Threats from phishing scams, malicious software, and compromised passwords are constantly increasing and pose an immediate risk to your privacy and the security of University data. Marshall University has implemented a new Multi-Factor Authentication (MFA) system that is required for all active account holders. When accessing an MFA-protected service, you will be prompted to enter your MUNet username and password and authenticate the login process with multi-factor authentication.

Instructions:

Before enrolling in Multi-Factor Authentication, you must first read the getting started instructions at the link below. Multi-Factor Authentication setup instructions for your Marshall University account are available here: Multi-Factor Authentication: Getting Started Instructions

The best and most convenient way to use Multi-Factor Authentication is to download the Microsoft Authenticator app from either the App Store for iPhones or the Google Play Store for Androids. You will look for this icon on both platforms. To download, follow the link to your respective app store provided below:

- iPhone App Store
- Google Play App Store

Enroll Now!

What is it?

- MFA adds another layer of security to your online accounts
- Requires “two factor authentication” (2FA) to verify your identity when you log in to a service by:
  - something you know (such as your password)
  - something only you have (such as your mobile phone, on which you will receive a login confirmation notice via text or phone call)

Why should I do it?

- Provides enhanced protection of student and employee data against account credential compromise.
- Increasingly, hackers have targeted higher education institutions by using hacked credentials:
  - to file taxes for employees
  - to tamper with employee payroll deposits
  - to attempt fraudulent access to students’ and employees’ bank accounts
  - to harvest Social Security numbers for use in credit fraud

What are the benefits?
- Multi-factor authentication (MFA) is an effective way of stopping fraudulent account access by notifying you and requiring you to approve usage of your account
- MFA is essential to help safeguard access to critical systems
- MFA provides much stronger assurance that your information is only accessible to the intended people, and that MU’s systems and services remain available only to authorized account holders

Multi Factor Authentication FAQ

Why must I have MFA for my account?
Widespread major data breaches are occurring at an alarming rate, affecting millions of people. The information that’s stolen, in many cases, includes usernames and passwords that could allow cybercriminals access to user accounts. In addition, passwords alone can frequently be easily guessed or compromised through phishing or hacking. As more personal information finds its way to online applications, privacy and the threat of identity theft are increasingly a concern. Multi-factor authentication should be used whenever possible because it immediately neutralizes the risks associated with compromised passwords by adding an additional layer of security to protect highly sensitive personal information. If a password is hacked, guessed, or phished, a bad actor would still need the required second factor on the account, making the stolen password alone useless.

Can I Opt Out of MFA?
All students are required to use MFA and there is no option to opt out. Marshall has implemented many measures to prevent students and employees from falling victim to cyber hackers, and those measures have helped the university successfully prevent serious cyber-attacks, spam email attacks and phishing email incidents. Increasingly, hackers are using sophisticated tools and mechanisms which, if unchecked, will continue to leave Marshall vulnerable to such attacks. Building on these security improvements, we have implemented measures to prevent credential theft.
We have decided to implement MFA for all students and have chosen Microsoft Authenticator as our multifactor authentication system.

What Marshall IT services will use MFA?

Service: Office 365 Services – student e-mail, OneDrive, Office 365 ProPlus Apps, etc.
Risk Factor: Reduce e-mail account abuse related to account takeovers by bad actors.
Community: Students, alumni, faculty/staff using OneDrive
Status/Availability Dates: Opt-in through March 31, 2019, enabled by default April 8, 2019; required July 1, 2019.

Service: Campus ID Card eAccount Access
Risk Factor: Protect financial information associated with eAccount stored value services
Community: Students, faculty/staff using eAccounts services.
Status/Availability Dates: April 3rd, 2019

Service: Outlook Web Access, Exchange Services
Risk Factor: Reduce e-mail account takeovers and identity abuse (e.g. impersonation of employees).
Community: Faculty and staff
Status/Availability Dates: February 2019 for opt-in test group, late spring 2019 for wider campus rollout; required July 1, 2019.

Service: Banner
Risk Factor: Financial and student data security, audit compliance (e.g. mandatory password changes).
Community: Employees with access to Banner Financial data; faculty with access to bulk student information (FERPA).
Status/Availability Dates: Introduced for pilot testing April 2019; required use July 1, 2019, IT Enterprise Apps team completed Banner 9 integration; requirement for exemption from 90-day password change on MUNet account.

Service: Remote Access (VPN, muRemote, Remote Desktop Connections).
Risk Factor: Ensure authorized remote access to on-campus network (VPN), data (Banner and muBert), and server administration.
Community: Students, faculty and staff who use Global Protect VPN; students, faculty and staff who use muRemote and RDP clients to access servers from off-campus.
Status/Availability Dates: Opt-in testing now; general availability April 2019; required July 1, 2019.

