Multi-factor authentication (MFA) - FAQs

Table of Contents:

General Questions

Using multi-factor authentication

General Questions

What is multi-factor authentication (MFA)?

Multi-factor authentication, also referred to as "Two-Factor Authentication" or “Two-Step Verification,” is a technology designed to protect your accounts from hackers by requiring you to provide two pieces of information when signing into a website or application. After you set up MFA, you’ll sign in to your account in two steps using:

Something you know, like your password

Something you have, like your phone

Example: You sign in to a website or application with your username and password (credentials) from a computer you've never used before. This action generates a verification code sent to a phone that you authorized. You enter the code to complete the sign-in process. 

More Information: What is Multi-factor Authentication (source: Microsoft); Two Factor Auth (2FA) (source: BrainStation). 

Why is multi-factor authentication (MFA) required by SUNY?

Many institutions rely on web-based systems today, such as Office 365 and Gmail, to share files and information. This includes higher education institutions, which have become one of the prime targets of phishing and ransomware attacks in recent years. Multi-factor authentication (MFA) is vital in the protection against these types of attacks, as a single password is no longer sufficient in preventing unauthorized access to campus resources and data.   

Who will use multi-factor authentication (MFA)?

Multi-factor authentication will be enabled for all faculty, staff, emeriti, campus community members, and student accounts. 

Why is SUNY Fredonia transitioning from Duo MFA to Microsoft MFA?

Microsoft MFA will provide an overall better user experience and a more secure environment for the campus community.

When will SUNY Fredonia transition from Duo (MFA) to Microsoft (MFA)?

  • On Monday, October 30, 2023, current Virtual Private Network (VPN) users will be upgraded to the new version of the VPN client and enrolled in Microsoft MFA.  

  •  Beginning on October 31, 2023, the rest of the faculty, staff, and campus community members who do not use VPN will be able to opt-in early to transition from Duo MFA to Microsoft MFA. Users simply need to fill out the Microsoft MFA Early Adoption Request Form

  • Beginning on November 6, 2023, all current students will be able to opt-in early to transition from Duo MFA to Microsoft MFA. Users simply need to fill out the Microsoft MFA Early Adoption Request Form.

  • Beginning on Monday, February 12, 2024 campus web applications will require users to use Microsoft MFA when signing in to all SUNY Fredonia web applications. This will include services like FredLearn, Gmail, etc.

Why become an early adopter of Microsoft MFA?

By using Microsoft MFA, you will be prompted much less compared to using the current Duo MFA system. With Microsoft MFA, users can expect to be prompted to MFA every 2 weeks when accessing Fredonia online services.

What will happen if I don't set up Microsoft Multi-Factor Authentication (MFA) before the deadline?

If you don't set up multi-factor authentication (MFA) before the deadlines listed above, the next time you sign in to a site that requires Microsoft MFA verification, you will be prompted to start the registration process.

More Information Required sign in screen

Which SUNY Fredonia systems will require multi-factor authentication (MFA)?

All SUNY Fredonia web applications that currently require MFA.

Who do I contact for help with transitioning from Duo MFA to Microsoft MFA?

If you have questions about multi-factor authentication, you can contact the ITS Service Center at ITS Service Center or (716) 673-3407.

Using multi-factor authentication

How does multi-factor authentication (MFA) work?

After setting up MFA, anytime you sign in to your account from a new device (from off campus), you'll be prompted to confirm the sign-in using the verification method you selected during the setup process. For example, if you choose to use an authenticator app like Microsoft Authenticator, the app will generate a random code that you will use to complete the sign-in process.

What devices can I use with multi-factor authentication (MFA)?

Your cell phone is the ideal device because it's something you always have with you and it allows you to access email, voice, and app features that can be used for MFA. Any device capable of at least one of these can be used. So for example, a tablet can be set up with the authenticator app, or you can use a computer to access a separate email account to receive the verification code.
NOTE: You are strongly encouraged to set up at least two methods of authentication. To do this, follow this guide on Adding Multiple Sign-in Methods to Microsoft MFA.

How do I set up Microsoft MFA?

Please follow these steps to set up multi-factor authentication. This video demonstrates how to register for multi-factor authentication using the Microsoft Authenticator app.

