Frequently asked questions about multi-factor authentication for Office 365
This list of frequently asked questions about multi-factor authentication (MFA) for Office 365 was gathered by Winona State University Information Technology Services staff from students and employees. The list is checked regularly and modified as needed. Please direct suggestions for additional questions to the Technical Support Center (TechSupport@winona.edu, 507-457-5240, Somsen Hall 207).
Why should I use multi-factor authentication?
MFA is the best way to prevent someone who steals your password from accessing your account. Even if thieves have your password, they will not have the secondary form of verification required to approve access to your account (e.g., your mobile phone). In addition to your Winona State University Office 365 account, you should enable MFA on any account that allows it (e.g., online banking, Amazon, Facebook, Google).
What are the chances of my password being stolen?
It has probably happened already. Given the scope of recent breaches of such popular services as Dropbox, Chegg, Experian, MyFitnessPal, Target, Adobe, Quora, and Marriott, everyone should assume that their password has been stolen at some point. Although it was probably encrypted, the thieves have been busy trying to break the encryption. If you didn't use a strong password, they have probably already cracked it. Data breaches are not the only risk: you might have revealed your password in a phishing scam or by writing it on a piece of paper that someone found on your desk, in your wallet, or in the dumpster. You might have unwittingly installed malware on your laptop that is recording your keystrokes and sending them to thieves online. Maybe your password was intercepted when you were using that free, unsecured WiFi network at the coffee shop, airport, or hotel.
Why can't I just change my password if it's stolen?
Thieves don't usually tell you that they stole your password and, in the time it takes you to change your password, a thief can make off with all of your private data.
What if my password and my laptop get stolen?
First, report your stolen laptop to the Technical Support Center (TechSupport@winona.edu, 507-457-5240, Somsen Hall 207) immediately. They can disable your laptop remotely, preventing anyone from accessing it. Second, never leave your laptop open and logged in unattended. Always log out. If someone who knows your StarID password steals your laptop, they will be required to verify their credentials if they attempt to log in to Office 365 from an unfamiliar network. A login from an unfamiliar network will always trigger verification.
I don't have anything valuable in Office 365, so why should I worry?
You probably do have valuable information stored in Winona State University Office 365 services, including confidential email messages, attachments, and contact information in Outlook, private files in OneDrive and Teams folders, or personal notes in OneNote. The risk extends beyond stealing data. For example, someone posing as you could send malicious email from your account and engage in other behavior harmful to you and others.
Is multi-factor authentication the same as two-factor authentication?
Although these refer to the same basic security practice, some accounts only allow you to enable a single, additional verification method, while others allow you to enable several methods simultaneously as fail-safes in case your preferred method is unavailable. Depending on the account, this option may be called two-factor authentication (2FA) or two-step verification.
Must I verify my credentials every time I access Office 365 services?
In most cases, no. When you successfully log in to Office 365, an authentication token (or key) that unlocks your access is saved to that device and lasts from 14 to 30 days. After that token expires, you will be prompted to log in, using MFA if enabled. There are several things that can trigger a new login sooner:
- You change your StarID password
- You log in using a device that has never accessed your Office 365 account before
- You log in using an unsecure device (e.g., a personally-owned device)
- You log in from another geographical location
- You manually signed out of your Office 365 account the last time you used it
- WSU or Minnesota State system administrators force a fresh login
If my laptop saves my credentials, then what's the point of MFA?
MFA is intended to thwart people who have your password, not your Winona State University laptop. If thieves have both your laptop and your StarID password, then they would be able to log in to your laptop and use it to access your Office 365 account if your authentication token were still valid. If it had expired, then they would be confronted with MFA and would not be able to access your Office 365 account via your stolen laptop.
Does MFA apply to desktop versions of Office applications?
Once MFA is enabled, you will use a second verification method any time you are asked for your credentials while using any component of Office 365. Although you are not queried frequently when using the installed versions of Office 365 applications, it does happen occasionally.
What if I'm offline?
On those occasions when you have no cellular, WiFi, or wired Internet access and are prompted to verify your Office 365 credentials, you can still use the Microsoft Authenticator app on your phone to view a rolling, one-time password that you can enter as verification. These one-time passwords are generated even when your phone is offline.
What if I don't have access to a phone?
On those occasions when you have no direct access to your mobile or alternate phone and are prompted to verify your Office 365 credentials, ...
Can I turn MFA off temporarily? Permanently?
Once MFA is enabled on your Winona State University Office 365 account, you cannot disable it. Contact the Technical Support Center (TechSupport@winona.edu, 507-457-5240, Somsen Hall 207) for help disabling it.
Am I required to use MFA?
Staff using Winona State University computers must enable MFA on their Office 365 accounts. Students and faculty are not required to do so. However, the benefits of MFA far outweigh the costs and all services that house important and potentially private data will require MFA eventually, so you should be using it on all accounts that offer it.
Does this apply to D2L Brightspace?
No. Currently, D2L does not offer its Brightspace customers an MFA option. Someone with your StarID password would be able to log in to Brightspace as you and access all of your courses. This illustrates why MFA is so important and why you should enable it on every account that offers it.