MFA - Frequently Asked Questions (FAQ)
- What is MFA? How does it work?
- Why is MFA required?
- What services require MFA?
- What authentication/sign-in methods can I use for MFA?
- How can I add an authentication/sign-in method for MFA to my account?
- Where can I get a security key or hardware token?
- Can I add more than one authentication/sign-in method to my account?
- How can I change the default authentication/sign-in method for my account?
Troubleshooting and Security
- What can I do if I no longer have access to one of my authentication/sign-in methods?
- I setup MFA but I'm not being prompted for it - am I doing something wrong?
- My security key is not working on my MacOS computer - what can I do?
- What should I do when I get a verification request that I do not recognize?
- How do I know if a phone call or text is actually an MFA prompt from Microsoft?
- Travel Considerations - What do I need to consider when traveling outside of Canada?
- Can the Microsoft Authenticator app control my phone or monitor me?
- What can I do if I get the error 'You've hit our limit on verification calls/text verification codes' during sign-in?
- What can I do if I get the error 'Sorry, we're having trouble verifying your account' during sign-in?
- Why am I not receiving the verification code sent to my mobile device?
- Does having MFA mean that I will no longer need to change my password?
- I can login to Courselink and Email but I am getting an error for Web Advisor - AADSTS75011 .
You can find more FAQs on this Microsoft page.
MFA stands for multi-factor authentication. It is a best-practice security measure used to protect user accounts by requiring two or more authentication methods to be used to access an account.
Single factor authentication is what most people are familiar with – you access a service by providing a username and a password. The username identifies who you are claiming to be, and the password helps you prove that you are who you are claiming to be. This proof to an identity claim is an authentication method. There are 3 categories of authentication methods:
- Something you know, like a password or PIN (personal identification number).
- Something you have, such as a trusted device like a phone or hardware key.
- Something you are (biometrics like a fingerprint or face scanner).
MFA helps increase the confidence in your identity claim by requiring that you provide more than one proof of your identity. It also works best when you require identity proofs, or authentication methods, from different categories, with the most common combination being something you know (usually a password) and something you have (a phone or hardware key).
MFA is required for all students, staff, and faculty at Guelph-Humber and the University of Guelph.
After you register for MFA, the first time you sign in on a device or app and enter your firstname.lastname@example.org or email@example.com and password as usual, you will get prompted to enter your second authentication factor to verify your identity.
MFA helps increase the confidence that the person trying to access a service is the actual person that should be accessing the service. Passwords alone have proven to not be sufficient in protecting access to services. A malicious actor can obtain passwords in many ways:
- Phishing - pretending to be someone else (often someone in a position of authority, like the CRA, a manager, an IT admin, etc) and getting the user to provide their password in order to avoid some consequence.
- Malware/Viruses - compromising user devices by installing malware or viruses. These programs allow a malicious actor to spy on the device or steal data from the device, including passwords.
- Infiltrating online services - this can be done through privilege escalation, exploiting known software vulnerabilities, and many other ways. Once a malicious actor has access to a service, they can steal data, including user passwords.
- Password attacks - are different ways to guess passwords until the correct password is guessed. These include brute force attacks (repeatedly guess random passwords), credential stuffing (using stolen credentials since users often re-use passwords across platforms), dictionary attacks, password spraying, etc.
With MFA enabled on your account, even if a malicious actor finds out your password, it is highly unlikely they would also be able to obtain your additional authentication factor, especially if it’s something you have (your phone or a hardware key) or something you are (your fingerprints or face).
It is estimated that MFA reduces the number of compromised accounts by 99.9% (source: https://www.microsoft.com/en-us/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/).
MFA is currently required for the following services:
- GryphMail and all Microsoft 365 services, which includes Outlook, Teams, OneDrive, Sharepoint, Office apps (Word, Excel, PowerPoint, etc)
- VPN - limited to staff and faculty, or upon department approval for Graduate/Undergraduate students and other accounts.
- Web Advisor as of August 17th, 2023
- Courselink as of August 30th, 2023
- Course Reserves (ARES)
- Library Off Campus Access
The UofG has enabled the following authentication/sign-in methods for use with MFA:
This is the recommended authentication method for use with MFA. It is a free app that can be downloaded from the Apple Store or Google Play store (see our "Setting up Azure MFA - Autheticator App" page or the "Download and install the Microsoft Authenticator app" support page from Microsoft). The Authenticator App is supported on Android 8.0 and later, iOS 14 or later and Windows 10 mobile 14393.0 or later. WatchOS is no longer supported (January 2023). You can use other authenticator apps (Google, Authy, Duo etc) but the product we support is the Microsoft Authenticator App and other apps are best effort support.
