Thursday, December 8, 2022

SSO Transition update #3 - MFA methods and Authenticator Apps

Hello Malone University Students, Faculty, and Staff:

Malone Xpress was converted to the new SSO system on Wednesday. This was a day later than expected because of some technical glitches in Malone Xpress. We have fielded several calls about the best way to set up your multi-factor authentication, so this post is dedicated to the types of questions we have received from you in the past week or two.

There is no cost for MFA

You DO NOT NEED TO PAY for any services related to MFA at Malone. We have fielded several calls where users are being prompted to sign up for a subscription for their MFA authenticator apps. When I search the iOS App Store for “Microsoft Authenticator,” the first result is an ad for a third-party app. The second result is the actual “Microsoft Authenticator” app; the link to the correct iOS download is here. The Android app is here.

You can use any compatible authenticator app. I personally use Google’s authenticator app (download for iOS or Android). 

Whichever app you choose, the same app can hold the codes for any service - banking, other online services, social media, etc. - that supports authenticator-app MFA.

More than one MFA method

There are four different mechanisms for multi-factor authentication which can be used. We recommend you set up at least two in case one fails or isn't available to you when you need it:
  • An authenticator app such as the ones from Microsoft or Google <--most secure and recommended.
  • Phone - you can be called or texted a verification code. Calls and text messages can be intercepted by someone who takes over your phone number, so treat this as a backup rather than your primary method.
  • Alternate phone - a backup method in case the phone you set up is not available.
  • Office phone - this would call a third number you specify and read a code to you.
Even after you have completed the initial set up of your MFA methods, you can update which methods for MFA you want to use in your Microsoft profile's security section: https://mysignins.microsoft.com/security-info

How do Authenticator apps work?

When setting up a new service in your authenticator app, the most common method is for you to scan a QR code that the service will show to you during the set up. If you choose to use a different authenticator app than Microsoft’s, you will need to select that option during set up.

The process requires you to set up a connection between your chosen authenticator app and whatever service(s) require MFA. This connection is unique because the QR code you scan contains a secret key that is shared only between that service and your app; the key is stored by the app, not tied to your phone's hardware. Every 30 seconds (the interval most apps use), the app combines that secret key with the current time to produce a new six-digit code, and the service does the same calculation on its side to check what you typed. Because the code changes every 30 seconds, a code that was somehow stolen stops working almost immediately. Note the limit of that protection: if you type a code into a fake login page, the attacker can forward it to the real service within those 30 seconds, so check the site address before entering a code.
How the code is calculated is based on some very clever math that Kyle Calderhead, David Hahn, or Shawn Campbell could explain to you. If you take the algorithms course, you would be able to explain it like they can!
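For the curious, here is the calculation the section above describes, written out as an added example. This is not code from Malone IT, Microsoft, or Google; it is a plain implementation of the time-based one-time password scheme (RFC 6238, built on RFC 4226) that authenticator apps use. The provisioning URI and the "ExampleService" name are constructed for illustration, and the secret inside it is the publicly documented test key from RFC 4226, so the codes it produces can be checked against the published test vectors. The `verify_totp` function shows the service's side of the check, including the small clock-skew window that real services allow.

```python
"""Added example: how an authenticator app turns a scanned QR code into
30-second codes (TOTP, RFC 6238), and how the service checks them."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed provisioning URI: this is what the QR code shown at enrollment
# encodes. The secret is the published RFC 4226 test key "12345678901234567890"
# in base32, NOT a real account secret; issuer and account label are made up.
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleService:user%40example.edu"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleService"
)


def secret_from_otpauth_uri(uri):
    """Pull the shared secret out of an otpauth:// URI and base32-decode it.
    This is the step the app performs when you scan the QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    secret_b32 = parse_qs(parts.query)["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore any stripped padding
    return base64.b32decode(secret_b32)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then the
    'dynamic truncation' that picks 31 bits and reduces them to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: the counter is simply the number of 30-second steps since the
    Unix epoch, which is why phone and service must agree on the time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Service-side check. Accepts the current step plus `window` steps on
    either side to absorb clock skew, and compares in constant time so the
    check itself leaks nothing about the expected code."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = secret_from_otpauth_uri(EXAMPLE_OTPAUTH_URI)
    # The same key yields a different code in each 30-second window.
    for t in (0, 29, 30, 59, 60):
        print(f"t={t:>3}s  code={totp(key, t)}")
    print("current code:", totp(key))
```

Two things the code makes visible that the prose glosses over: nothing in the calculation depends on the phone itself, only on the secret and the clock, which is why the secret must be moved deliberately when you change phones; and the service's skew window means a code is typically accepted for a little longer than 30 seconds, which is the margin a real-time phishing relay exploits.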

Things to watch for when using an Authenticator App

  • When moving to a new phone, be sure to transition your MFA setup to the new device. This usually means opening the authenticator app on the old and new phones at the same time and scanning a code shown on the old phone's screen with the camera of the new phone. An ordinary device restore from backup usually will not carry the accounts over, because the secret keys live in the app's own protected storage rather than in the regular backup; use the app's transfer or export feature, or, if your app offers its own cloud backup, confirm it is turned on before you wipe the old phone. If the old phone is already gone, use a rescue code or one of your other MFA methods to sign in and register the new phone on the security-info page above. Remember to completely wipe your old device before discarding, reselling, or giving it to someone else.
  • Many services will give you backup or rescue codes that can be used instead of the MFA app. Store these securely. We suggest printing the rescue codes and keeping them with your other important papers. Do not save them to a digital file on your computers or devices. These codes let you recover your ability to log in if, say, you drop your phone in a lake or it is stolen.
