Microsoft 365 Multi-Factor Authentication

One of our campus’s largest attack vectors is through collaboration services; especially email accounts using older protocols. MFA adds an additional layer of security, making it harder for attackers to log in as if they were you. Your information is safer because thieves would need to steal both your password and your phone to access services protected by MFA. MFA has been shown to block 99.9 percent of compromised-credential attacks, which in turn will help to safeguard the university’s data, finances, and reputation.

Multi-factor authentication (MFA) is a simple way to increase account security by requiring multiple forms of verification to prove your identity when signing into an application. This is generally something you know, like a password, and something you have, like a personal phone. Many institutions and applications use some form of MFA to login, especially when using a new device. Microsoft 365 multi-factor authentication will increase the protection on all Microsoft 365 services and applications, including Office desktop applications, email, Teams, OneDrive, and Sharepoint. For your convenience, your sign-in session on your regular devices will not require you to login or use multi-factor often, but it will protect your account if any suspicious attempts to login are detected. 

Yes, everyone using CU Boulder's Microsoft 365 instance will be required to use MFA. 

Multi-factor authentication ensures that users are who they say they are by requiring that they provide two pieces of evidence to prove their identity. This is generally something you know, like a password, and something you have, like a personal phone. Since mobile phones are so ubiquitous and we seldom go anywhere without one, they are the most popular choice for multi-factor authentication. If using a mobile phone isn’t an option for you, please contact the IT Service Center to discuss other options. 

Both CU Boulder and Microsoft are not permitted to use this information for marketing, tracking, or data mining purposes. We have contractual agreements with Microsoft that protect your personal information. Your phone number will only be used to validate that you are who you say you are when using the Microsoft 365 services. MFA is an additional security measure that is designed to protect your personal information.

FIDO2 tokens are physical devices that provide a second factor during the multi-factor authentication process. They may be a good option if you are unable to use a mobile phone for MFA. 

Please note that OIT cannot provide support for the use of FIDO2 tokens – it is your responsibility to purchase, configure, and keep track of your token. Before purchasing a token, it’s recommended to review Microsoft’s FIDO2 token requirements.

If you decide to use FIDO2 tokens, it is highly recommended to register a backup method, such as a phone, in addition to your token in case you misplace it. Learn how to edit backup methods for MFA in the beginning of our registering and using the authenticator app tutorial.

To give campus users the right balance of security and ease of use, we've enabled a setting which takes into account many factors to determine if a login attempt is suspicious or not. If you mostly access Microsoft apps using the same devices and patterns, you should rarely if ever be prompted with MFA. However, if you frequently travel internationally, log in to your Microsoft apps and email on these trips or use public computers or kiosks, you could expect to be prompted on a higher frequency that corresponds to these activities which appear to be more risky.

Before using the Authenticator app, OIT recommends registering a phone number for authentication. If you only use the authenticator app you may be locked out of your account temporarily if you lose or replace your mobile phone. 

Once a phone number is registered, use OIT's instructions registering and using the authenticator app. You can download the Authenticator app directly from Microsoft's Authenticator App page.

On the 14th day you will be required to register at least one device (a phone, the Authenticator App or FIDO2 token) before being allowed to login to Microsoft applications. 

The most recent groups to have MFA enabled were CU Boulder students and alumni on April 8. Learn more about this enrollment window. 

If you're unable to log in or change your authentication information (see How can I update my phone number or change authentication preferences? below), please contact the IT Service Center at 303-735-4357 or oithelp@colorado.edu for assistance resetting MFA.

There are several ways to update or change your authentication information:

• Log in to Microsoft 365 then go to the Additional Security Verification page to change or register a security verification option.
• You can also log in to Microsoft 365, open your account information, then click security info settings. These steps are outlined in both the register and set up MFA and set up the Microsoft authenticator app tutorials. 
• Visit Microsoft's additional security verification or change two factor verification and settings help pages for additional information. 

OIT recommends configuring the Microsoft Authenticator App in case your country code is not available. However, when enrolling your device, you’ll find that there is a comprehensive list of international calling codes that are available to select from.