Microsoft multi-factor authentication

In 2022, Purdue adopted Microsoft Multi-Factor Authentication for all personal University email accounts. This page provides information about setting up Microsoft MFA, as well as answers to frequently asked questions. 

How to configure Multi-Factor Authentication

If you do not receive an email to register for Microsoft MFA, sign in to https://portal.office.com and then follow the simple instructions found here (if you are already signed in to your Microsoft account, you'll need to sign out and log back in).

If you need additional instructions, they can be found in the video below:

What is Multi-Factor Authentication (MFA)?

Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code on their cell phone or providing a fingerprint scan.

If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.

Microsoft MFA number matching

In 2023, Microsoft is adding "number matching" to MFA as an additional security measure to protect your account. 

To combat “MFA fatigue,” the Authenticator app will now require users to type a number displayed on the screen to complete the authentication process. The measure is designed to prevent accidental approvals and attacks where users are bombarded with approval requests.  

When a user responds to an MFA push notification using the Authenticator app, they will be presented with a number provided by Microsoft. They need to type that number into the app to complete the authentication.

Users who use text messaging or a phone call to complete authentication will not be affected by the change.

MFA Frequently Asked Questions

Setting up MFA

What if I don't have a smartphone?

Microsoft multi-factor authentication allows users to verify authentication using three methods: the Microsoft Authenticator App (default method), SMS text messaging, or an audio phone call.

Users without a smartphone should follow the instructions in the video above, but instead of selecting "Authenticator App" they should select "phone." Users will then be prompted to choose whether they want to receive an authentication code via text message or a phone call. Follow the prompts provided by Microsoft to complete the enrollment process.

If you do not own a smartphone, or plan to be in a part of the world where you will not have Internet access and are therefore unable to use Microsoft Authenticator, a physical token may be used. To learn more, see "How do I obtain a physical token (FOB) for MFA?" in the Purdue IT Knowledge Base.

Can my Apple device use Microsoft MFA?

MFA works on iPhone and Mac devices without issue if the device is up to date. If you are experiencing issues accessing your email on these devices while using the included mail application, you need to either update the device or re-add your mail account to the application. At this time, the only mail client we support fully is Outlook. However, we have had no issues with current mail clients provided by Apple, as they support modern authentication.

What are my authentication options?

Microsoft Authenticator app (Default Method)

  • Microsoft Authenticator is the preferred solution for approving MFA requests. It provides simple push notifications so the user does not have to enter codes into the authentication dialogue, and it can generate 6-digit codes if needed.

SMS Codes

  • Users can receive text messages/SMS containing codes they can enter to approve the authentication.

Phone Calls

  • Users can register a cell or landline phone number to receive a call that prompts them to approve the authentication. 

Physical token (FOB) for MFA

  • If you do not own a smartphone, or plan to be in a part of the world where you will not have Internet access and are therefore unable to use Microsoft Authenticator, a physical token may be used. Learn more by reading "How do I obtain a physical token (FOB) for MFA?" in the Purdue IT Knowledge Base.

Why isn't MFA/email working on my desktop or mobile email client (i.e. phone)?

Microsoft and Purdue IT highly recommend using the Outlook Web App (OWA), Outlook email client, or the Outlook mobile app to access your Purdue Office 365 email.

Depending on your phone and/or email client, Microsoft MFA may not work with unsupported desktop and third-party email applications, and these applications are not recommended. Changes to Microsoft MFA and security policies may affect the ability to use these clients after enrollment.

In some cases, already established mail profiles can't make the transition from single-factor authentication to MFA. In that case, users should remove the profile from the mail client on their phone, then re-add it to enable MFA security.

For the best experience and complete support, Microsoft recommends connecting through one of the following ways:

  • connecting to the Outlook Web App (OWA) using a web browser and the link below:
  • via Exchange within the most current version of the Outlook desktop client or using the most current version of Outlook App for iOS/Android

Microsoft's mobile Outlook App is a proven option that works with MFA; you can learn more by visiting the link below:

  • https://www.microsoft.com/en-us/microsoft-365/outlook-mobile-for-android-and-ios

Microsoft DOES NOT recommend the use of other clients with Office 365, as there are often significant limitations in client functionality as a result.

Because of this, Purdue IT is only able to offer best-effort support for non-Microsoft supported clients, and certain issues may require the use of a Microsoft client to be resolved.

To find help with other clients, please visit:

What applications/systems are protected by MFA?

Current applications that are protected by MFA:

  • Outlook (University email)
  • Teams
  • OneDrive
  • Office 365 applications

How do I change my authentication method?

You can update your authentication methods by going to https://mysignins.microsoft.com/security-info

What if I need help setting up MFA?

Contact the Purdue IT Service Desk.

General information about MFA

How often will I get prompted to use MFA?

Purdue requires users to log in using their MFA credentials once every 90 days. Users who sign out of their Microsoft account, clear their browser cache, or log in from a new device will also be prompted to use MFA when signing in again.

How will Microsoft MFA protect my email account?

Multi-factor authentication means that anyone logging into your email account must both know the password and have something with them, like a cell phone or access to your landline telephone number.

If your account becomes compromised – say because of phishing or someone stealing your password – they still won’t be able to access your account because they are unable to provide the second required authentication factor.

To learn more, visit this page from Microsoft, which explains more fully how MFA works.

Will MFA stop phishing attempts at Purdue?

No, but it should greatly reduce them.  

Most phishing emails and other email-based scams sent to Purdue accounts are caught by spam filters. Occasionally, however, a phishing attack is successful, and the scammer gains access to a compromised account and uses it to send out additional emails to users within the Purdue system. Once 100 percent of our students, staff, and faculty have MFA, there will be a very low likelihood of any additional compromised accounts, which will drastically reduce successful phishing campaigns. However, all email users should continue to be wary and follow the phishing advice found here.