MS Authenticator

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (MFA) is widely adopted as a way to tighten security when logging in to major or sensitive systems. It requires the user to provide something they know (e.g. a password) and something they have (e.g. a registered mobile phone). This means that when you log in to certain online services, you will be asked to provide your password and then confirm your identity through a separate channel, such as an SMS, a phone call or a designated device like your mobile phone.

This additional identification step will block hackers from logging in to your account even when your password is compromised or leaked. You will also be notified when someone tries to log in with your password. As a result, information in systems covered by MFA is better protected. MFA is commonly deployed in universities as well as in Internet banking. At EdUHK, a test run of Microsoft's Multi-Factor Authentication for O365 services started in Jan 2019. We plan to implement MFA in all information systems for all staff in the near future.



How does it work?

When you access services covered by MFA:

  1. Enter your username and password.
  2. Use your designated device (e.g. your mobile phone or tablet) to verify your identity as the second verification step.
  3. You are securely logged in.

After you have enrolled in multi-factor authentication, you will need to log in using your username and password and then verify your identity with your designated device to access the service or application covered by MFA.

The second step verification can be done through one of the following:

  • Mobile app on a mobile device (This is highly recommended as you can bring your mobile with you wherever you go.)
  • SMS with a verification code to a registered phone number, either mobile or landline.
  • Phone call to a registered phone number, either mobile or landline.



How to enable the MFA for O365 services via the Microsoft Authenticator app?

It is crucial that all staff members use MFA to log in to major and sensitive systems. Setting up the MFA feature takes only a few moments. Users should follow the setup procedures below.


- Checklists

  1. Update your clients to a version which supports modern authentication. Supported clients (OS: Office / Mail clients) include:
    Windows OS: Office 2016
    Mac OS: Outlook 2016 for Mac
    iOS: iOS 11 or above + native mail client (bundled in iOS) / Outlook App
         iOS 10 or above + Outlook App
    Android OS: Android 6 or above + Outlook App (Note: native mail client is NOT supported)
  2. The user account must be enabled by OCIO to use MFA. (Users will be notified separately.)
  3. A designated mobile device with ‘Microsoft Authenticator’ app installed.



Install and configure MFA Mobile App for O365 services

Please follow the procedures below to install the MFA app (Microsoft Authenticator) and turn on notifications for this app:

Get the "Microsoft Authenticator" app for your system: Apple App Store / Google Play Store


- Steps to configure MFA

Though it may take a moment, you only need to configure it once. Click here for the instructions on video or follow the steps below:

  1. Log in to O365 on a web browser.
  2. You will then see the following screen. Click “Next”.
    Office 365 sign in

  3. Choose “Mobile app” as the primary verification media.
  4. Select “Receive notifications for verification” and click “Set up”.
    MFA setup

  5. When you see the following screen, open the Microsoft Authenticator app on your mobile.
    MFA configure with QR code

  6. Click “+” to add an account and choose “Work or school account”.
    Add account on Authenticator app

  7. Scan the QR code on the computer. You will be shown a six-digit code and your account is added.
    Scan QR code from Authenticator app

  8. Click “Next” on your computer and wait for the configuration to complete.
  9. You will then receive a notification on your mobile.

  10. Click “Approve” on the app as the second step of verification.

  11. Complete the setup procedure as instructed on the computer.
    MFA configure with QR code


- Do I need to approve every login?

You will not be asked to approve every time you log in to desktop software or applications (e.g. Outlook, Outlook app for mobile, Skype for Business, and OneDrive sync client). Once you have successfully logged in to the software on your office PC, the approved session will continue to be valid unless it is inactive for 90 days, meaning you have not logged in for 90 days.

However, if you access O365 using a browser, you have to approve the login on your app every time you sign in. There is an option called "Stay signed in", but it is not recommended, especially when you are using a shared or public computer.


- What if I do not have my mobile with me when logging in, or I want to change the MFA verification method?

You can switch to authenticating via a different device. Please see FAQ: Can I change the MFA verification method for O365?



How to access Outlook Web App (OWA) with MFA

Once you have configured MFA with the Microsoft Authenticator app, you can access Office 365 services with MFA using your phone as a security token. For details, please visit FAQ: Using Outlook Web App (OWA) with MFA.



What if the email client software I use does not support MFA?

If the software you use (e.g. Thunderbird mail client) does not support modern authentication like MFA, you need to generate an "App Password" for authentication. Please visit FAQ: Create an app password for non-browser clients for details.



Applications currently covered by MFA at EdUHK

Currently, MFA is implemented in Office 365 services (e.g. email, OneDrive, Skype for Business) for staff and the rollout will be done on a departmental basis. OCIO will notify colleagues when MFA is enabled. We plan to implement MFA in all information systems for all staff in the near future.



Note: If you have any questions about Multi-Factor Authentication (MFA), please visit the FAQ or Microsoft Two-step verification Help for details.