Enabling Multi-Factor Authentication (MFA) and Passwordless Sign-In
Why do I want MFA and Passwordless Sign-In?
Passwords are terrible. They are one of the oldest security methods and one of the least secure: a password can be guessed, phished, or reused from a breach somewhere else, and anyone who learns it can sign in as you. Relying on passwords is also time consuming and frustrating for you as a user, with many passwords to remember, constant updates, and different rules on complexity and usage.
USJ has decided to allow use of Microsoft’s MFA and Passwordless Sign-In to remove the day to day use of passwords and make system access both easier and more secure for our community. Because each sign-in is confirmed on your phone rather than with a password alone, someone who learns your password still cannot get into your USJ account without also approving the sign-in on your phone.
This article will teach you about what MFA and Passwordless Sign-in are, help you set them up, and show how they will work for you each day when you need to log in.
Concepts
Multi-Factor Authentication (MFA)
Multi-factor authentication is a process where a user is prompted during sign-in for an additional form of identification, such as approving a notification or entering a code on their cellphone, or providing a fingerprint scan.
If a user is authenticated with only a password, that password is a single point of failure. If it is weak or has been exposed elsewhere, the system cannot tell whether it is really the user signing in with the username and password or an attacker. Requiring a second form of authentication raises the bar, because the additional factor is not something an attacker can easily obtain or duplicate.
Azure AD Multi-Factor Authentication works by requiring two or more of the following authentication methods:
- Something you know, typically a password.
- Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key.
- Something you are - biometrics like a fingerprint or face scan.
Passwordless Sign-In
The Microsoft Authenticator app can be used to sign in to any Azure AD account without a password. Microsoft Authenticator uses key-based authentication: the credential is a key tied to the device, and the device only uses that key after you unlock it with a PIN or biometric.
People who have enabled phone sign-in in the Microsoft Authenticator app see a message on the sign-in page asking them to match a number in their app. No username or password is asked for. Because the number appears only on the screen where the sign-in was started, a prompt you did not start should never be approved. To complete the sign-in process in the app, the user must next take the following actions:
- Match the number.
- Choose Approve.
- Provide their PIN or biometric.
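To make the two ideas above concrete (a credential that is a device-bound key rather than a password, and a number match that the device must get right), here is an added example that models the exchange between the sign-in page and the phone. It is illustrative code written for this article, not Microsoft's implementation or the Authenticator app's protocol: an Ed25519 key pair stands in for the device key, the user name and nonce size are assumptions, and the PIN or biometric unlock is represented only by the fact that the private key never leaves the Device value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for the phone running the Authenticator app. The key pair is
// generated on the device and the private key never leaves it; on a real phone
// the PIN or biometric gates access to it before any signature is produced.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}

// Challenge is what the sign-in page produces for one attempt: a fresh random
// nonce and the two-digit number the page displays for the user to match.
type Challenge struct {
	Nonce  []byte
	Number uint8
}

// Server stands in for the identity provider. It keeps the registered public
// key per user and the challenge of any sign-in in progress. It never holds a
// password or a private key, so there is nothing here for a phisher to reuse.
type Server struct {
	registered map[string]ed25519.PublicKey
	pending    map[string]Challenge
}

func NewServer() *Server {
	return &Server{
		registered: make(map[string]ed25519.PublicKey),
		pending:    make(map[string]Challenge),
	}
}

// Register binds a device's public key to the account (the QR-code step).
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.registered[user] = pub
}

// StartSignIn creates the challenge; Number is what the page shows the user.
func (s *Server) StartSignIn(user string) (Challenge, error) {
	if _, ok := s.registered[user]; !ok {
		return Challenge{}, errors.New("no device registered for user")
	}
	buf := make([]byte, 33) // 32 bytes of nonce (assumed size) plus one byte for the number
	if _, err := rand.Read(buf); err != nil {
		return Challenge{}, err
	}
	// The slight modulo bias is acceptable for a two-digit display value.
	c := Challenge{Nonce: buf[:32], Number: buf[32] % 100}
	s.pending[user] = c
	return c, nil
}

// signedMessage binds the nonce to a number; the nonce is fixed-length, so
// appending the single number byte is unambiguous.
func signedMessage(nonce []byte, number uint8) []byte {
	return append(append([]byte{}, nonce...), number)
}

// Approve is the user tapping Approve after typing the number they see on the
// page and unlocking the app. The device signs the number the user typed, not
// the number the server sent, so a blind approval with the wrong number fails.
func (d *Device) Approve(c Challenge, typedNumber uint8) []byte {
	return ed25519.Sign(d.priv, signedMessage(c.Nonce, typedNumber))
}

// CompleteSignIn checks the signature against the registered key and the number
// the page displayed. The challenge is consumed whether or not the check
// succeeds, so a captured signature cannot be replayed.
func (s *Server) CompleteSignIn(user string, sig []byte) error {
	c, ok := s.pending[user]
	if !ok {
		return errors.New("no sign-in in progress")
	}
	delete(s.pending, user)
	if !ed25519.Verify(s.registered[user], signedMessage(c.Nonce, c.Number), sig) {
		return errors.New("signature invalid or number mismatch")
	}
	return nil
}

func main() {
	srv := NewServer()
	phone, _ := NewDevice()
	srv.Register("alice@example.edu", phone.Pub) // constructed sample account
	c, _ := srv.StartSignIn("alice@example.edu")
	fmt.Printf("page shows %02d; user types it in the app\n", c.Number)
	fmt.Println("correct number:", srv.CompleteSignIn("alice@example.edu", phone.Approve(c, c.Number)))
	c, _ = srv.StartSignIn("alice@example.edu")
	fmt.Println("wrong number:", srv.CompleteSignIn("alice@example.edu", phone.Approve(c, (c.Number+1)%100)))
}
```

Three things fall out of the model that the prose only states: an attacker who knows the password has no key to sign with, so the server rejects them; an approval with the wrong number is rejected even though it came from the right phone, which is what stops "approve whatever pops up" attacks; and a recorded approval is useless a second time because the nonce is single-use.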
Getting Started
You’ll need two things to get started:
- A computer with Internet access
- An iPhone or Android smartphone
Step 1 – Get the App
- From your smartphone, go to either the App Store or Google Play Store, depending on your device
- Search for the Microsoft Authenticator app
- Select the app to ensure that it is the one published by Microsoft Corporation, then download and install it
- There is no cost for the app, but you may be prompted for credentials to download it. These are your Apple ID or Google account credentials for the app store, not your USJ credentials
- Once the app is installed, open the App
- Wait at this screen on your phone, and proceed to Step 2 from your computer
Step 2 – Add the App to your sign-in options in O365
- Sign in to Office 365 in the web browser of your choice at myoffice.usj.edu
- This sign-in uses your USJ email address and password
- At the main O365 page, click on the Me menu (the circle with your initials or picture in the upper right of the screen), then click View Account
- Under Security Info, click Update Info
- Sign in again if prompted
- Choose Add Method, then select Authenticator App from the dropdown
- Follow along with the setup wizard, and complete the steps it asks you to do on the phone
- If prompted, allow notifications. Then add an account, and select "Work or school".
- When your phone prompts you to choose, select Scan QR code, then scan the generated code with your phone camera
- After you scan the code, you will see the entry for USJ appear in your Authenticator App. On the webpage, click Next to continue
- The system will send a test notification to your app; approve it to confirm the app is working
- In the webpage, click Next again to close the popup and return you to the Security Options page
Step 3 – Change your default sign-in method and enable Passwordless Sign-in
- On the Security Info webpage in O365, above your listed sign-in methods you will see the Default Sign-In Method setting
- Click the Change button to the right of the current default method, then choose Microsoft Authenticator – notification from the dropdown and Confirm
- In the App on your phone, click on the University of Saint Joseph entry to open its settings
- Choose the Enable phone sign-in option, then press Continue
Your phone and account are now set up to use MFA and passwordless sign-in on all sites that support it.
Testing Sign in
You can test the sign-in by opening a new web browser window and navigating to a site that requires your USJ credentials, such as Blackboard at bb.usj.edu. You will now see a sign-in box similar to: