What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (MFA) tightens security during login by asking for something the user knows (e.g. a password) and something the user has (e.g. a registered mobile phone). This means that when you log in to certain online services, besides your password, you will be asked to confirm your identity by a separate method such as SMS, a phone call or a designated device (e.g. your mobile phone).
This additional identification step blocks a hacker from logging in to your account even if your password is compromised or leaked, and it also lets you know when someone tries to log in with your password without your knowledge. As a result, the information in a system covered by MFA is well protected. MFA is commonly deployed in many universities as well as for Internet banking. At EdUHK, we employ Microsoft's "Multi-Factor Authentication (MFA)". Currently, not all information systems are covered by MFA. We started with staff email on Office 365 and we are planning to implement MFA for all logins if possible.
How does it work?
When you access any services covered by MFA:
- Enter username and password
- Use your physical device to verify your identity (e.g. your mobile phone or tablet)
- You are securely logged in
After you have enrolled for two-factor authentication, whenever you access an application that supports MFA you will need to log in using your username and password and then use your device to verify your identity.
Applications covered by MFA
- Applications to be integrated with Microsoft MFA:
- Office 365 services (e.g. email, OneDrive, Skype for Business).
How to enable the MFA?
It is crucial that all staff use MFA to log in so that we don't leave any back door. OCIO will notify users individually when MFA is enabled. The MFA feature may take from a few minutes to a few hours to become available for use; users should then follow the setup procedures below.
- Clients updated to a version which supports modern authentication (OS: Office / Mail clients):
  - Windows OS: Office 2016
  - Mac OS: Outlook 2016 for Mac
  - iOS: iOS 11 or above + native mail client (bundled in iOS) / Outlook App
  - iOS: iOS 10 or above + Outlook App
  - Android OS: Android 6 or above + Outlook App (Note: native mail client is NOT supported)
- User account must be enabled to use MFA
- An enrolled mobile device with ‘Microsoft Authenticator’ app installed.
Install and configure MFA Mobile App
Please follow the procedures below to install the MFA Mobile App (Microsoft Authenticator):
- Setting up Microsoft Authenticator app on mobile device.
How to access Outlook Web App (OWA) with MFA
Once you have configured MFA with the Microsoft Authenticator app, you can access Office 365 services with MFA using your phone as a security token. For details, please visit Using Outlook Web App (OWA) with MFA.
What if my software does not support MFA?
If you have any software (e.g. Thunderbird mail client) that does not support modern authentication like MFA, you need to generate an "App Password" for authentication. Please visit Create an app password for non browser clients for details.
Do I need to approve every login?
You don't need to approve a login every time you open the desktop software or application (e.g. Outlook, Outlook app for mobile, Skype for Business, and OneDrive sync client). Once you have successfully logged in to the software, the session will remain valid until it becomes inactive in 90 days.
However, if you are accessing services using a browser, you have to approve the login every time you sign in. Alternatively, you can choose "Stay signed in" when logging in through a browser. This will minimize the prompts for sign-in approval, but using the "Stay signed in" option is not recommended on a shared or public computer.