Service: Web Portal Apps: Single-sign-on (SSO)
Risk Factor: Ensure authorized access to student resources via myMU, muOnline, Library, etc.
Community: All – opt-in/out options based on role (e.g. recruit, alumni) and application support (e.g. some apps may not support MFA-based authentication).
Status/Availability Dates: TBA, currently testing in lab environment; options available for opt-out based on application or account holder role (e.g. recruiting, alumni portal, etc.).

How often do I need to use MFA?
This depends on whether your device is located on-campus or off-campus. IT is currently using a configuration called ‘conditional access’ which should minimize MFA verification prompts when sign-ins originate from inside the Marshall University network (a verified location). If you are off-campus, you should expect to receive an MFA verification prompt the first time you authenticate from either a new device or a new location from which you have not previously verified using MFA. If you are using an application which supports Office365 modern authentication, you will receive an option to ‘Approve sign-in request’ and ‘Don’t ask again for 60 days’. This option may be used on devices or locations you consider trusted, such as your mobile device or personal computer located at home. You should never use this option on public or shared-access computers.

Can MFA detect fraud?
Yes, the fraud alert feature reports fraudulent attempts when someone attempts to gain access to protected resources without MFA verification. Alerts are sent to you, the account holder, and the Marshall IT security team.

What methods can I use to Authenticate?

- Push Notifications via Microsoft Authenticator App (Recommended for ease-of-use and security, requires cellular data or WiFi access)
- One-Time Security Codes via Microsoft Authenticator App (Use this method when your mobile device does not have access to cellular data or WiFi service)
- SMS (Text Message) (Recommended as an alternative verification method; SMS text messages do require cellular or WiFi access)
- Phone Call
- OATH Hardware Token (available through Marshall IT service desk)

Do I need a smartphone to use MFA?
No.
In addition to using the Microsoft Authenticator App, Marshall’s MFA service allows you to use a basic feature phone with SMS (text message) support, or you can receive a phone call to an office or residential phone. If you do not have a mobile device, you may use an OATH hardware token to verify your authentication. To request an OATH token, please use the Online request form for MFA Tokens. This will automatically create a support request with the IT Service Desk.

Note to MU Employees: Please see question “Can I use my Marshall University office phone as a verification method?” below.

Is the mobile app required?
No, but Marshall University strongly encourages using the app when possible to provide ease of use and enhanced security features. The Microsoft Authenticator app is free from both the Apple App Store and Google Play Store, and it allows you to generate MFA verification codes for your account even when cellular or WiFi service is not available. The app also speeds up the verification process by allowing you to receive push notifications to “Approve” or “Deny” a logon event.

How do I configure the mobile app?

1. First, go to MFA Setup, where you will be asked to authenticate your Marshall email address. This will redirect you to the MU Single Sign-on Login page, where you will log in using your MUNet username and password.
2. Choose “Notify me through app” to generate a customized QR code. This is used to associate your MUNet credentials with your mobile device. More detailed instructions are also provided at the Multi-Factor Authentication: Getting Started page.
3. Using your mobile device, open the Microsoft Authenticator app and click the ‘+’ in the upper-right corner of the mobile app to add a new account.
4. Next, the Microsoft Authenticator app will activate your device’s camera. Position the device to capture / ‘scan’ the provided QR code (see example here), then click the ‘Next’ button on the ‘Configure Mobile App’ webpage.
5. You will receive a push notification on your phone to verify the Authenticator app is working correctly. Select the “Approve” button on the notification to verify.

What is a one-time security code? How does it differ from a password?
A one-time security code is a temporary 6-digit number generated by the Microsoft multi-factor authentication service, and may be used as the “second factor” for verifying your authentication. This security code provides an extra layer of security for your password. The security code can be generated either by the Authenticator app, as an SMS (text message), or via an OATH hardware token if you do not have a mobile device.

Why do I need to use an alternative verification method?
When setting up your MFA method, we recommend setting the mobile app (Microsoft Authenticator app) as your primary method, as well as setting up a secondary method, such as SMS (text message) or phone call. If there is an issue with your primary method, you’ll have the secondary method to use as a backup and can still log in to your account.

Note to MU Employees: Please see section “Can I use my Marshall University office phone as a verification method?” below.

Can I use my Marshall University office phone as a verification method?
This method is not recommended because MFA verification is not required for some services (e.g. Office365) when connected to the University’s network. If you set your office phone as your primary MFA method, you will not receive the verification (via phone call) when logging in from an off-campus location. It is recommended to set up your primary verification method to use a device which you can access when off-campus (e.g. mobile phone or OATH hardware token). If you still want to set up your office phone as a backup verification method, you will need to select “Alternate authentication phone” and enter your office phone number. The “Office Phone” option cannot be used due to the country code requirement, which cannot be set at this time.
I lost or replaced my device. How do I ensure notifications do not continue to go to my old device?

If you lost or already replaced your device, and your backup verification method is not available:

- Call or visit the IT Service Desk to have your MFA registration reset.
- Once reset, you can log in to your Office365 account or go to MFA Setup and follow the prompts to set up your new device. Remember, it is recommended to set the Mobile App (Microsoft Authenticator app) with push notifications as your primary verification method.

If you are planning to get a new device, but still have access to your old device or backup verification method:

You will need to set up a backup verification method that you can use when you receive your new device. To do so, log in to MFA Setup, which will prompt you for MFA verification…

If you use the Microsoft Authenticator App:

- Under the “Authenticator app or Token” section, click “Delete” next to the “Authenticator app – [device name]” that is associated with your old device.
- Be sure to have “Authentication Phone” or “Alternate authentication phone” selected with a phone number you will still have access to when you dispose of your old device. This will serve as a backup method for logging in until you can get the Microsoft Authenticator app set up on your new device.
- Click “Save” when finished.
- Once you receive your new device, you can log in to MFA Setup and follow the steps under the section “How do I configure the mobile app?” above.

If you use SMS (text messages)/phone call verification, and do not plan on changing your phone number:

- No action needs to be taken. You will still receive SMS (text message) security codes on your new device when your carrier makes the switch. This is also the case if you use the Microsoft Authenticator app as your primary verification method, and already use SMS (text messages) as a backup method.

If you use SMS (text messages)/phone call verification, and DO plan on changing your phone number:

- On the MFA Setup page, select either “Authentication phone” or “Alternate authentication phone” and enter a phone number you will have access to until you receive your new device. If you already know your new number, enter it in the “Authentication phone” section.
- Click “Save” when finished.

What if I don't have access to WiFi or cellular service?
The Microsoft Authenticator App is designed to work both online and offline. In offline mode, the Authenticator app generates a temporary security code which you will enter during the ‘verifying your identity’ step of logon. As long as you have a smartphone and have configured the mobile app, WiFi and/or cellular service are not required for MFA verification. If you have a basic feature phone (non-smartphone) which only receives SMS text messages, and does not support mobile apps, then cellular or WiFi service is required to receive a text verification.

What is an OATH hardware token?
An OATH token is a small hardware device that the owner carries for verification in place of the options on a mobile device. This device can generate a one-time security code. If you do not have access to a mobile phone, you can request an OATH token for use as your primary verification device. To request an OATH token, please use the Online request form for MFA Tokens to automatically create a support request with the IT Service Desk.

Do I have to pay for an OATH hardware token?
If you do not have access to a mobile phone, you can request an OATH token for use as your primary verification device. If you have a mobile device but prefer to use the OATH token form factor, there will be a one-time charge to cover the cost of the device. To request an OATH token, please use the Online request form for MFA Tokens to automatically create a support request with the IT Service Desk.

How can I disable an OATH token?
1. First, go to MFA Setup
2. Select “Disable” next to your Security Token
3. Please return your OATH token to the IT Service Desk to avoid a $20 replacement fee.

Why am I not prompted for MFA when I login to my email account?
MFA is currently only available for accounts configured to use Office365 e-mail services. MFA for faculty/staff email accounts will be activated when your mailbox is migrated to use Office365 e-mail services.

Why am I not receiving push-notifications on my Authenticator App?
If you downloaded the Microsoft Authenticator App, but are not receiving push/pop-up notifications for MFA verification, it is likely due to a configuration issue. Go to the MFA Setup page and confirm that your preferred verification option is ‘Notify me through app’. Also make sure the option ‘[x] Authenticator app or Token’ is selected, and click on the button for ‘Set up Authenticator App’. Note, having a second device – e.g. a computer or tablet – makes this step easier. The setup process generates an image called a QR code and asks you to open your Authenticator app to take a picture of the code for verification.

What are my options if I have an e-mail client on my computer that does not support MFA?
Keeping your computer operating system and applications updated is essential to the security of your data and devices. You can use your web browser to connect to your e-mail via the myMU Web portal or portal.office.com. In addition to web access, a number of Microsoft and other third-party applications support ‘modern authentication’ – visit this Microsoft link for details.