Configuring Authentication Methods

The authentication options available on the “My Security Info” page in My Profile let users prove their identity using multiple methods, which strengthens account security and provides flexibility during sign‑in or account recovery. Instead of relying only on a password, which can be stolen or guessed, these options (such as the Microsoft Authenticator app or passkeys) add extra verification factors so that access requires something you know, have, or are. This layered approach, commonly called multi‑factor authentication (MFA), significantly reduces the risk of unauthorized access: even if one factor (like a password) is compromised, an attacker cannot sign in without the additional method. Users can also choose or maintain backup methods to ensure they can still access their account if one method is unavailable.

If your account is enabled for MFA, you must set up at least one authentication method in addition to your password. By default, your password is considered your first factor—something you know. The second factor should be something you have (for example, a smartphone) or something you are (such as a fingerprint). While a single additional factor satisfies the MFA requirement, it is strongly recommended to configure more than one. Having multiple authentication methods provides flexibility during sign-in, allowing you to choose an alternate option if your default method is unavailable. When multiple methods are configured, the most secure option will be used as the default in your account profile.

The following authentication methods are currently supported:

NOTE: The "Phone – Text Me a Code" option is no longer secure and is being phased out.

To configure your authentication options for MFA:

  1. Navigate to Microsoft's My Account site (myprofile.microsoft.com) in a web browser and sign in with your UwinID@uwindsor.ca and your UWin Account password.
     
  2. Once signed in, click Security Info on the left.
     
  3. Click the + Add sign-in method button to add an authentication method. You can also use this screen to change or delete one of your existing authentication methods.


    Note that while several authentication options are available, the most secure one will be designated as the default method.

 

Microsoft Authenticator App on Your Mobile Device

Download the Microsoft Authenticator app to your phone. You will need to be at a computer and have your smartphone with you to set up this option. Go to myprofile.microsoft.com on your computer (not the smartphone) and follow these instructions. You will be prompted to scan the QR code presented on your computer screen using the Authenticator app.

Case: with data or WiFi

How: Once this is set up, when the second factor is needed, you are prompted to accept or deny the sign-in from your phone. Note that you will need an iOS or Android mobile device that can install apps.

For: Easy to use, no code is needed. The second factor is just a tap on your phone.

Against: If your phone does not have a data connection (e.g. remote location or limitation of your calling plan), this will not work.  See the next Case for more information.

Case: without data or WiFi

How: Once this is set up, when the second factor is needed, you launch the Authenticator app on your phone, and it shows you the current valid six-digit code for your account. No data is needed; this works even when the device is in airplane mode. When you sign in to an MFA-secured application, it will try to send a message to the Authenticator app. When you are not connected to the Internet, follow these steps:

  1. When the window "We've sent a notification.." appears, click on the Sign in another way link.
  2. In the "Verify your identity" window, select "Use a verification code from my mobile app".
  3. Open the Microsoft Authenticator app on your smartphone and enter the six-digit code displayed into the "Enter code" prompt.

For: Works anywhere you have your device. As long as it has power, you can access the code.

Against: You need to have an iOS or Android mobile device where you can install apps.

FIDO2 Security Key

How: Use an approved Microsoft security key purchased through an electronics retailer. Program it using the steps outlined in FIDO2 Security Key for Windows.

For: No phone is required; a security key is portable and will work anywhere. Assistance from IT Services may not be required if you have another MFA option.

Against: Purchase cost involved. If authorized by the responsible budget authority, the cost may be covered by the local department.

Windows Hello for Business

How: If you are using a university-owned device that is enrolled for device administration, and your PC is equipped with a TPM 2.0 chip, you can use that device as the second factor along with its PIN or a biometric input.

For more information, see this article:

For: Does not require a mobile phone, or any additional prompts or input. Your Windows sign-on unlocks all MFA enabled applications through that device.

Against: Access is only from this device. Device must be enrolled in Intune device administration and meet University compliance policies.

LIMITATION: Windows Hello (by itself) can be multi-factor locally, but it is not always exposed to web apps as a distinct MFA-capable 'passkey authentication event,' so it doesn’t reliably satisfy MFA requirements in browser-based flows. Windows Hello does create a passkey but authentication cannot see it in some scenarios (it’s not treated the same as all the other types of passkeys). 

 
