First Time MFA Setup
Accessing Your MFA Settings
Supported MFA Verification Methods
Using the Microsoft Authenticator App
Using Phone/SMS (Text Message)
Using a Security Key
Frequently Asked Questions (FAQ)
In an effort to promote secure practices and to protect your account, we have implemented Multi-Factor Authentication (MFA). We encourage you to create a strong MFA strategy. To do this, you should set up an authenticator app on more than one device and/or use an additional phone number to allow access to your account in the event that your primary verification method is inaccessible.
Visit the Frequently Asked Question (FAQ) section below for more information on MFA.
(Click on images throughout the article to enlarge)
First Time MFA Setup
If you have not previously set up MFA, you will receive a prompt (pictured below) the next time you log in.
Clicking "Next" will bring you to the MFA registration page.
There are three ways to proceed:
- The Microsoft Authenticator app is the recommended method. Click "Next" to begin.
- Or, if you prefer a different authenticator app, click "I want to use a different authenticator app" to follow that process.
- The final choice, if you'd like to see other available options, is to click "I want to set up a different method."
After you have set up your first method, it is highly recommended to add a secondary option, such as an Authenticator App on another device.
Accessing Your MFA Settings
You may access or modify your MFA settings by visiting the Security info page.
Supported MFA Verification Methods
- Authenticator app (Microsoft Authenticator): used to generate a one-time verification code and/or allow you to approve/block login attempts.
- Phone call: receive a phone call and press # to verify.
- SMS (text message): receive a one-time verification code via text.
- Security Key*: hardware device used to prove identity (* important information, see details in section below)
Note: While the Email method is listed as an option on the Security info page, it cannot be utilized as an MFA method. For more information on the purpose of the Email method, please see the Setting Up Recovery Methods for Self-Service Password Reset article.
On the Security info page, click the "+ Add sign-in method" button.
Choose “Authenticator app” and click Add, and then click next twice.
To install the app on your mobile device, start by going to your app store (Play Store on Android or App Store on iOS) and searching for Microsoft Authenticator. To help you identify the app, this is what the icon looks like:
Open the Microsoft Authenticator app and Scan the QR code. If you cannot scan the code for any reason, click "Can't scan image?" and manually enter the code that is provided.
You may get a notification stating “App Lock enabled,” click OK
Now, look back to your computer screen that has the QR code. Click Next, it will check activation status.
Once complete, it will show that the app has been configured, the “Set up” button will gray-out, and the “Next” button will light up. Click “Next.”
A random number will show up on your screen and a notification will be sent to your device.
Enter the number on your device app "Are you trying to sign in" prompt and click "Yes." Note: you may be prompted for your PIN, fingerprint, facial recognition, or whichever form of security is setup on your phone/tablet.
Finally, you will either need to sign-in first, or will be immediately directed to your settings page. Here you can set up other methods and adjust your default verification method.
It is highly recommended to include a secondary phone number for unlocking your account. In the event that your main device is lost or broken, this will provide another verification method.
Your authenticator app is now configured and ready for use the next time you log in.
NOTE: if you get a new phone/tablet or reinstall the application on your current phone/tablet you will need to repeat the registration process detailed above before you can use the app for verification.
Passwordless sign-in using the Microsoft Authenticator App is now available. While using this feature, there may be instances where you must provide your password. Microsoft has security measures in place that control the ability to login passwordless. IT cannot override situations where Microsoft is prompting for password entry.
To setup Passwordless, open your Microsoft Authenticator App. Tap your account entry and then select "Set up phone sign-in (sign in without a password)." Press "Continue" on the registration page. Sign into your account, if prompted. Next, click "Register" and then "Finish." You always have the option to disable this from your app. Please note that the first time you go to login, after entering your user name and arriving at the password screen, you may need to click "Other ways to sign in" and then "Approve a request on my Microsoft Authenticator app."
Select a phone method and verify it via a phone call or a text message. Press pound for the phone call, or enter the SMS code into the prompt.
Note: When Call or Text are set as a default option, you will be prompted to select your method upon login. The following screen may differ, based on the MFA options you have configured:
Remember, you can visit the Security info page at any time to set your default method and update your MFA verification methods.
Using a Security Key
A security key* is a small device, similar in size to a USB flash drive, that can be registered to your account and provides a unique way of granting access. Microsoft is specifically employing an authentication standard called FIDO2. As well as being an MFA option, it adds the benefit of passwordless* sign-in for some situations. In these instances, when you click the “Sign-in options” button, choose “Sign in with a security key” to access the feature.
