Multi-factor Authentication (MFA) for WWU Universal Accounts
Passwords can be compromised. Western now offers Multi-factor Authentication (MFA) to better safeguard your computer accounts and personal information and the University’s data. Western’s MFA requires you to have something (a phone or hardware device, e.g.) in addition to a password to authenticate. If your password is stolen by a hacker, it is insufficient to break into your account.
Register for MFA
- BEFORE you register for MFA, please verify/change your authentication methods and contact information to make sure you have another authentication method selected. Employees should list more than just their office phone and preferably set up more than one second factor in case their primary factor fails.
- If you have a mobile phone, set up the Microsoft Authenticator App. If you do not have a mobile phone, you may use a land phone line to do MFA. Note: you must be working in proximity to the phone in case you have to use MFA. Your third choice is to purchase a FIDO2 key. These may be purchased from any vendor. The key plugs into your hardware and give you mobility. If you cannot do any of these methods, please fill out this request form for a University-supplied hardware device.
- After adding your additional verification method, fill out the WWU Multi-Factor Authentication Opt-In form.
- The next time you sign into an application requiring MFA, you may be prompted to add or verify alternate contact information. Follow the screen instructions to complete.
IMPORTANT: You may be prompted to enter a second factor more frequently in the first week, but it should settle down after the apps you use have been approved. You will also be challenged for new browser sessions, but not for new tabs within the same browser sessions.
Authenticate With MFA
Once enrolled in MFA, the process to complete MFA is 1) enter your email@example.com and password; and 2) authenticate with your second factor (one of the following):
- Verification code or pop-up notification generated by your Microsoft Authenticator app on your iOS or Android smartphone, tablet, or smartwatch
- Code sent to your mobile phone via text message
- Voice call to your mobile phone
- Voice call to your landline (using a location-specific phone is not recommended unless you do not have a better option)
- FIDO2 key insertion into a USB port then tap or fingerprint to your key
The Microsoft Authenticator app is strongly recommended, because you don't have to copy then paste any codes. You simply tap the APPROVE pop-up on your smartphone or smartwatch. The Microsoft Authenticator app can also be used if you lack mobile or wireless networking service.
A Note About FIDO2 Hardware Keys
If you do not have a mobile phone and are not working in proximity to a land phone line, FIDO2 keys are a great option for strong security. They can also be configured for passwordless authentication. You may purchase a FIDO2 key from any vendor, but it must be from a Microsoft supported and compatible manufacturer. FIDO2 keys may be connected to your devices by USB, Bluetooth, or NFC. Most FIDO2 keys have a USB-A or USB-C connector and a subset of keys support Bluetooth and NFC. You will probably need a key that supports Bluetooth or NFC to support a mobile device. Before purchasing, verify that the key you choose will support authentication on all your devices. Feel free to contact the Help Desk to discuss these alternative second factor physical devices.
Common Questions About MFA
Do I have to do MFA every time I log in?
No – MFA is only required if you are working off-campus or using a cellular network. You will be prompted at least every 90 days and more often depending on whether you use new devices, web browsers, passwords, locations, applications, or trigger suspicious security events.
What can I use for a second “factor”?
We recommend the Microsoft Authenticator App but you may also use an SMS text message, phone call, or FIDO2 key.
What applications require MFA?
Currently, you will have to use MFA for Microsoft Office and several of our web based single sign-on applications such as Zoom, Canvas, Google G Suite, the Parking application, and the Contract Management Module. You will NOT have to do MFA for Banner, Web4U or VPN. We will add MFA for VPN in the future.
Will MFA work on my phone if I lose cell service and wireless networking?
If you have installed the Microsoft Authenticator App on your mobile device, you can open the application, tap on your account, and view a one-time password code. You can use this code just like a code sent to you with a SMS text message. When authenticating, you may have to choose the option to “Sign in another way” after entering your password and being prompted for MFA.
What if I lost my cell phone and get prompted for MFA?
If you have configured an alternate phone or FIDO2 key, you may choose to “Sign in another way” during MFA. If not, you will have to call the ATUS Help Desk for support.
Are there problems with MFA when traveling?
You will want to set up the Microsoft Authenticator App on your phone when traveling. The app can be used even if you lose cell and wireless networking connectivity. Every 30 seconds, the app generates a verification code. Enter the most current verification code on the sign-in screen. If you are traveling internationally, we suggest you also consider taking a hardware device such as a FIDO2 key.
Is MFA required?
MFA is currently not required, but we are strongly recommending for everyone to opt-in. For those who don't opt-in to MFA now, we will be rolling out mandatory MFA to faculty and staff in May 2021. Planning for the student rollout of MFA is occurring now.
What if I Have Problems?
Keeping your account, data, and identity safe is great but we recognize that using more than just a password might seem like an inconvenience and you might occasionally run into a problem. The Help Desk (firstname.lastname@example.org, (360) 650-3333) is here to help you if you have questions or issues. The links below may also help answer your questions.
How to set up Azure Multi-factor Authentication (Short video 3:37)
Set up the Microsoft Authenticator app as your verification method (Document)
Common problems and troubleshooting tips for MFA (Document)
Screenshots of Microsoft Authenticator installation (Document and short video)
Additional troubleshooting tips for MFA
I am getting prompted for MFA at every logon.
This problem may be due to a browser setting. Check to see if your browser is set to clear cookies every time it is closed. This will cause this behavior.
I did not get an SMS text message with a code.
Verify that you can receive text messages to your phone by having a friend or co-worker text you. If you did not receive their texts, there is a problem with your phone or cell service. If not, you may still have a problem if you have configured your phone to block texts from unknown numbers. Remove blocking temporarily to see if this is the problem. If you still are not sure what is happening, you may do MFA using another method if you have configured more than one authentication method.
I did not get a notification pop-up from the Authenticator app.
You must have cell or wireless service for the notification pop-ups to work. If you have lost service, you may choose “Sign in another way” from the authentication prompt. You can then choose to use an Authenticator app token. To retrieve the token, open the Authenticator app and click on your account. You will see a six-digit code. The codes change every 30 seconds, so you need to enter this code quickly in the authentication box or wait until the next code appears to have another 30 seconds.
My primary MFA authentication method is not working.
If you have configured more than one authentication method, you can “Sign in another way” from the authentication dialog box (example below).
I am still having problems.
Please contact the ATUS Help Desk