When you try to login to an MFA protected service, after entering your username and password, you will get an approval notification on your phone – if it’s you trying to access your account, you press approve and you’ll automatically be logged in to the service you were trying to access.
If you have no internet connection on your phone, the app can still be used to give a one-time password code (a 6-digit number, similar to the code you would get when using SMS/text messages).
|Office and/or home phone
|When using your office or home phone, you will receive a phone call and you will be asked to press the pound (#) key to approve the authentication request. The downside to using office and home phones for MFA is that they are not portable – you must physically be at your home or at your office in order to receive the call. For people using these options, it is recommended to use both a home and office phone so that you have a method available to use at either location.
|Cell or mobile phone
This method uses your phone number on your cell/mobile phone to either receive a notification via a SMS/text message, or a phone call. The phone call acts similar to using an office or home phone. The SMS/text message provides a 6-digit one-time passcode (all numbers) that you type into the MFA prompt.
WARNING:This method works only if you have cell service and your phone number works. It will NOT work if you are traveling to another country and do not maintain cell service with your current SIM and phone number.
This method is also less secure than the authenticator app. For more information, read this blog post by Microsoft's Director of Identity Security: It's Time to Hang Up on Phone Transports for Authentication
|Security keys or hardware tokens
Note: Security keys require that you have an additional authentication/sign-in method already enabled on your account in order to add them to your account. If you are unable to add an additional authentication/sign-in method to your account, please contact the IT Help Centre for alternative setup methods.
These are little hardware devices or cards that you carry around with you. NOTE: The Fido Security key will not currently work for the MFA login to Web Advisor (waiting on a fix by the vendor).
They can look and function differently, depending on the token type:
CCS Information Security has approved the following additional hardware tokens:
To manage your authentication methods in a web browser navigate to https://aka.ms/mysecurityinfo. If you are already logged into GryphMail via the Outlook web app, do the following:
- Click on your initials in the circle near the top-right of the screen.
- Click on “View account”.
- On the “Security info” tile, click on “UPDATE INFO”.
This “Security info” page allows you to manage your authentication methods. If you already have at least one authentication method registered to your account, you will be prompted to login using MFA.
To add an authentication method/sign-in method to your account, click on “Add sign-in method”.
The security key option for MFA uses security keys, or hardware tokens, using the Fast Identity Online (FIDO2) passwordless authentication protocol. These can be purchased from many different businesses, including the Bookstore in the McNaughton Building on the University of Guelph campus. Prices can range anywhere from $8 to $100+, depending on what you are looking for.
CCS Information Security has approved the following additional hardware tokens:
- HYPERFIDO Pro FIDO2 Security Key - Available for purchase at the University of Guelph Bookstore or Amazon
- YubiKey Security Key – Amazon or Yubico
Staff and faculty can speak with their department to see if they can provide a security or hardware token.
Yes, you can register more than one authentication method to your account. It is recommended to add more than one, just in case you lose access to your first authentication method. For staff and faculty, it is recommended you add an office phone extension in case you forget your mobile. When prompted for MFA, your default method will be presented first. However, you can click the “I can’t use my <default authentication method> right now" to be presented with a list of all the methods registered on your account.
On the “Security info” section for your account (see the "How can I add an authentication/sign-in method for MFA to my account?" question for instructions on how to get to the "Security info" section), click on “Change” next to the “Default sign-in method: ” option located above the list of authentication/sign-in methods registered on your account.
Troubleshooting and Security
As long as you have one available authentication/sign-in method available to you on your account, you can use that to remove any authentication/sign-in method that you no longer have access to. You can manage your authentication/sign-in methods on the "Security info" section of your account (see the "How can I add an authentication/sign-in method for MFA to my account?" question for instructions on how to get to this section).
If you do not have access to any of the authentication/sign-in methods registered on your account, please contact the IT Help Centre. As administrators of Microsoft 365, CCS can remove any authentication/sign-in methods from your account for you. Once all are removed, you can register new authentication/sign-in methods onto your account.
Once you have one authentication/sign-in method added to your account, you will need to use that method to access your "Security info" in Microsoft 365. If you are looking to test whether MFA will work for your account, accessing your "Security info" is a good way to do so. Instructions on how to get to "Security info" can be found under the "How can I add an authentication/sign-in method for MFA to my account?" question.
