MFA - Frequently Asked Questions (FAQ)

Overview

You can find more FAQs on this Microsoft page.

Overview

What is MFA?

MFA stands for multi-factor authentication. It is a best-practice security measure used to protect user accounts by requiring two or more authentication methods to be used to access an account.

Single factor authentication is what most people are familiar with – you access a service by providing a username and a password. The username identifies who you are claiming to be, and the password helps you prove that you are who you are claiming to be. This proof to an identity claim is an authentication method. There are 3 categories of authentication methods:

Something you know, like a password or PIN (personal identification number).
Something you have, such as a trusted device like a phone or hardware key.
Something you are (biometrics like a fingerprint or face scanner).

MFA helps increase the confidence in your identity claim by requiring that you provide more than one proof of your identity. It also works best when you require identity proofs, or authentication methods, from different categories, with the most common combination being something you know (usually a password) and something you have (a phone or hardware key).

MFA is required for all students, staff, and faculty at Guelph-Humber and the University of Guelph.

How does MFA work?

After you register for MFA, the first time you sign in on a device or app and enter your username@uoguelph.ca or username@guelphhumber.ca and password as usual, you will get prompted to enter your second authentication factor to verify your identity.

Why is MFA required?

MFA helps increase the confidence that the person trying to access a service is the actual person that should be accessing the service. Passwords alone have proven to not be sufficient in protecting access to services. A malicious actor can obtain passwords in many ways:

Phishing - pretending to be someone else (often someone in a position of authority, like the CRA, a manager, an IT admin, etc) and getting the user to provide their password in order to avoid some consequence.
Malware/Viruses - compromising user devices by installing malware or viruses. These programs allow a malicious actor to spy on the device or steal data from the device, including passwords.
Infiltrating online services - this can be done through privilege escalation, exploiting known software vulnerabilities, and many other ways. Once a malicious actor has access to a service, they can steal data, including user passwords.
Password attacks - are different ways to guess passwords until the correct password is guessed. These include brute force attacks (repeatedly guess random passwords), credential stuffing (using stolen credentials since users often re-use passwords across platforms), dictionary attacks, password spraying, etc.

With MFA enabled on your account, even if a malicious actor finds out your password, it is highly unlikely they would also be able to obtain your additional authentication factor, especially if it’s something you have (your phone or a hardware key) or something you are (your fingerprints or face).

It is estimated that MFA reduces the number of compromised accounts by 99.9% (source: https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/).

What services require MFA?

MFA is currently required for the following services:

GryphMail and all Microsoft 365 services, which includes Outlook, Teams, OneDrive, Sharepoint, Office apps (Word, Excel, PowerPoint, etc)
VPN - limited to staff and faculty, or upon department approval for Graduate/Undergraduate students and other accounts.
Web Advisor as of August 17th, 2023
Courselink as of August 30th, 2023
Course Reserves (ARES)
Omni
Library Off Campus Access

What authentication/sign-in methods can I use for MFA?

The UofG has enabled the following authentication/sign-in methods for use with MFA:

Authentication/Sign-Method

Description

Microsoft Authenticator app (Recommended)

This is the recommended authentication method for use with MFA. It is a free app that can be downloaded from the Apple Store or Google Play store (see our "Setting up Azure MFA - Autheticator App" page or the "Download and install the Microsoft Authenticator app" support page from Microsoft). The Authenticator App is supported on Android 8.0 and later, iOS 14 or later and Windows 10 mobile 14393.0 or later. WatchOS is no longer supported (January 2023). You can use other authenticator apps (Google, Authy, Duo etc) but the product we support is the Microsoft Authenticator App and other apps are best effort support.

When you try to login to an MFA protected service, after entering your username and password, you will get an approval notification on your phone – if it’s you trying to access your account, you press approve and you’ll automatically be logged in to the service you were trying to access.

If you have no internet connection on your phone, the app can still be used to give a one-time password code (a 6-digit number, similar to the code you would get when using SMS/text messages).

Office and/or home phone

When using your office or home phone, you will receive a phone call and you will be asked to press the pound (#) key to approve the authentication request. The downside to using office and home phones for MFA is that they are not portable – you must physically be at your home or at your office in order to receive the call. For people using these options, it is recommended to use both a home and office phone so that you have a method available to use at either location.

Cell or mobile phone

This method uses your phone number on your cell/mobile phone to either receive a notification via a SMS/text message, or a phone call. The phone call acts similar to using an office or home phone. The SMS/text message provides a 6-digit one-time passcode (all numbers) that you type into the MFA prompt.

WARNING:This method works only if you have cell service and your phone number works. It will NOT work if you are traveling to another country and do not maintain cell service with your current SIM and phone number.

This method is also less secure than the authenticator app. For more information, read this blog post by Microsoft's Director of Identity Security: It's Time to Hang Up on Phone Transports for Authentication

Security keys or hardware tokens

Note: Security keys require that you have an additional authentication/sign-in method already enabled on your account in order to add them to your account. If you are unable to add an additional authentication/sign-in method to your account, please contact the IT Help Centre for alternative setup methods.

