Skip to main content

Microsoft 365 Multi-Factor Authentication

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) increases account security by requiring multiple forms of verification to prove your identity when signing into an application. CU Boulder faculty, students, and staff can now securely log in and use Microsoft 365 with MFA. 

How to use Microsoft 365 MFA

When registering for MFA, enter a phone number to receive a text message or phone call. After registering with a phone, you can install the Microsoft Authenticator Mobile App which allows you to click a button on your phone or smart watch to quickly and easily login, when prompted. 

Upon your next login to Microsoft 365, you will be prompted to register for multi-factor authentication. Follow the Register and set up MFA instructions for step-by-step instructions for registering. For additional information, please see our Multi-Factor Authentication FAQ.

Please note: After your account is enabled for MFA you may be prompted to re-authenticate to multiple Microsoft 365 servers (e.g. Teams, Outlook, etc.).

Multi-Factor Authentication FAQ

Why is CU Boulder using MFA?

One of our campus’s largest attack vectors is through collaboration services; especially email accounts using older protocols. MFA adds an additional layer of security, making it harder for attackers to log in as if they were you. Your information is safer because thieves would need to steal both your password and your phone to access services protected by MFA. MFA has been shown to block 99.9 percent of compromised-credential attacks, which in turn will help to safeguard the university’s data, finances, and reputation.

What is Multi-Factor Authentication?

Multi-factor authentication (MFA) is a simple way to increase account security by requiring multiple forms of verification to prove your identity when signing into an application. This is generally something you know, like a password, and something you have, like a personal phone. Many institutions and applications use some form of MFA to login, especially when using a new device. Microsoft 365 multi-factor authentication will increase the protection on all Microsoft 365 services and applications, including Office desktop applications, email, Teams, OneDrive, and Sharepoint. For your convenience, your sign-in session on your regular devices will not require you to login or use multi-factor often, but it will protect your account if any suspicious attempts to login are detected. 

Am I required to use MFA?

Yes, everyone using CU Boulder's Microsoft 365 instance will be required to use MFA. 

Why should I have to use my personal phone for this, when CU Boulder doesn’t pay for it?

Multi-factor authentication ensures that users are who they say they are by requiring that they provide two pieces of evidence to prove their identity. This is generally something you know, like a password, and something you have, like a personal phone. Since mobile phones are so ubiquitous and we seldom go anywhere without one, they are the most popular choice for multi-factor authentication. If using a mobile phone isn’t an option for you, please contact the IT Service Center to discuss other options. 

I have concerns about sharing my phone number with Microsoft. What happens with the information I share through MFA?

Both CU Boulder and Microsoft are not permitted to use this information for marketing, tracking, or data mining purposes. We have contractual agreements with Microsoft that protect your personal information. Your phone number will only be used to validate that you are who you say you are when using the Microsoft 365 services. MFA is an additional security measure that is designed to protect your personal information.

Can I use YubiKeys or other FIDO2 tokens with MFA?

FIDO2 tokens are physical devices that provide a second factor during the multi-factor authentication process. They may be a good option if you are unable to use a mobile phone for MFA. 

Please note that OIT cannot provide support for the use of FIDO2 tokens – it is your responsibility to purchase, configure, and keep track of your token. Before purchasing a token, it’s recommended to review Microsoft’s FIDO2 token requirements.

If you decide to use FIDO2 tokens, it is highly recommended to register a backup method, such as a phone, in addition to your token in case you misplace it. Learn how to edit backup methods for MFA in the beginning of our registering and using the authenticator app tutorial.

How often should I expect to be prompted to use MFA once registered?

To give campus users the right balance of security and ease of use, we've enabled a setting which takes into account many factors to determine if a login attempt is suspicious or not. If you mostly access Microsoft apps using the same devices and patterns, you should rarely if ever be prompted with MFA. However, if you frequently travel internationally, log in to your Microsoft apps and email on these trips or use public computers or kiosks, you could expect to be prompted on a higher frequency that corresponds to these activities which appear to be more risky.

Where can I download the Authenticator App?

Before using the Authenticator app, OIT recommends registering a phone number for authentication. If you only use the authenticator app you may be locked out of your account temporarily if you lose or replace your mobile phone. 

Once a phone number is registered, use OIT's instructions registering and using the authenticator app. You can download the Authenticator app directly from Microsoft's Authenticator App page.

What will happen if I haven’t registered during the 14-day registration period?

On the 14th day you will be required to register at least one device (a phone, the Authenticator App or FIDO2 token) before being allowed to login to Microsoft applications. 

The most recent groups to have MFA enabled were CU Boulder students and alumni on April 8. Learn more about this enrollment window. 

I lost my phone and/or got a new device and am unable to authenticate.

If you're unable to log in or change your authentication information (see How can I update my phone number or change authentication preferences? below), please contact the IT Service Center at 303-735-4357 or for assistance resetting MFA.

How can I update my phone number or change my authentication preferences?

There are several ways to update or change your authentication information:

I am an international student or I will be traveling abroad. Which authentication method should I choose?

OIT recommends configuring the Microsoft Authenticator App in case your country code is not available. However, when enrolling your device, you’ll find that there is a comprehensive list of international calling codes that are available to select from.