What is multi-factor authentication ('MFA')

Multi-Factor Authentication (MFA) is a way to check that you, and only you, obtain access to your account. Once enabled, you will receive a request for more information when you sign-in. The best experience is achieved by installing the Microsoft Authentication app on your phone and adding your phone number as a backup. The Authenticator app can be used without access to wifi or a mobile phone signal. Other Authentication apps are available if you already use one. Services will use the default method to contact you. It is important to keep your details up to date, for example, if you change your phone number.

You can use the headers below to navigate the guide.

Initial setup (desktop/laptop)

Updating your details | Authenticator Backup | Passwordless Sign-In | FAQ

Initial setup (Desktop/Laptop)

• Once MFA has been enabled on your account, you will see this message when you sign-in to Microsoft websites with your @derby.ac.uk account (https://office.com). This process can be completed on any computer or directly on your smartphone. 
• Left-click on 'Next'.

Add the Microsoft Authenticator application

• The easiest and most secure way to set up MFA is with Microsoft Authenticator, an app for your smartphone. However, if you wish to use a text message, click “I want to set up a different method”.
• Download the Microsoft Authenticator app (if you haven't already).
• Left-click on 'Next'.
  
  
  
  
• If prompted, allow notifications.
• Then add an account, and select "Work or School".
• Left-click on 'Next'.

• Scan the QR code.
• Left-click on 'Next'.

• Approve the sign-in on your mobile phone.

• Left-click on 'Next'.

Updating your details

• You can manage your MFA settings by using this guide: https://itservicecentre.derby.ac.uk/hc/en-us/articles/4407741934482-Manage-Your-Security-Details-for-Multi-Factor-Authentication-MFA-Staff-Guide-

Backup your Authenticator App

• Please backup the data on your Authenticator app. This will allow you to move the information to a new phone.
• Before you can back up your credentials, you must have:
  • A personal Microsoft account (opens in a new tab) to act as your recovery account.
  • For iOS only, you must have an iCloud account (opens in a new tab) for the actual storage location.

To turn on cloud backup for iOS devices

• On your iOS device, select Settings, select Backup, and then turn on iCloud backup.

  Your account credentials are backed up to your iCloud account.

  

To turn on cloud backup for Android devices

• On your Android device, select Settings, select Backup, and then turn on Cloud backup.

  Your account credentials are backed up to your cloud account.

  

Recover your account credentials on your new device

You can recover your account credentials from your cloud account, but you must first make sure that the account you're recovering doesn't exist in the Microsoft Authenticator app. For example, if you're recovering your personal Microsoft account, you must make sure you don't have a personal Microsoft account already set up in the authenticator app. This check is important so we can be sure we're not overwriting or erasing an existing account by mistake.

• On your mobile device, open the Microsoft Authenticator app, and select Begin recovery from the bottom of the screen.

  

• Sign in to your recovery account, using the same personal Microsoft account you used during the backup process.

• Your account credentials are recovered to the new device.

After you finish your recovery, you might notice that your personal Microsoft account verification codes in the Microsoft Authenticator app are different between your old and new phones. The codes are different because each device has its unique credential, but both are valid and work while signing in using the associated phone.

Passwordless sign-in

Passwordless sign-in allows you to sign in to your account without typing your password. This uses the security on your phone to prove it's you. To enable this:

• Go to your Microsoft Authenticator app on your phone.
• Select your account.
• Enable phone sign-in.

• Click 'Continue'.

• Approve the sign-in on your mobile phone.

 

To disable:

• Go to your Microsoft Authenticator app on your phone.
• Select your account.
• Click 'Disable phone sign-in.

Notes:

• Your device needs to have the company portal installed and a passcode/biometric configured.
• You can only have one account with passwordless enabled.
• If you selected 'Stay signed in?', you will need to sign out and back in again.
• If notifications don't appear to arrive in the Authenticator App, select the three lines (top left) and 'Check for notifications'.

Frequently Asked Questions

1. Can I reduce the number of verification requests?

   • If you are using your device, some websites let you 'Stay signed in?'.
     
     

2. Why am I being asked to change my password many times?

   • If you are using a VPN, then the system may flag this as risky. Try not to use the VPN for University services.
     
     

3. I have limited wifi / mobile phone signal, how can I use the system.

   • The Authenticator app, once installed from your app store, can be used without wifi or a mobile phone signal. Follow the instructions above and set the default to be "Authenticator app or hardware token - code"
     
     This will allow you to type the 6 digit number from your phone at sign in. This is found by selecting your username in the app and the number changes every 30 seconds, which keeps your account secure.
   • Note, if you enable a phone to sign in, the system will use a Wi-Fi/mobile phone signal to display a 2 digit number for you to select instead of typing your password.
     
     

4. I do not own a mobile phone - how can I access my applications?

   • If you do not own a mobile phone, please contact the IT Service Centre, so we can discuss your options. Please include 'MFA setup' in your subject: ITServiceCentre@derby.ac.uk
     
     

5. When you 'view account', there is an option to view 'My sign-ins to review recent activity. There is an activity that I don't recognise.

   • My sign-ins shows where you have recently used your account. The location may be where the ISP (e.g. Vodafone, Ask4, BT) is registered and not your precise location. However, it should be within the same country.
   • If you are using a VPN, this should show the country to which your VPN is connected.
   • If there are sign-ins that you are concerned about, please click the ''Look unfamiliar? Secure your account' link and follow the instructions. If you are still concerned, please contact ITServiceCentre@derby.ac.uk.
     
     

6. I've set up the app and can also receive text messages, however when I try a phone call, it asks me to press a pound key, which my phone doesn't have.

   • The hash symbol '#' is known as a pound symbol in some parts of the world. This is the button to press.

7. My phone/tablet Apple Mac has stopped receiving email/calendar items around the same time that I set up MFA. How do I start receiving them again?

   • As part of securing your account, you may need to delete the account and set this up again. The email is stored on Microsoft's servers, so you should not lose anything. In the meantime, you can sign in to UDo or office.com to view your emails. More information is available in this article.
     
     

8. Is the app accessible?

   • The app works with screen readers and other accessibility tools.
     
     

9. I can't sign in and get the message 'The username or password is not correct. Please try again. (error: Access-Reject)', noted below.

   • You have not set up MFA yet, please sign in to https://office.com and follow the steps to provide the information required.
     
     

10. I can verify my sign in and I know my password is correct, however, I still can't get in. I get the error 'Sign-in error Invalid username or password' noted below.

    • Some services require that your account has been enabled to access the service. Please contact your tutor to confirm access has been requested.