*Please note that using a security key, as well as passwordless options, may not always be available. Depending on your device’s operating system, application/browser, or specific requirements of the service you are signing in to, you may need another method. We recommend having more than one MFA method setup for your account as a work around during this time where FIDO2 isn't supported everywhere. In our testing, keys were most compatible with Chrome, Firefox, and Edge browsers on Windows, as well as Chrome on MacOS. Anything beyond these combinations (such as mobile devices and/or other browsers) may be possible, but are outside the scope of what IT will provide support for at this time.
Setting Up a Security Key
Navigate to the Security info page, click the "+ Add sign-in method" button.
Choose “Security Key” and click Add. Select USB device (on devices that support NFC, the key can still be used via that interface later). There will be a series of prompts to follow. These may differ depending on the operating system and browser you are using.
For this example, the following steps are using Chrome on Windows 10:
Click "Next" on the screen about having your key ready. On the prompt to "Create a passkey," select "External security key or built-in sensor." A Windows Security dialog now appears to state the service you are setting up a sign-in to and also displays your username, click "OK." A second Windows Security dialog appears to let you know what information will go to Microsoft and what will be stored on your security key. Click "OK" again. Next, you will be prompted to create or enter a PIN for the security key. (This is required.) Enter the PIN and press "OK." Touch your security key, when prompted. Enter a descriptive name for your security key (this is something of your choosing, and useful if you end up adding multiple security keys), and press "Next." On the final message, click "Done."
- Why is MFA being implemented?
Protecting our users and their information is a priority. In today’s environment, we identify a user by their provided username and password. However, what happens if that password is stolen or compromised? MFA allows us to use a second ‘different’ factor. Something you: Know (your password) and something you Have (your smartphone). As a result, if your password is compromised, your account is still protected by the second authentication method.
- When MFA is activated, will my accounts stay signed in?
Any account that is actively signed in via a browser will remain active until the browser is closed. The next time the account is accessed in a new browser session, you will be prompted for MFA verification. Accounts that are signed in via apps (i.e., Gmail on a cellphone) will not require MFA until you manually sign out or are required to sign back in, due to a password change.
- What if I can't log into my account because of an issue with the MFA options I have configured?
Contact the ITSC via email at itsc@baker.edu or phone at (800) 645-8350.
- Will I need to use MFA on my smartphone/tablet?
Yes. Any app that utilizes single sign-on (SSO) will prompt for MFA verification.
- Will I need to use MFA to access my email?
Yes, all services/applications that use single sign-on (SSO) will prompt for MFA. Examples are: Gmail, Zoom, My Baker, My St. Francis School of Law, Canvas, etc.
- Will I need to use MFA to connect to Baker College Wireless?
No, not at this time.
- What happens if I lose my phone/tablet/security key or get a new one?
It is highly recommended to include a secondary authentication method, on a separate device, for unlocking your account. In the event that your main device is replaced, lost or broken, this will provide another method to access your account. During sign-in, on the verification screen, click "Sign in another way" or "I can't use my Microsoft Authenticator app right now" (text may vary depending on the default option you have set) to access your list of other methods. If you need to add the new device as a method, once you are logged in, you can update the Security info page
- Will I ever need to re-verify my MFA setup?
Occasionally Microsoft will prompt you to check that the Security info page still has what you would like to use. If you happen to see an old phone number or other outdated authentication methods, you should update it to keep your account secure and ensure accessibility.
- Can I use an alternate email address or token as my MFA method?
While other MFA verification options exist, the current MFA methods approved are: phone call, text (SMS), the Microsoft authenticator app, or security keys (with limited support). No other MFA methods are supported by IT at this time.
- What number will phone or SMS verification come from?
Voice call MFA verification will come from +1 (855) 330-8653. Note: sometimes the calls are routed through a carrier that doesn't support caller ID. Because of this, caller ID isn't guaranteed.
Microsoft uses SMS short codes when sending MFA codes. There is no guarantee of consistent SMS short code numbers due to route adjustments to improve SMS deliverability.
- How do I choose a security key?
There are many brands available with various features at different price-points. Be sure to pick one that is FIDO2 Certified. IT has tested several models from two vendors that we recommend: YubiKey (by Yubico) and TrustKey (by TrustKey Solutions). You can choose from USB-A or USB-C keys. Some even support NFC.
- Passwordless sign-in suddenly isn't working with my Microsoft Authenticator App. How do I turn it back on?
Microsoft employs many techniques for security. Even while using passwordless authentications, sometimes you will be prompted for your password, as well as number matching. Often these cases may occur after a failed passwordless challenge or attempt by someone other than yourself to access your account. After a successful login with your password, you should be able to then select "Other ways to sign in" and choose "Approve a request on my Microsoft Authenticator app" again.