Microsoft multi-factor authentication

In 2022, Purdue adopted Microsoft Multi-Factor Authentication for all personal University email accounts. This page provides information about setting up Microsoft MFA, as well as answers to frequently asked questions. 

How to configure Multi-Factor Authentication

If you do not receive an email to register for Microsoft MFA, sign into https://portal.office.com and then follow the simple instructions found here (if you are already signed into your Microsoft account, you'll need to sign out and log back in).

If you need additional instructions, they can be found in the video below:

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code on their cell phone or providing a fingerprint scan.

If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.

MFA Frequently Asked Questions

Setting up MFA

What if I don't have a smartphone?

Microsoft multi-factor authentication allows users to verify authentication using three methods: the Microsoft Authenticator App, SMS text messaging, or an audio phone call.

 

Users without a smartphone should follow the instructions in the video above, but instead of selecting "Authenticator App" they should select "phone." Users will then be prompted to choose if they want to receive an authentication code via text message or a phone call. Follow the prompts provided by Microsoft to complete the enrollment processes. 

 

Can my Apple device use Microsoft MFA?

MFA works on iPhone and Mac devices without issue if the device is up to date. If you are experiencing issues accessing your email on these devices, while using the included mail application, this means you either need to update the device, or re-add your mail account to the application. At this time, the only mail client we support fully is Outlook. However, we have had no issues with current mail clients provided by Apple, as they support modern authentication.

Why isn't MFA/email working on my desktop or mobile email client (i.e. phone)?

Microsoft and ITaP highly recommend using the Outlook Web App (OWA), Outlook email client, or the Outlook mobile app to access your Purdue Office 365 email.

Depending on your phone and/or email client, Microsoft MFA may not work with unsupported desktop and third-party email applications and are not recommended. Changes to Microsoft MFA and security policies may affect the ability to use these clients after enrollment.

In some cases, already established mail profiles can't make the transition to MFA from single factor authentication and users should remove the profile from their mail client on their phone, then re-add it to enable MFA security.

For the best experience and complete support, Microsoft recommends connecting through one of the following ways:

  • connecting to the Outlook Web App (OWA) using a web browser and the link below:
  • via Exchange within the most current version of the Outlook desktop client or using the most current version of Outlook App for iOS/Android

Microsoft's mobile Outlook App is a proven option that works with MFA; you can learn more by visiting the link below:

  • https://www.microsoft.com/en-us/microsoft-365/outlook-mobile-for-android-and-ios

Microsoft DOES NOT recommend the use of other clients with Office 365, as there are often significant limitations in client functionality as a result.

Because of this, ITaP is only able to offer best-effort support for non-Microsoft supported clients, and certain issues may require the use of a Microsoft client to be resolved.

To find help with other clients, please visit:

What applications/systems are protected by MFA?

Current Applications that are protected by MFA:

  • Outlook (University email)
  • Teams
  • OneDrive
  • Office 365 applications 
What are my authentication options?

Microsoft Authenticator app (Preferred Method)

  • Microsoft authenticator is the preferred solution for approving MFA requests. It provides simple push notifications so the user does not have to enter codes into the authentication dialogue, and can generate 6 digit codes if needed.

SMS Codes

  • Users can receive text messages / SMS containing codes they an enter to approve the authentication.

Phone Calls

  • Users can register a cell or landline phone number to receive a call that prompts them to approve the authentication.
How do I change my authentication method?

You can update your authentication methods by going to https://mysignins.microsoft.com/security-info

 

What if I need help setting up MFA?
Contact the ITaP Customer Service Center at itap@purdue.edu or 765-494-4000.

General information about MFA

Is Microsoft MFA the same as BoilerKey?
BoilerKey is a separate two-factor authentication system for many of the University's tools and services. Microsoft MFA is meant to protect email and other services provided by Microsoft.
How often will I get prompted to use MFA?
Purdue requires users to log in using their MFA credentials once every 90 days. Users who sign out of their Microsoft account, clear their browser cache, or log in from a new device will also be prompted to use MFA when signing in again. 
How will Microsoft MFA protect my email account?

Multi-factor authentication means that anyone logging into your email account must know both the password and have something with them – like a cell phone or access to your landline telephone number.  

If your account becomes compromised – say because of phishing or someone stealing your password – they still won’t be able to access your account because they are unable to provide the second required authentication factor.  

To learn more, visit this page from Microsoft which explains more fully how MFA works

Will MFA stop phishing attempts at Purdue?

No, but it should greatly reduce them.  

Most phishing emails and other email-based scams sent to Purdue accounts are caught by spam filters. Occasionally, however, a phishing attack is successful, and the scammer gains access to a compromised account and uses it to send out additional emails to users within the Purdue system. Once 100 percent of our students, staff, and faculty have MFA, there will be very low likelihood of any additional compromised accounts thus drastically reducing successful phishing campaigns. However all email users should continue to be wary and follow the phishing advice found here