Microsoft multi-factor authentication

Starting in the 2021 fall semester, Purdue is implementing Microsoft's multi-factor authentication process to help protect University email and your personal information from security risks.

How to configure Multi-Factor Authentication

Step 1: Sign up for Microsoft MFA by filling out the form found here

Step 2: Within an hour of signing up, you will receive an email with further instructions on how to set up Microsoft MFA. 

If you do not receive an email to register for Microsoft MFA, sign into https://portal.office.com and then follow the simple instructions found here (if you are already signed into your Microsoft account, you'll need to sign out and log back in).

If you need additional instructions, they can be found in the video below:

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code on their cell phone or providing a fingerprint scan.

If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.

MFA Frequently Asked Questions

Setting up MFA

Who is currently impacted by MFA?

Microsoft MFA is available for all faculty, staff and students on the West Lafayette campus.

All faculty and staff will be required to use MFA by the end of January 2022. ITaP will work with students and student organizations to implement it for all students during the spring 2022 semester. 

What if I don't have a smartphone?

Microsoft multi-factor authentication allows users to verify authentication using three methods: the Microsoft Authenticator App, SMS text messaging, or an audio phone call.

 

Users without a smartphone should follow the instructions in the video above, but instead of selecting "Authenticator App" they should select "phone." Users will then be prompted to choose whether they want to receive an authentication code via text message or a phone call. Follow the prompts provided by Microsoft to complete the enrollment process.

Why isn't MFA/email working on my phone?

Depending on your phone and email client, Microsoft MFA may not work with your smartphone’s email application.  

In some cases, an already established mail profile can't make the transition from single-factor authentication to MFA. If this happens, remove the email account from the mail client on your phone, then re-add it to enable MFA security.

Microsoft's Outlook App is a proven option that works with MFA; you can learn more about the Outlook App here.

What applications/systems are protected by MFA?

Current Applications that are protected by MFA:

  • Outlook (University email)
  • Teams
  • OneDrive
  • Office 365 applications

What are my authentication options?

Microsoft Authenticator app (Preferred Method)

  • Microsoft Authenticator is the preferred solution for approving MFA requests. It provides simple push notifications so the user does not have to enter codes into the authentication dialogue, and it can generate 6-digit codes if needed.

SMS Codes

  • Users can receive text messages (SMS) containing codes they can enter to approve the authentication.

Phone Calls

  • Users can register a cell or landline phone number to receive a call that prompts them to approve the authentication.

How do I change my authentication method?

You can update your authentication methods by going to https://mysignins.microsoft.com/security-info

What if I need help setting up MFA?

Contact the ITaP Customer Service Center at itap@purdue.edu or 765-494-4000.

General information about MFA

Is Microsoft MFA the same as BoilerKey?

BoilerKey is a separate two-factor authentication system for many of the University's tools and services. Microsoft MFA is meant to protect email and other services provided by Microsoft.

How often will I get prompted to use MFA?

Purdue requires users to log in using their MFA credentials once every 90 days. Users who sign out of their Microsoft account, clear their browser cache, or log in from a new device will also be prompted to use MFA when signing in again.

Will MFA be required for Purdue retirees email?

ITaP is working with the Purdue University Retirees Association to implement multi-factor authentication for retiree accounts; additional information will be announced soon. However, retirees may also sign up now following the instructions listed above.

How will Microsoft MFA protect my email account?

Multi-factor authentication means that anyone logging into your email account must both know the password and have something with them – like a cell phone or access to your landline telephone number.

If your account becomes compromised – say because of phishing or someone stealing your password – the attacker still won’t be able to access your account because they are unable to provide the second required authentication factor.

To learn more, visit this page from Microsoft which explains more fully how MFA works

Will MFA stop phishing attempts at Purdue?

No, but it should greatly reduce them.  

Most phishing emails and other email-based scams sent to Purdue accounts are caught by spam filters. Occasionally, however, a phishing attack is successful, and the scammer gains access to a compromised account and uses it to send out additional emails to users within the Purdue system. Once 100 percent of our students, staff, and faculty have MFA, there will be a very low likelihood of any additional compromised accounts, thus drastically reducing successful phishing campaigns. However, all email users should continue to be wary and follow the phishing advice found here