O365 Multi-Factor Options

From WSU Technology Knowledge Base
Jump to: navigation, search

Winona State University will be implementing an Office 365 security feature this fall called Multi Factor Authentication. Usually referred to as just MFA, Multi Factor Authentication is a pre-set agreement with the system that your password alone isn't enough to prove your true identity when you log in. The system will ask for more proof analogous to a special knock or a secret handshake before it will let you in the door. The type of handshake or knock you choose can have an impact on how and where your account can be used, so we want you to be well-informed before you decide what is best for you.

We are going to provide you an overview of these options and ask that you complete a short survey afterwards to let us know what you are most likely to select during the deployment for our planning. Keep in mind that some of these options can be used at the same time to give you additional flexibility. You should also know that MFA doesn't request your special handshake every time you log in from your office or other "trusted" computers, only when it detects something has changed or your account is being used someplace it hasn't yet seen.

Some of the types of Secret Handshakes and Special Knocks that will be available to you:

Option 1 --Smartphone Notification App

This is generally the easiest option for people who have a smartphone and is presented as "Notify me through app". When the system needs additional assurance to verify your password was really entered by you, an popup is seen on your phone that asks you "Do you approve this login Y/N" All you need to do is press Y or N to confirm you expected that login and the rest is automatic. This application is easy to configure, easy to monitor and consumes very little data and battery. The up-side of this option is that it makes your Office 365 account accessible to you wherever you bring your smartphone. If you need to access your account on your home computer… Press Y on your phone. If you need to access your account from a hotel lobby kiosk… Press Y on your phone. The only negative to this option is that not everyone has a smartphone or is willing to use their smartphone for anything work-related. This is why there are other options

Option 2 --Cell Phone Text

This is the next easiest way for most people to verify their identify when the need arises but either don't have a smartphone or don't want the overhead of the application. The "text a code to my phone" option will simply text you a seemingly random 6 digit number that you will be prompted to enter after your password. When you enter the correct numbers it sent, the system is relatively certain it is you and not a hacker with a stolen password and will let you in. This option is again very easy to setup and requires very little setup and only basic texting service. While it is isn't quite as easy as the notification app, it does provide people with the ability to access their account while not at work or on a work laptop which can be important to some people. While not required, leveraging a personal cellular device does provide you the most flexibility in accessing your work account when not at work.

Option 3 --Smartphone Code Generating App

Similar to the 6 digit codes sent via text to your cell-phone, the code generator app is a way to verify your identity but without the data requirements of option1 or even cellular sms signal of option 2. It will work in the basement of a fallout shelter. Though not as easy as pressing Y or N it does provide users a good option if they are frequently in a location where cellular service is poor, but receive Internet access through a different provider.

Option 4 --Call My Phone

This option is for anyone who wants to be able to access their account from off-campus but doesn't have a smartphone or cell phone capable of receiving a text. This option works on any home phone or basic cell phone. When the system doesn't recognize you logging in, you will receive a phone call with an automated voice asking you to approve this logon attempt. If you weren't expecting this call you would obviously not approve it, but if you had just typed your password into your home computer you would press a number to finish the logon process. This isn't an ideal option for most people because it is much slower and less mobile that the others, but it can be very helpful in a pinch.

Option 5 --Call My Office Phone

Just like option 4, the system has your university office number pre-populated and can call you to confirm your logon. If you forgot your phone at home, or dropped it in the river over the weekend, this option is a fail-safe that will allow you to get logged in when you return on Monday morning. Again, this option can be cumbersome and will not facilitate access on a home computer or anywhere that isn't within arm's reach of your desk phone, but it does assure you can get your work done on your work computer when you are at work.

Option 6 --University Laptop or Tablet as Code Generating App

Exactly like option 3, it is possible to install a code generator application on a university laptop or tablet that will function as extra "proof" it is you when you log in. This option may look appealing; however we don't feel it will be overly helpful for most people. After all, if you have your university laptop at home why try to check your mail on your home computer? It will already be working on your laptop! There may be a few specific use cases however that this will make sense. Perhaps someone doesn't have a cell.

More Info

Google data shows 2-factor authentication blocks 100% of automated bot hacks - The Next Web

Why You Should Start Using Two-Factor Authentication Now - Heimdal Security

How to Secure Your Accounts with Better Two-Factor Authentication - Wired.com