Multi-factor Authentication F.A.Q.

What is multi-factor authentication?

Multi-factor authentication (also known as two factor authentication or two step verification) is a security enhancement that allows you to present at least two pieces of evidence, or factors, to identify yourself when logging into an account. These factors can be any of the following three categories: 1) something you know (like a password or PIN), 2) something you have (like a phone or hardware token), or 3) something you are (like your fingerprint). Your credentials must come from at least two different categories to be considered multi-factor authentication and to enhance security. Therefore, entering two passwords would not be considered multi-factor authentication.

Why do I need to use multi-factor authentication?

With more MTSU systems using single sign-on (SSO) services, it has never been more important to protect your MTSU account from unauthorized access. SSO services make it easier to access MTSU systems using a common user name and password. However, this also means the risk associated with a compromised user name and password significantly increases.

Phishing attacks, malware, and social engineering constantly target the University population with the intent of stealing users’ credentials to gain unauthorized access to MTSU systems. While users should always create strong passwords to protect against unauthorized access, passwords alone are simply no longer a sufficient means of authentication.

As a result, MTSU now offers multi-factor authentication services to protect your MTSU account. This means systems using SSO services will require a second factor of authentication in addition to a password. So if hackers compromise your password, they would still need a second factor, like your phone, to complete an authentication request.

Am I required to enroll in multi-factor authentication?

As of May 1, 2018, MTSU’s Information Technology Division made Microsoft Azure multi-factor authentication available to all users as an opt-in service. Multi-factor authentication will be required for faculty and staff starting on October 29, 2018 and for students starting on February 25, 2019. As of August 2017, all Information Technology Division employees are required to use multi-factor authentication to protect their accounts.

Is MTSU the first university to implement multi-factor authentication?

MTSU is not the first university to implement multi-factor authentication. MTSU will join many other higher education institutions who offer multi-factor authentication services including Harvard, Yale, Princeton, Columbia, Cornell, Stanford, Northwestern, Notre Dame, University of Alabama, University of Southern California, University of Michigan, Ohio State University, University of Miami, and Clemson. MTSU will also join many commercial institutions who offer multi-factor authentication across their services including Apple, Google, Microsoft, Amazon, FaceBook, Twitter, PayPal, Bank of America, Chase, Empower Retirement, and TIAA-CREF.

Can I opt out of multi-factor authentication?

Opting into multi-factor authentication early is the best way for you to become familiar with the service before it is required. As such there is no means of opting out of the service. We encourage you to opt-in early and provide feedback of your experiences so that we can refine settings for everyone before it is required. You can send your feedback via email to help@mtsu.edu.

What is Microsoft Azure multi-factor authentication?

MTSU’s Information Technology Division implemented Microsoft Azure multi-factor authentication, which provides the ability to use a smartphone or tablet as a second factor of authentication. Users can approve or deny authentication requests via online push notifications or generate verification codes using the Microsoft Authenticator mobile application. Users without smartphones or tablets may alternatively enroll a macOS or Windows computer with the Authy app or a phone number to receive a text message with a verification code or a phone call to approve or deny requests. Users who do not have access to or do not wish to use the above options may contact the ITD Help Desk at (615) 898-5345 or at help@mtsu.edu for other options.

Do I need to have a smartphone to use multi-factor authentication?

No, you do not need to have a smartphone to use multi-factor authentication. Users without smartphones may use the Microsoft Authenticator mobile application on a tablet. Users without smartphones or tablets may alternatively enroll a macOS or Windows computer using the Authy app or a basic cellular phone number to receive a text message with a verification code or a phone call to approve or deny requests. Users without access to computer or a basic cellular phone can enroll a landline phone like an office or home phone to receive a phone call to approve or deny requests. Users who do not have access to or do not wish to use the above options may contact the ITD Help Desk at (615) 898-5345 or at help@mtsu.edu for other options.

How do I enroll in multi-factor authentication?

Click here for instructions on how to enroll your account with Microsoft Azure multi-factor authentication using the Microsoft Authenticator mobile application on your smartphone or tablet. Users without smartphones or tablets can click here for instructions on enrolling a macOS or Windows computer using the Authy App or can click here for instructions on enrolling a phone number to receive a text message with a verification code or a phone call to approve or deny requests. Users who do not have access to or do not wish to use the above options may contact the ITD Help Desk at (615) 898-5345 or at help@mtsu.edu for other options.

Does it cost money to authenticate with my phone?

