Options for Second Factor of Authentication

What are Factors?

At myprofile.microsoft.com you must set up at least one secondary factor for authentication. Your first factor is your password, which is something you know. The second factor should be something you have.

This second factor prevents hackers from accessing your accounts by simply knowing, stealing, or cracking your password. It is an extra layer of security that has been in place with financial institutions and Apple’s iCloud, and is being expanded to many more applications such as Microsoft accounts, Twitter, Facebook, etc.

A single second factor can be used, but it is recommended that additional second factors are defined and used where available.  These additional second factors will provide flexibility when you are presented with the MFA prompt, as you can override the default and choose one of the alternate methods, if available.

Option: Phone – Text me a code

How: An SMS text message containing the six-digit code will be sent to the mobile phone number provided.  This code is the second factor required at the sign-on prompt.

For: Will work anywhere you have your mobile phone.  No data plan is required.

Against: If you cannot accept a text message or are in a location where you cannot accept an incoming text message at no charge (depending on your mobile phone plan), this is not a good option.

 

Option: Authenticator App on Your Mobile Phone

Installation: Download the Microsoft Authenticator app to your phone. You will need to be at a computer and have your mobile phone with you to set up this option. Go to myprofile.microsoft.com on your computer (not the smartphone) and follow the instructions. You will be prompted to scan the QR code presented on your computer screen using the authenticator app.

Case: with data or WiFi

How: Once this is set up, when the second factor is needed, you are prompted to accept or deny the sign-on from your phone. Note that you will need an iOS or Android mobile device that can install apps.

For: Easy to use, no code is needed. The second factor is just a tap on your phone.

Against: If your phone does not have a data connection (e.g. remote location or limitation of your calling plan), this will not work. (See the next Case for more information.)

 

Case: without data or WiFi

How: Once this is set up, when the second factor is needed, you will launch the Authenticator app on your phone, and it will show you the current valid six-digit code for your account. No data is needed; this will work even when the device is in airplane mode. When you sign on to an MFA-secured application, it will try to send a message to the Authenticator app. When you are not connected to the Internet, follow these steps:

  1. When the window "We've sent a notification..." appears, click on the "Sign in another way" link.
  2. In the "Verify your identity" window, select "Use a verification code from my mobile app".
  3. Open the Microsoft Authenticator app on your smartphone and enter the six-digit code displayed into the "Enter code" prompt.

For: Works anywhere you have your device. As long as it has power, you can access the code.

Against: You need to have an iOS or Android mobile device where you can install apps.

Option: Security Key Hardware

How: Use an approved Microsoft security key purchased through an electronics retailer. Program it using the steps outlined in "FIDO2 Security Key for Windows".

For: No phone is required; a security key is portable and will work anywhere. Assistance from IT Services may not be required if you have another MFA option.

Against: Purchase cost involved. If authorized by the responsible budget authority, the cost may be covered by the local department.

Option: Windows Hello for Business

How: If you are using a university-owned device that is enrolled for device administration, and your PC is equipped with a TPM 2.0 chip, you can use that device as the second factor along with its PIN or a biometric input.

For more information, see this article:

For: Does not require a mobile phone, or any additional prompts or input. Your Windows sign-on unlocks all MFA enabled applications through that device.

Against: Access is only from this device. Device must be under device administration and meet University compliance policies.

Option: Phone – Call Me

THIS OPTION IS NO LONGER AVAILABLE AS OF JULY 2023!!

How: An automated voice call is made to the phone number you provide. Answer the call and follow the prompts to authenticate.

For: This can be your home phone or cell phone.  If you only access your computer from home and have no cell phone, this is a good option.

Against: The phone number must be input ahead of time, so it would not be suitable for hotels, Internet cafes, or other roaming locations.

Note: We recommend that you do not use your office phone if you intend to work remotely.


[1] You can use any OATH TOTP token with a 30- or 60-second refresh that has a secret key of 128 characters or less.

 

Option: MFA Token (Hardware)

THIS OPTION IS NO LONGER AVAILABLE. REPLACED WITH HARDWARE KEY. 

How: Use an approved MFA token that displays a 6-digit code upon the press of a button.[1] These tokens can be bought online through the University for $20 each including tax. Once the MFA token is purchased, come to the IT Service Desk in the lower level of the University Computer Centre (UCC) during University business hours with a copy of your purchase email. The IT Service Desk will give you an MFA token as well as help you get it programmed and connected to your account. Additional information on this programming service can be found at www.uwindsor.ca/mfatoken.

For: No phone is required; the token is portable and will work anywhere. If you can set it up yourself, it will not require any assistance from IT Services.

Against: A one-time programming step using a card reader is required, and there is a nominal purchase cost involved.  If authorized by the responsible budget authority, the cost of this token may be covered by the local department.

Details

Article ID: 97614
Created: Thu 2/6/20 4:21 PM
Modified: Fri 8/18/23 5:08 PM