If you cannot use your security key when signing into your account in Safari or Firefox, try signing into your account using Google Chrome instead. If you do not have Google Chrome installed, download and install Google Chrome and try signing in with your security key there.
When you receive a push notification for a log on that you did not initiate, select DENY to prevent unauthorized access to your account. In these cases, your password may be compromised, and we recommend that you change your password immediately. Learn more at Infosec's blog on MFA requests you did not initiate.
Phone call MFA prompts should be sent from (855)330-8653. Text MFA prompts can come from a variety of five-digit numbers (i.e. 37107 or 69525). Text prompts will not be sent from a full ten-digit phone number.
If any MFA methods were set up on your account by November 3rd 2022 or earlier, you will be able to access Microsoft 365 services outside of Canada as you would in Canada. Otherwise, a global access ban on GryphMail and Microsoft 365 services may still be in effect on your account. If you think this is the case, please contact your department admin or IT admin and they can request a global access exemption on your behalf from CCS. This exemption only has to be requested once. Once you are exempted from the access ban, you will remain exempted.
If you have access to the University VPN (staff and faculty only, please request access to VPN prior to your travels), you can connect to the VPN using the “2-Full Tunnel” option to access GryphMail and any Microsoft 365 services from anywhere in the world, without needing to request a global access exemption.
It is recommended to use the Microsoft Authenticator app. If this is not possible, a security key or hardware token is recommended.
The Microsoft Authenticator app will work whether you have an internet connection or not. If you have an internet connection on your phone - this can be through a cell network (even with a different SIM and phone number) or a wifi connection - you will still receive a notification to approve the access request. If you do not have an internet connection, you can go into the app and get a one-time password code that you can use to authenticate instead. Most people will travel with their cell phone since they use it for so many things, so it may be the easier option to remember to bring.
Security keys or hardware tokens are physical items that you bring with you - as long as you remember to bring the security key or hardware token with you, you can use it for MFA. Since the security key or hardware token is only used for MFA, it can be easier to forget to pack.
Home and office phones are only useful in the locations they are used in, so they are not suitable for use when traveling.
Using cell phones via SMS/text or phone calls for MFA will not work if you are visiting a country where your phone number doesn't work or you do not have cell service.
MFA is only used to verify your identity and ensure the security of your account. It will not be used for monitoring activity and does not provide the University access to your device. If you have questions about privacy related to MFA, please consult the resources below:
- Microsoft Authenticator App FAQ
- University Acceptable Use Policy
- University Employee Electronic Monitoring Policy
Microsoft may limit repeated authentication attempts that are performed by the same user in a short period of time.
- Wait a few minutes and try to sign in again if you are using the call or text verification method to authenticate your sign-in.
- This limitation does not apply to the Microsoft Authenticator, so if you have configured the app you can try using it to sign in using that method.
Microsoft may limit or block voice or SMS authentication attempts that are performed by the same user, phone number, or organization due to a high number of failed voice or SMS authentication attempts.
- If you are using the SMS authentication method, ensure that the verification you are entering is the six-digit code inside the text message, not the number you are receiving the text from.
- If you are still experiencing this error, you can try another method, such as the Microsoft Authenticator App.
If you are not receiving the verification code on your mobile device, try the following:
- Make sure your mobile device has notifications turned on and ensure these modes create an alert that is visible on your device.
- Make sure you haven't turned on the 'do not disturb' feature on your mobile device.
- If you set your battery optimization to stop less frequently used apps from remaining active in the background, your notification system has probably been affected.
- Try turning off battery optimization for both your authentication app and your messaging app. Then try to sign in to your account again.
- Make sure your phone calls and text messages get through to your mobile device. You can test this by getting a friend to call and send a text message to you to make sure you receive both.
- If you don't receive the call or text, first check to make sure your mobile device is turned on. If your device is turned on, but you're still not receiving the call or text, there's probably a problem with your network. You'll need to talk to your provider.
- If you often have signal-related problems, we recommend you install and use the Microsoft Authenticator app on your mobile device as it works over the mobile network and Wi-Fi.
- Try restarting your mobile device.
No - your password can still be compromised. We recommend you use a unique and strong password that does not contain any dictionary words, uses a variety of character sets, and does not contain your previous password. Password complexity requirement is different from multifactor authentication. You still need to change your U of G Single Sign On (SSO) password when required. It is best practice to change your password at least once a year.