These are little hardware devices or cards that you carry around with you. NOTE: The Fido Security key will not currently work for the MFA login to Web Advisor (waiting on a fix by the vendor).

They can look and function differently, depending on the token type:

USB Security Keys	These USB security keys are inserted into a USB port on whatever device you are trying to access a service on. When prompted to use these for MFA, you'll need to enter a PIN (which is setup when first registering the USB security key with your account) and then to press a physical button on the security key. The PIN gives added security so if you lose the security key, someone still cannot use it unless they also know the PIN.
NFC Security Keys	NFC security keys, or "Near Field Communication" security keys, allow you to present the token near to a device in order to authenticate. This is the technology used by Interac Tap that allows you to tap your debit card, credit card, or phone in order to pay for purchases at stores. NFC security keys can only work on devices that support NFC - cell phones or tablets would be the common use case: when needing MFA you would tap the NFC security key on your phone or tablet.
TOTP Cards or Tokens	Time-based One-Time Password (TOTP) Cards or Tokens are physical cards or tokens that can be used as alternatives to other authenticator apps (like Google Authenticator). Setting them up is a little more challenging and requires a cell phone. The cell phone is used to "burn" a seed onto the card or token in order to connect it to your account. Once it is connected to your account, you press a button on the card or token and a 6-digit PIN will appear; you then enter this 6-digit PIN into the Microsoft MFA prompt.

CCS Information Security has approved the following additional hardware tokens:

HYPERFIDO Pro FIDO2 Security Key - Available for purchase at the University of Guelph Bookstore or Amazon
YubiKey Security Key – Amazon or Yubico

Authentication methods for MFA vs Self-Service Password Reset

The following table identifies which authentication methods can be used for MFA and which can be used for Self-Service Password Reset:

Authentication Method	MFA	Self-Service Password Reset
Microsoft Authenticator app	Yes	Yes
Office and/or home phone	Yes	Yes
Cell or mobile phone	Yes	Yes
Security keys or hardware tokens	Yes	Yes
External Email	No	Yes
Security Questions	No	Yes

How can I add an authentication/sign-in method for MFA to my account?

To manage your authentication methods in a web browser navigate to https://aka.ms/mysecurityinfo. If you are already logged into GryphMail via the Outlook web app, do the following:

Click on your initials in the circle near the top-right of the screen.
Click on “View account”.
On the “Security info” tile, click on “UPDATE INFO”.

This “Security info” page allows you to manage your authentication methods. If you already have at least one authentication method registered to your account, you will be prompted to login using MFA.

To add an authentication method/sign-in method to your account, click on “Add sign-in method”.

decorative image

Where can I get a security key or hardware token?

The security key option for MFA uses security keys, or hardware tokens, using the Fast Identity Online (FIDO2) passwordless authentication protocol. These can be purchased from many different businesses, including the Bookstore in the McNaughton Building on the University of Guelph campus. Prices can range anywhere from $8 to $100+, depending on what you are looking for.

CCS Information Security has approved the following additional hardware tokens:

HYPERFIDO Pro FIDO2 Security Key - Available for purchase at the University of Guelph Bookstore or Amazon
YubiKey Security Key – Amazon or Yubico

Staff and faculty can speak with their department to see if they can provide a security or hardware token.

Can I add more than one authentication/sign-in method to my account?

Yes, you can register more than one authentication method to your account. It is recommended to add more than one, just in case you lose access to your first authentication method. For staff and faculty, it is recommended you add an office phone extension in case you forget your mobile. When prompted for MFA, your default method will be presented first. However, you can click the “I can’t use my <default authentication method> right now" to be presented with a list of all the methods registered on your account.

decorative image

How can I change the default authentication/sign-in method for my account?

On the “Security info” section for your account (see the "How can I add an authentication/sign-in method for MFA to my account?" question for instructions on how to get to the "Security info" section), click on “Change” next to the “Default sign-in method: ” option located above the list of authentication/sign-in methods registered on your account.

decorative image

Troubleshooting and Security

What can I do if I no longer have access to one of my authentication/sign-in methods?

As long as you have one available authentication/sign-in method available to you on your account, you can use that to remove any authentication/sign-in method that you no longer have access to. You can manage your authentication/sign-in methods on the "Security info" section of your account (see the "How can I add an authentication/sign-in method for MFA to my account?" question for instructions on how to get to this section).

If you do not have access to any of the authentication/sign-in methods registered on your account, please contact the IT Help Centre. As administrators of Microsoft 365, CCS can remove any authentication/sign-in methods from your account for you. Once all are removed, you can register new authentication/sign-in methods onto your account.

I setup MFA but I'm not being prompted for it - am I doing something wrong?

Once you have one authentication/sign-in method added to your account, you will need to use that method to access your "Security info" in Microsoft 365. If you are looking to test whether MFA will work for your account, accessing your "Security info" is a good way to do so. Instructions on how to get to "Security info" can be found under the "How can I add an authentication/sign-in method for MFA to my account?" question.

My security key is not working on my MacOS computer - what can I do?

