A guide to Multi Factor Authentication (MFA) for accessing University services such as your email account, Staff iD, Oracle Finance and MyHub.
Multi Factor Authentication (‘MFA’) helps secure your University account and data from attackers. MFA adds an additional layer of security (something you have, e.g. a mobile phone) to your account to ensure that it’s you using your account.
MFA is required off-campus to access University services such as Office 365, Oracle Finance & MyHub. Whilst on campus you will not be prompted for MFA.
MFA works best when you set up the Microsoft Authenticator app on your mobile phone, as this is something most people normally carry with them. Additionally, please consider adding your personal and office phone numbers when setting up MFA on your account, in case your primary method is unavailable. If you do not have a phone, DS&S can provide physical tokens (similar to credit cards or key fobs).
DS&S recommends the Microsoft Authenticator App for the best, and most secure, user experience for your work and key personal accounts.
Please add all sign-in methods available to you, so that you don't get locked out.
Even with MFA enabled, please check the address of any website before entering your account details. Attackers make copies of familiar-looking websites to try to dupe people into entering their credentials.
Remember that we will never send an email containing a link asking you to alter or verify your personal details, so if you receive one please take advice before doing anything with it. Contact the sender (not by email), or get in touch with DS&S via live chat: https://itservicecentre.derby.ac.uk
or raise a ticket: https://itservicecentre.derby.ac.uk, or follow the "DS&S" link under "Professional Services" on the Staff iD home page.
What changes will I see?
Once set up, you may be asked to verify your sign-in when off campus, after you have entered your username and password. The sign-in method shown below is via the app: you will need to tap Approve in the app to sign in. The system can also be set up to send a text message containing a 6-digit code, or to make a phone call, during which you will need to press the # key (hash or pound) on your phone.
You can choose 'Sign-in another way' to use a different sign-in method. If you have no signal on your phone, select 'Use a verification code from my mobile app'. This lets you enter the 6-digit code from the app; the code changes every 30 seconds and is generated on the phone itself, so it works without a network connection.
After entering your MFA details, selecting 'Stay signed in' will reduce the number of times you are asked to sign-in. Don't do this on a public computer!
You may receive a message to say that suspicious activity has been detected. When visiting a website secured by your University ID, you may get a message asking you to verify your account after you have entered your password.
This will give you the range of options you have set up for doing this:
The system will then confirm that it has sent a request:
Set up your account
2. Clicking 'Next' will allow you to set up the first authentication method.
The easiest and most secure way to set up MFA is with Microsoft Authenticator, an app for your smartphone. However, if you wish to use a text message or phone call, click "I want to set up a different method". The text message contains a six-digit code; the automated phone call may ask you to press the # key on your phone (the folks in the USA call this the pound button).
On your phone, install the 'Microsoft Authenticator app' from the Apple App Store or Google Play Store. Make sure you allow access to the camera and allow notifications.
3. Click 'Next':
4. On your phone, select the '+' to add a 'Work or school account'. This will bring up the 'Scan QR code' screen; use your camera to scan the QR code shown on your computer.
5. After a few seconds, the notification will be approved.
6. You're all set. However, before you go, it's worth adding additional sign-in methods, so that you are not locked out of your account. These include your mobile phone number and office phone.
To do this, visit Staff iD | click on your initials / photo (top right) | View account | Security info
Once here, please add as many methods as you can by selecting 'Add method' (the 1st arrow above). For staff, please ensure that your office phone is included so that you can still get into your account when at work, for example if you need to update your mobile phone number.
Once set up, you can change the default option.
7. Lastly, please back up the data in your Authenticator app. This will allow you to move the information to a new phone.
Before you can back up your credentials, you must have:
A personal Microsoft account to act as your recovery account.
For iOS only, you must have an iCloud account for the actual storage location.
To turn on cloud backup for iOS devices
On your iOS device, select Settings, select Backup, and then turn on iCloud backup.
Your account credentials are backed up to your iCloud account.
To turn on cloud backup for Android devices
On your Android device, select Settings, select Backup, and then turn on Cloud backup.
Your account credentials are backed up to your cloud account.
Recover your account credentials on your new device
You can recover your account credentials from your cloud account, but you must first make sure that the account you're recovering doesn't exist in the Microsoft Authenticator app. For example, if you're recovering your personal Microsoft account, you must make sure you don't have a personal Microsoft account already set up in the Authenticator app. This check is important so we can be sure we're not overwriting or erasing an existing account by mistake.
To recover your information
On your mobile device, open the Microsoft Authenticator app, and select Begin recovery from the bottom of the screen.
Sign-in to your recovery account, using the same personal Microsoft account you used during the backup process.
Your account credentials are recovered to the new device.
After you finish your recovery, you might notice that your personal Microsoft account verification codes in the Microsoft Authenticator app are different between your old and new phones. The codes are different because each device has its own unique credential, but both are valid and work while signing in using the associated phone.
Phone sign-in allows you to sign-in to your account without typing your password. This uses the security on your phone to prove it's you. To enable this:
- Go to your Microsoft Authenticator app on your phone.
- Select your account | Enable phone sign-in.
- You will see a screen that confirms your device is registered and you have a passcode.
- Select Continue and you will be asked to 'Approve sign-in'.
- That's it! Next time you sign-in to a supported website, e.g. https://staff.derby.ac.uk, you will be asked to 'Approve sign-in' with a number.
On your phone, confirm the matching number.
If you are asked to enter your password, select 'Use an app instead'. You can always use your password if required.
If you don't need to use phone sign-in, you can turn it off by going to the Microsoft Authenticator App | your account | Disable phone sign-in.
Your device needs to have the Company Portal app installed and a passcode or biometrics configured.
You can only have one account with passwordless sign-in enabled.
If you selected 'Stay signed in?', you will need to sign-out and back in again.
If notifications don't appear to arrive in the Authenticator App, select the three lines (top left) and 'Check for notifications'.
A word from Jodie Nevin, Derbyshire's Cyber Protect Police Officer:
Major data breaches occur regularly, affecting millions of people. The information that's breached (which usually includes usernames and passwords) can be stolen and used by cyber criminals to access user accounts, or to commit further criminal activity.
Also, passwords alone can be easily guessed or compromised through phishing or hacking, especially if using weak passwords or information which can be easily found online doing a bit of research on social media and other sources.
As more personal information goes online, concerns about privacy and identity theft grow.
MFA could include:
Multi-Factor Authentication (MFA) should be added to all your accounts wherever possible to add another layer of security and reduce the risks associated with compromised passwords. If a password is hacked, guessed, or phished, a cyber criminal wouldn’t be able to access it, as they wouldn’t have the additional factor, making the stolen password alone useless. If your accounts don’t support MFA consider replacing with those that do or if you must continue using, make sure you create strong and unique passwords.