now only be able to access your Microsoft 365 email account using an app or client that supports Modern Authentication such as:
- Outlook 2016 or later (PC or Mac)
- Outlook app (iOS and Android)
- Apple Mail (MacOS 10.14+; iOS 11+)
- Android Mail (Versions 6 and above)
See configuration guides on Toolkit.
Alternatively, you can use Outlook on the web in any browser.
- I’m changing the mobile device I use for MFA – what should I do?
If you replace the mobile device that your code or verification request is sent to you will need to re-setup your Security Info.
- If you have your old device use that to authenticate before setting up methods on your new device.
- If you don’t have the old device but have retained a number that was used as a method of authentication, check that works on your new device before setting up other methods.
- Once you have set up methods on your new device, delete all methods pointing to the old device and (if relevant) delete your account in the Microsoft Authenticator app on your old device, before passing it on or disposing of it.
If you are unable to access this webpage because you cannot authenticate, please use MyIT to report an issue with the IT Service Desk.
- How do I change my method of authentication (or add another method)?
You can do this via the setup Security Info website.
- What is the Microsoft Authenticator app?
This is a dedicated app that allows you to set up your smartphone or tablet as a means of authenticating access to your University Microsoft 365 account when off campus or on the eduroam network. It will not add your University email account to your device.
- There is a minimum requirement of iOS11 to install on an iPhone or iPad.
Check if your device is listed by Apple as being supported.
- The requirement on Android is Version 6 or above.
- There is a minimum requirement of iOS11 to install on an iPhone or iPad.
- Do I need to have a smartphone to use MFA?
No, you can also use a mobile phone or tablet. However, we recommend that if you have a smartphone, you use the Microsoft Authenticator app as this is the simplest way to approve an authentication prompt.
- My phone number was already there when I set up MFA for the first time. Why?
This is because you provided your phone number when registering for Self-Service Password Reset (SSPR) and the MFA and SSPR identity systems are closely linked.
- Do I need an Internet connection or phone signal?
No. If you have set up the Microsoft Authenticator app as an authentication method, it can generate a passcode without an internet connection or phone signal. Simply open the app to access the passcode. To avoid charges when overseas, you may want to use this authentication method.
If you have chosen to receive a passcode by text or phone call you will require a phone signal but not an internet connection.
- I have set this up but only been prompted once for MFA, how can I check I have done this properly?
Once you’ve set up an authentication method, you can login into the setup Security Info website as it is locked behind an MFA prompt.
- I have dyscalculia, so receiving a code isn’t the best for me. Is there another option available?
The Microsoft Authenticator app allows you to choose Approve or Deny rather than enter a series of digits. You can download the Microsoft Authenticator app from your App store.