Multi-Factor Authentication Guide

A guide to Multi-Factor Authentication for when accessing University services such as your email account Staff iD, Oracle Finance and MyHub.

Sections: What changes? | Setup your account | Moving to a new phone | Phone sign in | Police Advice

Introduction

Multi-factor authentication (‘MFA’) helps secure your University account and data from attackers. MFA adds an additional layer of security (something you have, e.g. a mobile phone) to your account to ensure that it’s you using your account.

MFA is required off campus to access to University services such as Office 365, Oracle Finance & MyHub.  Whilst on campus you will not be prompted for MFA.

MFA works best by setting up the Microsoft Authenticator app on your mobile phone as this is something most people normally carry with them. Additionally, please consider adding your personal and office phone numbers when setting up MFA on your account in the event of your primary method of access is unavailable. If you do not have a phone, IT Services can provide physical tokens (like credit cards / key fobs).

IT Services recommends the Microsoft Authenticator App for the best,
and most secure, user experience for your work and key personal accounts. 

Please add all sign in methods available to you, so that you don't get locked out.

Even with MFA enabled, please check addresses of web sites used to enter your account details. Malicious people are making copies for website that look very familiar to try and dupe people.

Remember that we will never send an email containing a link asking you to alter or verify your personal details so if you receive one please take advice before doing anything with it. Contact the sender (not by email), or get in touch with IT Services: ring +44 (0)1332 591234, live chat: https://itservicecentre.derby.ac.uk
Or raise a ticket: https://itservicecentre.derby.ac.uk
 or follow the "IT Services" link under "Professional Services" on the Staff iD home page.

What changes will I see?

Once setup, you may be asked to verify your sign in when off campus, after you have entered your username and password. The chosen sign in method below is via the app and you will need to click approve on the app to sign in. The system can also be setup to receive a text method, with a 6 digit code, or phone call, where you will need to press the # key (hash or pound) on your phone.

You are able to 'Sign in another way' to use a different sign in method. If you have no signal on your phone, then select 'Use a verification code from my mobile app'. This allows you to enter the 6 digit code from the app that changes every 30 seconds.

After entering your MFA details, selecting 'Stay signed in' will reduce the number of times you are asked to sign in. Don't do this on a public computer!

You may receive a message to say that suspicious activity has been detected. When visiting a website secured by your University ID, you may get message to verify your account after you have entered your password.

This will give you a range of options you have setup to do this:

The system will confirm it has sent a request:

Setup your account

1. Upon MFA being enabled on your account, you will see this message when visiting Staff iD or by directly going to sites such as office.com:

2. Clicking ‘Next’ will allow you setup the first authentication method.
The easiest and most secure way to setup MFA is with Microsoft Authenticator, an app for your smartphone. However, if you wish to use a text message or phone call, click “I want to set up a different method”. The text message, will contain a six-digit code, or the automated phone call may ask you to press the # key on your phone (the folks in the USA call this the pound button). 

On your phone, install the 'Microsoft Authenticator app' from the Apple App Store or Google Play Store. Make sure you allow access to the camera and allow notifications.

3. Click ‘next’:

4. On your phone, select the '+' to add a 'Work or school account'. This will bring up the 'Scan QR code' screen, using your camera to scan the QR code on your computer.

5. After a few seconds, the notification will be approved.

6. You're all set. However, before you go, it's worth adding additional sign in methods, so that you are not locked out of your account. These include your mobile phone number and office phone.

To do this, visit Staff iD, | click on your initials / photo (top right) | View account | Security info

Once here, please add as many methods as you can, by selecting 'Add method', the 1st arrow above. For staff, please ensure that your Office phone is selected so that you can get into your account when at work, for example if you need to update your mobile phone number.

Once setup, you can change the default option.

7. Lastly, please backup the data on your Authenticator app. This will allow you to move the information to a new phone.

Before you can back up your credentials, you must have:

• A personal Microsoft account to act as your recovery account.

• For iOS only, you must have an iCloud account for the actual storage location.

To turn on cloud backup for iOS devices

• On your iOS device, select Settings, select Backup, and then turn on iCloud backup.

  Your account credentials are backed up to your iCloud account.

  

To turn on cloud backup for Android devices

• On your Android device, select Settings, select Backup, and then turn on Cloud backup.

  Your account credentials are backed up to your cloud account.

  

Recover your account credentials on your new device

You can recover your account credentials from your cloud account, but you must first make sure that the account you're recovering doesn't exist in the Microsoft Authenticator app. For example, if you're recovering your personal Microsoft account, you must make sure you don't have a personal Microsoft account already set up in the authenticator app. This check is important so we can be sure we're not overwriting or erasing an existing account by mistake.

To recover your information

1. On your mobile device, open the Microsoft Authenticator app, and select Begin recovery from the bottom of the screen.

   

2. Sign in to your recovery account, using the same personal Microsoft account you used during the backup process.

   Your account credentials are recovered to the new device.

After you finish your recovery, you might notice that your personal Microsoft account verification codes in the Microsoft Authenticator app are different between your old and new phones. The codes are different because each device has its own unique credential, but both are valid and work while signing in using the associated phone.

Phone sign in

Phone sign in allows you to sign in to your account without typing your password. This uses the security on your phone to prove it's you. To enable this:

1. Go to your Microsoft Authenticator app on your phone.
2. Select your account | Enable phone sign-in.
   
3. You will see a screen that confirms you device is registered and you have a passcode.
   
4. Select continue and you will be asked to 'Approve sign-in'
5. That's it! Next time you sign in to a supported website, eg https://staff.derby.ac.uk, you will be asked to 'Approve sign in' with a number.
   
   On your phone, confirm the correct number.
   If you are asked to enter your password, select 'Use an app instead'. You can always use your password if required.
   

To disable:
If you don't need to use phone sign-in, you can turn it off by going to the Microsoft Authenticator App | your account | Disable phone sign-in

Notes:

Your device needs to have the company portal installed and a passcode / biometrics configured.
You can only have one account with passwordless enabled.
If you selected 'Stay signed in?', you will need to sign out and back in again.
If notifications don't appear to arrive in the Authenticator App, select the three lines (top left) and 'Check for notifications'.

Police Advice

A word from Jodie Nevin, Derbyshire's Cyber Protect Police Officer: Major data breaches occur regularly affecting millions of people. The information that's breached (usually includes username and passwords) can be stolen and used by cyber criminals to access user accounts, or commit further criminal activity. Also, passwords alone can be easily guessed or compromised through phishing or hacking, especially if using weak passwords or information which can be easily found online doing a bit of research on social media and other sources.

As more personal information finds its way to online applications, privacy, and the threat of identity theft is increasingly a concern. MFA could include: Something you know (security question) Something you have (one time security code sent as a text message to your trusted mobile device, or through an authenticator app) Something you are (biometrics: facial recognition, fingerprints) Increasingly, accounts are using somewhere you are as a form of authentication. Multi-factor authentication (MFA) should be added to all your accounts wherever possible to add another layer of security and reduce the risks associated with compromised passwords. If a password is hacked, guessed, or phished, a cyber criminal wouldn’t be able to access as wouldn’t have the additional factor, making the stolen password alone useless. If your accounts don’t support MFA consider replacing with those that do or if you must continue using, make sure you create strong and unique passwords. All staff have MFA enabled on their account and the University is currently gearing up to enable MFA for all student accounts. If any students would like MFA as a priority, please ask them to speak to IT Services to request MFA be added to their University accounts to help protect their account and the organisation against password cyber attacks.