Multi-factor Authentication (MFA) for WWU Universal Accounts

Why MFA?

Using only a password to authenticate is known as single-factor authentication. Credentials using only single-factor authentication can be easily stolen by bad actors.  Adding a second authentication factor (e.g., phone or hardware device) to your account will reduce the possibility that your identity can be stolen, thus providing a safeguard for your computer accounts, personal information, and the university's data. 

How do I sign up?

To use multi-factor authentication at Western, you have two steps:

You are encouraged to read to the bottom of the page before trying to sign up.

Second Factor Options

Your options for a second factor include:

  • A notification or code generated by the Microsoft Authenticator app.
  • An SMS text message sent to your cell phone.
  • A telephone call to a land line or cell phone.
  • A hardware device called a FIDO2 key.

The Information Security Office and Academic Technology User Services are strongly recommending the use of the Microsoft Authenticator app. We have found that this is the simplest method for community members to use. When authenticating, you simply tap an Approve button that pops up on your phone. It can also generate a code that can be used if you lose cell or wireless networking services. This is ideal if you are located in an area with poor or no cell coverage.  If you tend to carry your smart phone, this is the preferred second factor. 

A FIDO2 key is also a very secure method for authentication. They typically plug into a USB port or communicate with the NFC protocol. You can buy a compatible device and set it up yourself.  Staff members may be eligible for a University provided device. Both the Microsoft Authenticator app and a FIDO2 key can also be used in a passwordless mode.

Set Up the Microsoft Authenticator App

The Microsoft website has the most up-to-date information on setting up the Microsoft Authenticator App. We also strongly suggest you watch this short video How to set up Azure Multi-factor Authentication. After installation, make sure you set the Authenticator App as your default sign-in method.

Add a Backup Second Factor

We recommend you add another factor in case your first MFA option fails. We suggest a cell phone number or land line. A FIDO2 key is also an excellent first or backup second factor.

Opt-in to MFA

After adding your additional verification method, fill out the WWU Multi-Factor Authentication Opt-In form.

Authenticate with MFA

Once enrolled in MFA, the process to perform MFA is:

  1. Enter your username@wwu.edu and password. 
  2. Authenticate with your second factor.

If you have set up the Microsoft Authenticator app, you will see a notification pop up on your phone with the choices Approve or Deny. Tap Approve to authenticate. If you configured SMS texting, you will receive a code by text message, which you have to enter in your web browser. If you set a phone call as your first MFA choice, you will have to answer the call and push the # key. If using a FIDO2 key, you will have to make sure it is plugged into your device. Most also require you to tap the device or input a code or fingerprint.

A Note About FIDO2 Keys

FIDO2 keys may be connected to your devices by USB, Bluetooth, or NFC. Most FIDO2 keys have a USB-A or USB-C connector and a subset of keys support Bluetooth and NFC. You will probably need a key that supports Bluetooth or NFC to support a mobile device. Before purchasing, verify that the key you choose will support authentication on all your devices. Feel free to contact the Help Desk to discuss these alternative second factor physical devices.

Common Questions About MFA

Will I be prompted for MFA on campus?

We are currently NOT requiring MFA if you are working on campus. This may change in the future.

What applications require MFA?

Currently, you will have to use MFA for Microsoft Office, VPN, and several of our web-based single sign-on applications such as Zoom, Canvas, Google G Suite, the Parking application, and the Contract Management Module.

Do I have to do MFA every time I log in?

No, MFA is only required if you are working off-campus or using a cellular network. You will be prompted at least every 90 days and more often depending on whether you use new devices, web browsers, Incognito/InPrivate windows, passwords, locations, applications, or trigger suspicious security events.

What can I use for a second “factor”?

We recommend the Microsoft Authenticator App but you may also use an SMS text message, phone call, or FIDO2 key.

Will MFA work on my phone if I lose cell service and wireless networking?

If you have installed the Microsoft Authenticator App on your mobile device, you can open the application, tap on your account, and view a one-time password code. You can use this code just like a code sent to you with an SMS text message. When authenticating, you may have to choose the option to “Sign in another way” after entering your password and being prompted for MFA.

What if I lost my cell phone and get prompted for MFA?

If you have configured an alternate phone or FIDO2 key, you may choose to “Sign in another way” during MFA. If not, you will have to call the ATUS Help Desk for support.

Are there problems with MFA when traveling?

You will want to set up the Microsoft Authenticator App on your phone when traveling. The app can be used even if you lose cell and wireless networking connectivity.  Every 30 seconds, the app generates a verification code. Enter the most current verification code on the sign-in screen. If you are traveling internationally, we suggest you also consider taking a hardware device such as a FIDO2 key. 

Is MFA required?

There is a project to roll out MFA to all users, and we are currently in the first phase. Users of Banner Admin Pages who are not yet enrolled in MFA will be automatically enrolled on April 13, 2022. However, we strongly recommend that all Western community members opt in now. This gives everyone a chance to ensure everything is working as expected before their go-live.

Will my personal device be subject to a public records request because it is used for MFA?

The short answer is no. All authentication records are stored in the Microsoft Azure cloud, and any information on your personal devices would be redundant. Also, if you use the Authenticator App, there will be no record on your device.   

What if I don't want to use my cell phone or don't own a cell phone?

Experience at other universities using Microsoft MFA has shown that users prefer the Microsoft Authenticator App as their second factor. A hardware device is another thing to carry around, and if you leave it somewhere, you may be prevented from working off-campus. Most users issued a hardware device end up switching to the Authenticator App fairly quickly. Additionally, if you use a FIDO2 key, you have to first register a phone number. If you do not have any phone number at all, contact the ATUS Help Desk and we will work with you to get a University-provided device.

What if I Have Problems?

Keeping your account, data, and identity safe is great but we recognize that using more than just a password might seem like an inconvenience and you might occasionally run into a problem. The Help Desk (helpdesk@wwu.edu, (360) 650-3333) is here to help you if you have questions or issues. The links below may also help answer your questions.

Additional Resources

How to set up Azure Multi-factor Authentication (Short video 3:37)
Set up the Microsoft Authenticator app as your verification method (Document)
Common problems and troubleshooting tips for MFA (Document)
Screenshots of Microsoft Authenticator installation (Document and short video)
Set up security key as verification method (Microsoft)

Additional troubleshooting tips for MFA

I am getting prompted for MFA at every logon.

This problem may be due to a browser setting. Check to see if your browser is set to clear cookies every time it is closed. This will cause this behavior.

I did not get an SMS text message with a code.

Verify that you can receive text messages on your phone by having a friend or co-worker text you. If you did not receive their texts, there is a problem with your phone or cell service. Even if you did receive them, you may still have a problem if you have configured your phone to block texts from unknown numbers. Remove blocking temporarily to see if this is the problem. If you still are not sure what is happening, you may do MFA using another method if you have configured more than one authentication method.

I did not get a notification pop-up from the Authenticator app.

You must have cellular or wireless service for the notification pop-ups to work. If you have lost service, you may choose “Sign in another way” from the authentication prompt. You can then choose to use an Authenticator app token. To retrieve the token, open the Authenticator app and click on your account.  You will see a six-digit code. The codes change every 30 seconds, so you need to enter this code quickly in the authentication box or wait until the next code appears to have another 30 seconds.

Another reason for not receiving a notification is that your device is in Do Not Disturb mode (Android) or Focus Mode (iPhone). Either take your device out of that mode and try again, or follow the instructions in the paragraph above to authenticate with a different second factor.
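The six-digit Authenticator codes described above work without cell or wireless service because they are computed only from a secret stored in the app at enrollment and the current time. The sketch below is an added example, not WWU or Microsoft code: it assumes the standard TOTP algorithm (RFC 6238 with HMAC-SHA1) using the 30-second step and six digits stated on this page, and the secret, the function names and the one-step acceptance window are illustrative assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds each code stays current (from the page)
DIGITS = 6    # code length (from the page)

# Constructed sample secret (the RFC 6238 test key), not a real enrollment secret.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Compute the code for Unix time `now`; no network access is involved."""
    counter = struct.pack(">Q", now // step)           # 30-second time slot
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)     # keep leading zeros


def seconds_left(now: int, step: int = STEP) -> int:
    """How long the currently displayed code remains the current one."""
    return step - (now % step)


def verify(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Server-side check. Accepting +/- `window` slots tolerates clock drift
    and slow typing; the window size here is an assumption, not a WWU setting."""
    for drift in range(-window, window + 1):
        t = now + drift * STEP
        if t < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(secret, t), code):
            return True
    return False


if __name__ == "__main__":
    t = 59
    print("code:", totp(SAMPLE_SECRET, t), "valid for", seconds_left(t), "s")
    print("accepted 2 s into next slot:", verify(SAMPLE_SECRET, "287082", 61))
    print("accepted a minute later:", verify(SAMPLE_SECRET, "287082", 125))
```

A code entered just after it rolls over may still be accepted if the verifier allows an adjacent time slot, but an older code is rejected, which is why the page advises entering the most current one.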

My primary MFA authentication method is not working.

If you have configured more than one authentication method, you can “Sign in another way” from the authentication dialog box (example below).

[Image: Change sign in verification method]

I am still having problems.

Please contact the ATUS Help Desk