If you cannot use your security key when signing into your account in Safari or Firefox, try signing into your account using Google Chrome instead. If you do not have Google Chrome installed, download and install Google Chrome and try signing in with your security key there.

What should I do when I get a verification request that I do not recognize?

When you receive a push notification for a log on that you did not initiate, select DENY to prevent unauthorized access to your account. In these cases, your password may be compromised, and we recommend that you change your password immediately. Learn more at Infosec's blog on MFA requests you did not initiate.

How do I know if a phone call or text is actually an MFA prompt from Microsoft?

Phone call MFA prompts should be sent from (855)330-8653. Text MFA prompts can come from a variety of five-digit numbers (i.e. 37107 or 69525). Text prompts will not be sent from a full ten-digit phone number.

Travel Considerations - What do I need to consider when traveling outside of Canada?

Can I access GryphMail and Microsoft 365 services while traveling outside of Canada?

If any MFA methods were set up on your account by November 3rd 2022 or earlier, you will be able to access Microsoft 365 services outside of Canada as you would in Canada. Otherwise, a global access ban on GryphMail and Microsoft 365 services may still be in effect on your account. If you think this is the case, please contact your department admin or IT admin and they can request a global access exemption on your behalf from CCS. This exemption only has to be requested once. Once you are exempted from the access ban, you will remain exempted.

If you have access to the University VPN (staff and faculty only, please request access to VPN prior to your travels), you can connect to the VPN using the “2-Full Tunnel” option to access GryphMail and any Microsoft 365 services from anywhere in the world, without needing to request a global access exemption.

What MFA authentication/sign-in method should I use while traveling?

It is recommended to use the Microsoft Authenticator app. If this is not possible, a security key or hardware token is recommended.

The Microsoft Authenticator app will work whether you have an internet connection or not. If you have an internet connection on your phone - this can be through a cell network (even with a different SIM and phone number) or a wifi connection - you will still receive a notification to approve the access request. If you do not have an internet connection, you can go into the app and get a one-time password code that you can use to authenticate instead. Most people will travel with their cell phone since they use it for so many things, so it may be the easier option to remember to bring.

Security keys or hardware tokens are physical items that you bring with you - as long as you remember to bring the security key or hardware token with you, you can use it for MFA. Since the security key or hardware token is only used for MFA, it can be easier to forget to pack.

Home and office phones are only useful in the locations they are used in, so they are not suitable for use when traveling.

Using cell phones via SMS/text or phone calls for MFA will not work if you are visiting a country where your phone number doesn't work or you do not have cell service.

Can the Microsoft Authenticator app control my phone or monitor me?

MFA is only used to verify your identity and ensure the security of your account. It will not be used for monitoring activity and does not provide the University access to your device. If you have questions about privacy related to MFA, please consult the resources below:

What can I do if I get the error 'You've hit our limit on verification calls/text verification codes' during sign-in?

Microsoft may limit repeated authentication attempts that are performed by the same user in a short period of time.

Wait a few minutes and try to sign in again if you are using the call or text verification method to authenticate your sign-in.
This limitation does not apply to the Microsoft Authenticator, so if you have configured the app you can try using it to sign in using that method.

What can I do if I get the error 'Sorry, we're having trouble verifying your account during sign-in'?

Microsoft may limit or block voice or SMS authentication attempts that are performed by the same user, phone number, or organization due to a high number of failed voice or SMS authentication attempts.

If you are using the SMS authentication method, ensure that the verification you are entering is the six-digit code inside the text message, not the number you are receiving the text from.

decorative image

If you are still experiencing this error, you can try another method, such as the Microsoft Authenticator App.

Why am I not receiving the verification code sent to my mobile device?

If you are not receiving the verification code on your mobile device, try the following:

Make sure your mobile device has notifications turned on and ensure these modes create an alert that is visible on your device.
Make sure you haven't turned on the 'do not disturb' feature on your mobile device.
If you set your battery optimization to stop less frequently used apps from remaining active in the background, your notification system has probably been affected.
- Try turning off battery optimization for both your authentication app and your messaging app. Then try to sign in to your account again.
Make sure your phone calls and text messages get through to your mobile device. You can test this by getting a friend to call and send a text message to you to make sure you receive both.
- If you don't receive the call or text, first check to make sure your mobile device is turned on. If your device is turned on, but you're still not receiving the call or text, there's probably a problem with your network. You'll need to talk to your provider.
- If you often have signal-related problems, we recommend you install and use the Microsoft Authenticator app on your mobile device as it works over the mobile network and Wi-Fi.
Try restarting your mobile device.

Does having MFA mean that I will no longer need to change my password?

No - your password can still be compromised. We recommend you use a unique and strong password that does not contain any dictionary words, uses a variety of character sets, and does not contain your previous password. Password complexity requirement is different from multifactor authentication. You still need to change your U of G Single Sign On (SSO) password when required. It is best practice to change your password at least once a year.

Get FREE knowledgebase

MFA - Frequently Asked Questions (FAQ)

How does MFA work?

Can I access GryphMail and Microsoft 365 services while traveling outside of Canada?

What MFA authentication/sign-in method should I use while traveling?