MFA on O365
What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) is widely adopted as a way to tighten security during login to major or sensitive systems. It requires the user to provide something they know (e.g. a password) and something they have (e.g. a registered mobile phone). This means that when you log in to certain online services, you will be asked to provide your password and confirm your identity through a separate medium such as SMS, a phone call or a designated device like your mobile phone.
This additional identification step will block hackers from logging into your account even when your password is compromised or leaked. You will also be notified when someone tries to log in with your password. As a result, information in systems covered by MFA is better protected. MFA is commonly deployed in universities as well as in Internet banking. At EdUHK, a test run of Microsoft's Multi-Factor Authentication for O365 services started in Jan 2019. We plan to implement MFA in all information systems for all staff in the near future.
How does it work?
When you access services covered by MFA:
- Enter username and password.
- Use your designated device to verify your identity (e.g. your mobile phone or tablet) as the second verification step.
- You are securely logged in.
After you have enrolled in multi-factor authentication, you will need to log in using your username and password and then verify your identity with your designated device to access the service or application covered by MFA.
The second step verification can be done through one of the following:
- Mobile app on a mobile device (this is highly recommended as you can bring your mobile with you wherever you go).
- SMS with verification code to a registered phone number, either mobile or landline.
- Phone call to a registered phone number, either mobile or landline.
How to enable the MFA for O365 services via the Microsoft Authenticator app?
It is crucial that all staff members use MFA to log in to major and sensitive systems. Setting up the MFA feature takes only a few moments. Users should then follow the setup procedures below.
- Update your clients to a version which supports modern authentication. Supported Office / mail clients, by OS:
  - Windows OS: Office 2016
  - Mac OS: Outlook 2016 for Mac; Mail app on macOS Mojave (10.14.x)
  - iOS: iOS 11 or above + native mail client (bundled in iOS) / Outlook App
  - Android OS: Android 6 or above + Outlook App (Note: native mail client is NOT supported)
- The user account must be enabled by OCIO to use MFA. (Users will be notified separately.)
- A designated mobile device with ‘Microsoft Authenticator’ app installed.
Install and configure MFA Mobile App for O365 services
Please follow the procedures below to install the MFA app, Microsoft Authenticator, and turn on notifications for this app:
- Setting up Microsoft Authenticator app on mobile device.
- Do I need to approve every login?
You will not be asked to approve every login to desktop software or applications (e.g. Outlook, Outlook app for mobile, Skype for Business, and OneDrive sync client). Once you have successfully logged in to the software on your office PC, the approved session will continue to be valid unless it is inactive for 90 days, meaning you have not logged in for 90 days.
However, if you access O365 using a browser, you have to approve the login in your app every time you sign in. There is an option called "Stay signed in", but it is not recommended, especially when you are using a shared or public computer.
- Ways to verify your identity
Once your account has been enabled to use multi-factor authentication for Office 365, the easiest verification method to use is Microsoft Authenticator as a security token. It's just one click instead of typing in a 6-digit code. And if you travel, you won't incur roaming fees when you use it.
If you are looking for other possible ways to verify your identity, please visit FAQ: How many ways I can use to verify my identity for Microsoft MFA? for details.
- What if I do not have my mobile with me when I log in, or I want to change the MFA verification method?
You can switch to authenticating via a different device. Please see FAQ: Can I change the MFA verification method for O365?
How to access Outlook Web App (OWA) with MFA
Once you have configured MFA with the Microsoft Authenticator app, you can access Office 365 services with MFA using your phone as a security token. For details, please visit FAQ: Using Outlook Web App (OWA) with MFA.
What if the email client software I use does not support MFA?
If the software you use (e.g. Android's native email client, Thunderbird mail client) does not support modern authentication like MFA, you need to generate an "App Password" for authentication. Please visit FAQ: Create an app password for non-browser clients for details.
Applications currently covered by MFA at EdUHK
Currently, MFA is implemented in Office 365 services (e.g. email, OneDrive, Skype for Business) for staff, and the rollout will be done on a departmental basis. OCIO will notify colleagues when MFA is enabled. We plan to implement MFA in all information systems for all staff in the near future.