How to register for Microsoft Entra Multi-Factor Authentication

Important: Please note that SUNY Fredonia does not permit the use of text messaging codes for MFA. SMS MFA intercept attacks pose a significant threat because they can bypass the additional layer of security provided by MFA.

How many devices should I add?

When setting up your verification options, it is strongly recommended that you add at least two verification methods, but certainly as many as you can, to provide a backup method if you do not have your primary method available. For example, you can add your cellphone as one authentication method and the Microsoft Authenticator app and/or your office landline as a second authentication method. To add sign-in methods, follow this guide on Adding Multiple Sign-in Methods to Microsoft MFA.

Do I need to have a smartphone to use multi-factor authentication (MFA)?

While a smartphone isn't required to use multi-factor authentication, using a smartphone is recommended because it's something you always have with you. Other devices like a tablet or landline phone (such as your office or home phone) can also be used with MFA but aren't recommended as the primary method because these are not things that you always have access to.
For example, if you try to sign in to Gmail or Office 365 from a computer in a hotel or public library, you won't be near your office or home phone to receive the verification code. 

What if I forget my smartphone at home?

You are encouraged to register at least two authentication methods, but we strongly recommend setting up more authentication methods with MFA. This way you will have a backup method to choose from if one method is unavailable. For example, you could set up your smartphone for push verifications and your office and home phones to do callback. 

What happens if I lose my smartphone?

If you lose your phone or suspect it's been stolen, you should contact the ITS Service Center immediately at 716-673-3407. The ITS Service Center will remove your MFA methods and reset any sessions that might be open which will allow you to access the MFA setup page to add new MFA verification methods.

Can I use the Microsoft Authenticator app internationally?

The Microsoft Authenticator app is designed to work internationally. If you are traveling to another country and won't have cellular service, you can configure the Authenticator app to generate an OATH verification code that can be entered (if and when you need to sign in to your Office 365 account). If you will have cellular service while traveling, the Authenticator app can also be configured for push notifications (e.g. you just need to approve the app prompt on your phone if and when you need to sign in to your account).

Can the system handle international phone numbers?

Yes, Microsoft MFA can handle international phone numbers. When you add your phone number on the MFA setup page, select your country from the drop-down list and then enter your 10-digit phone number. 

Prompt for phone number screen

How often will I be prompted for my verification code?

You can choose to have the authenticator app remember your device and browser for 14 days. You need to check the box next to “Don’t ask again for 14 days” before you approve the sign-in request. You should only be prompted for your MFA verification code once within 14 days in that device and browser.

If I use a hardware token with Duo, will it work with Microsoft MFA?

It depends on which hardware token you are using”

If you are using the Duo-branded button token, we could issue an appropriate replacement if you need to continue using a hardware token with Microsoft MFA.

Employees who have been issued a Yubico USB hardware token could continue to use the token if they wish by installing the Yubico Authenticator app on their computers and registering it in their account as an additional authentication option for Microsoft MFA. Follow the instructions found at Using YubiKeys with Azure MFA OATH-TOTP.

Can I use my own security key with Microsoft MFA?

No, we are not able to support personal security keys at this time.

How can I add other devices to my Microsoft MFA account?

To add/modify/remove additional sign-in methods, or to change the default method, access your Account Security info at My Sign-Ins, select Add sign-in method and follow the prompts. For more detailed information, please read this guide on Adding Multiple Sign-in Methods to Microsoft MFA.

Are you having an issue with the “Don’t ask again for 14 days” option?

There is an option on some browsers to automatically clear cookies and other site data whenever you close the browser. This is why Microsoft MFA doesn’t “remember” that you checked this option. Please follow this article to change your browser settings.

If your browser settings are correct, and the 14 days option is still not working, please note that the 14 days will only apply to the specific computer and browser you are using. For example, if you check this option on your laptop, and then sign in on a lab computer within 14 days, you will still have to use Microsoft MFA on the lab computer. If you sign in on Google Chrome and then sign in again on Microsoft Edge within 14 days, you will have to verify with Microsoft MFA on Microsoft Edge. This is a feature of all secure multi-factor authentication software.

What are some common problems with two-step verification?

Some common two-step verification problems seem to happen more frequently than any of us would like. Microsoft Support created the Most Common Problems with Two Step Verification article to describe fixes for the most common problems.