The Microsoft Authenticator mobile application, which is a free download, can generate verification codes that do not require a voice, text, or data plan. Microsoft Authenticator’s push notification feature consumes a very small amount of data and can use cellular or WiFi data. Users can use the Authy app to generate verification codes on a macOS or Windows computer for free. Using the text message or phone call options with your phone requires a text or voice plan and will be billed by your carrier like any other text message or inbound call. Users who do not have access to or do not wish to use the above options may contact the ITD Help Desk at (615) 898-5345 or at help@mtsu.edu for other options.

What if I do not have a cellular data plan or cellular signal?

We recommend users enroll in multi-factor authentication using Microsoft Authenticator on a smartphone or tablet. The Microsoft Authenticator mobile application can generate verification codes offline and does not require a voice, text, or data plan. Alternatively, users can enroll using the Authy app on a macOS or Windows computer, and the Authy app can similarly generate verification codes offline without the need for a voice, text, or data plan. Users who do not have access to or do not wish to use the above options may contact the ITD Help Desk at (615) 898-5345 or at help@mtsu.edu for other options.

What if I leave my phone at home?

We encourage users to enroll multiple authentication devices with Microsoft Azure multi-factor authentication so that if you do not have access to your primary device, you can still use a backup device. For example, you can enroll another mobile device like a tablet with Microsoft Authenticator, a macOS or Windows laptop or desktop computer with the Authy app, or an alternate authentication phone like a home phone. Click here for instructions on how to enroll an alternate authentication device with Microsoft Azure multi-factor authentication.

What if I lose my phone or suspect someone stole my phone?

We encourage users to enroll multiple authentication devices with Microsoft Azure multi-factor authentication so that if you do not have access to one device, you have at least one more device from which to choose. For example, you can enroll another mobile device like a tablet with Microsoft Authenticator, a macOS or Windows laptop or desktop computer with the Authy app, or an alternate authentication phone like a home phone. Click here for instructions on how to enroll an alternate authentication device with Microsoft Azure multi-factor authentication.

If you lose your phone or suspect someone stole your phone and you enrolled multiple authentication devices, you should immediately log in with an alternative device and remove your lost or stolen phone as an authentication device. If you did not enroll multiple authentication devices or have any questions, contact the ITD Help Desk at (615) 898-5345 or at help@mtsu.edu for assistance. Also, remember that while you should remove your lost or stolen phone as an authentication device as soon as possible, your password will still protect your account.

Can I use the Microsoft Authenticator mobile application when traveling internationally?

Yes, you can use the Microsoft Authenticator mobile application when traveling internationally. The Microsoft Authenticator mobile application can generate verification codes that do not require a voice, text, or data plan. If you have an international cellular data plan or access to WiFi, you can approve or deny authentication requests via online push notifications.

How do I authenticate if I cannot use the Microsoft Authenticator mobile app?

If you cannot receive push notifications from the Microsoft Authenticator mobile app, you can use a verification code generated on the mobile app. If you cannot use the Microsoft Authenticator app, you can receive a text message with a verification code. If you cannot use the Microsoft Authenticator app or receive a text message, you can receive a phone call to approve your sign in request. Click here for instructions on alternate ways to authenticate with Microsoft Azure multi-factor authentication.

What is an App Password, and do I need to use one?

Some applications like Outlook, Apple Mail, and Microsoft Office, do not support using a phone to secure your account with multi-factor authentication. You can instead use an App Password when connecting an email client on a mobile device to your MTSU account. Students who have their MTMail account configured in an Apple Mail, Outlook, or other email client on their smartphones, tablets, or personal computer will need an app password to use in place of your MTMail password. When prompted by your email client for a password, you will need to use this App Password. You will need an App Password per email client per device. Employees do not need to use the App Password to access their email on their smartphone or tablets, tablets, or personal or work computers at this time. Click here for instructions on how to create new app passwords.

What if I want to change my authentication method later after I already enrolled?

You can change your authentication method (e.g. from text messages to Microsoft Authenticator) at any time by logging into your Microsoft Azure account online. Click here for instructions on how to change your authentication method.  

What if I change my phone number or buy a new phone?

If you purchase a new smartphone, as long as you didn't change your phone number, you can still complete your login request by receiving text messages or phone calls to log into your MTSU account online (click here to read about alternate ways to sign into your MTSU account such as receiving text messages or phone calls). You can then install the Microsoft Authenticator app on your new smartphone and enroll the app (see p. 1-8 here). Similarly, if you change your phone number, as long as you still have access to the Microsoft Authenticator app, you can still use the app to approve your login request. You can then log into your account online and update your phone number (click here for instructions). If you cannot accomplish these steps for any reason, please contact the ITD Help Desk at (615) 898-5345 or at help@mtsu.edu