Since the start of the COVID-19 pandemic, there has been a substantial rise in scams/phishing attacks preying on people’s fears about COVID-19. In the University sector this has been widespread and some institutions have faced damaging ransomware attacks as a result of compromised accounts.
We have been seeking guidance from external advisory boards and looking to best practice guidelines from the National Cyber Security Centre (NCSC). After careful consideration, we have decided to do a rapid deployment of Office365 Multi-Factor Authentication (MFA).
We’ve done several rounds of testing within Information Services teams and now have the whole of IS using MFA with very little incident.
We are now ready to deploy MFA more widely across the organisation and will be rolling this out in phases to staff and students.
You will be contacted by the Information Centre when MFA is being switched on for you.
What is MFA?
Multi-factor Authentication (MFA) is an approach to online security that requires you to provide more than one type of authentication for a login or other transaction.
Also known as ‘Two-step Verification’, MFA adds an extra layer of protection to your account and is used on a regular basis for many online transactions such as banking, shopping, or PayPal.
MFA requires you to authenticate using:
Something you know: your username and password
Something you have: a trusted device, such as your mobile phone, on which to receive and respond to verification requests
Why are we introducing MFA?
Using MFA significantly increases the security of your account and therefore your data. With MFA, it is much harder for hackers to do damage to our network when somebody gives up their account details in response to a scam email, as they would also need to be in possession of the authentication device to access the phished account.
What does this mean in practice?
When you go to access any of the Office365 apps like Outlook, OneDrive, SharePoint or Teams, you will first be asked to log in as usual and then provide verification in a second step using your mobile.
Normally you would log in using your Microsoft credentials: email@example.com and your network password.
With MFA, there’s an additional screen which asks you to confirm the login on your trusted device. If you use the Microsoft Authenticator App, a wee pop up will appear on your mobile device asking you if you want to allow the login request. Simply click ‘Allow’ to get logged in. You can also set MFA up to text you a code which you would enter on logging in, or to phone you on a landline with a code to be entered on login.
You won’t have to log in every time you access O365. On successful authentication you will be asked whether you want to stay logged in to O365; if you click yes, this will minimise the number of login requests you will receive.
How to get set up for MFA
The first time you encounter MFA (after doing your usual login to Office 365), you will see a screen ‘More information required’. Click ‘Next’ and follow the on-screen instructions to set up MFA. Have your mobile device to hand. Detailed instructions with screenshots are available in the PDF attached to this UniDesk knowledge item: http://stir.ac.uk/36f
What happens next
We will get in touch with you via email when it is your turn to get set up with MFA. It is a good idea to download the Microsoft Authenticator App ahead of time so that you are ready.
We are likely to introduce MFA to the remote desktop gateway and the VPN in future. Both of these will use the same Microsoft authentication method and will significantly improve security on our remote services. Testing is currently being done on both services prior to roll out but we will not implement until after the whole staff is using O365 MFA. Rollout to the wider staff community is likely to be phased in order for the Info Centre to be able to handle enquiries. Rollout to students will not be undertaken until after the exam period.
If you need any help, please contact the Info Centre as usual. We will be building our FAQs for the wider University community as your questions come in, so please don’t be afraid to ask us any questions. http://stir.ac.uk/36f
7 thoughts to “Office 365 Multi-Factor Authentication is coming!”
Colleagues: I do NOT use a touchscreen smartphone. How will MFA operate in my case?
You do not need a smartphone as there are other options available. You can get a text message sent to your phone instead containing a code that you need to enter in order to log in. If you do not have access to a mobile, you can also receive a phone call using a landline.
I hope this helps.
Do I understand this correctly? One must have a mobile phone? Certainly a landline is not very helpful if one works at home on some days and at the uni on others because these are different landlines. Or is one prompted each time for a (different) landline?
How about a personal email address for this code to be sent to?
It is more ideal if you use a mobile phone as it usually travels with you. However, when setting up MFA, you can set up multiple methods so that you can use a different landline/phone number as a backup should you not have access to your primary landline/phone.
Hope this helps.
Thanks. Yes, that should do the trick!
It turns out that one can supply only ONE number, not a back-up number. So if I use a landline and have an old mobile (and cannot install an app), this is not good enough. Can one at least change it when one is somewhere else? And at which stage in the process?
I am sorry that you are having difficulties. Can you please log a call with the Information Centre so that one of our team members can assist you in more detail?
You can do so by sending an email to firstname.lastname@example.org or by submitting a request through the Unidesk self-service portal.