A change is being made to how we do Multi-Factor Authentication (MFA) here at Utah Tech.
What is MFA?
MFA is when you use something in addition to a password to authenticate to a system, usually your phone. MFA is a current best practice for protecting accounts from compromise. You’ve likely seen banks and other online services providing this functionality to better protect customer accounts. If you're currently using it, you likely interact with a Push notification, receive a text message with a number or code, or have to enter a one-time password (OTP) from an app such as Google Authenticator.
What if I'm already using DUO?
We have previously been utilizing DUO to provide MFA for full-time employees, using either a smart phone or a hardware token. However, it has now become necessary to two-factor ALL employees and ALL students and it is cost prohibitive to continue to use DUO for everyone. Starting Feb. 1st, we will be migrating to use Microsoft’s MFA solution. Employees will be enrolled during February, and students will start being enrolled on March 1st.
What methods are supported with Microsoft's MFA?
The new solution will give us more flexibility, and you’ll now be able to authenticate via the Microsoft Authenticator mobile app (the easiest method), with another "authenticator" app such as Google Authenticator, by text message, by phone call, by email, or with a FIDO2 hardware token.
Who will be enrolled?
ALL employees and ALL current students will be enrolled. Starting Feb. 1st employees will be enrolled and students will start being enrolled on March 1st.
How will I know it's time?
A rolling migration will begin on February 1st for employees and on March 1st for students. This means that we will turn it on for a certain number of employees/students each day until it is enabled for everyone. Unfortunately, you won't know ahead of time which day your account will be enabled. The way you will know is that the next time you authenticate after having it enabled, it will prompt you to enroll.
What do I do with DUO?
Once you're enrolled in Microsoft's MFA, you will no longer need DUO for authenticating to UT systems. However, you may have DUO configured for MFA for other systems, so don't delete the app if you use it for other accounts.
DUO hardware tokens will not work with Microsoft MFA. Since there are now additional methods available such as another "authenticator" app like Google Authenticator, text, phone call, and email, the need for a token is practically eliminated. If you wish to continue to use a hardware token, please contact the IT Help Desk and let them know that you would like to use a hardware token to do MFA. This requires additional configuration for your account and allows us to schedule a time with you to deliver your token. The cost of the token will be charged back to your department, so please get approval from your Budget Administrator for a $25-$30 charge.
Which method should I use?
We recommend using the Microsoft Authenticator app as it is the easiest to use and supports other features that we’ll be enabling in the future, such as password-less logins and an easier way to do password resets. The Microsoft Authenticator app is free and gives you the best experience for our UT systems. Other "authenticator" apps can be used to generate one-time passwords (OTPs) but the Microsoft app provides the most functionality. Make sure you download the official Microsoft app as there are a number of “authenticator” apps available for download. It's the one that looks like this .
What if I don't have a phone?
If you don't have a mobile device that supports the app, and you don't have a phone that can receive a text message or receive a phone call, and you don't have access to an email account, then you can opt to use a hardware token that plugs into your computer. Existing DUO hardware tokens will not work, so a new token will need to be purchased. If you wish to use a hardware token, please contact the IT Help Desk and let them know that you would like to use a hardware token to do MFA. This requires additional configuration for your account and allows us to schedule a time with you to deliver your token. The cost of the token will be charged back to your department, so please get approval from your Budget Administrator for a $25-$30 charge.
What if I don't have access to any of my MFA methods?
If you don't have access to any of your methods, for example, you forgot your phone at home, you can contact the IT Help Desk, 435-879-4357, and they can give you a temporary code that is good for eight (8) hours.
Should I add another method?
It is recommended to set up at least one other method so you can still MFA if your default method isn't available. This KB article shows how to add other methods for MFA.
How do I configure a default method?
You can configure a default MFA method for convenience. This method will automatically be used when MFA is needed instead of prompting you which method to use every time. This KB article shows how to set a default method.
How do I use a hardware token to authenticate to UT systems?
If you want to use a hardware token, this KB article shows you how to use it to authenticate.
What does the enrollment process look like?