FAQs about Upcoming MFA Changes

The University of Baltimore Office of Technology Services (OTS) is introducing changes to our multi-factor authentication (MFA) process and requirements for accessing UBalt systems via single sign-on.

These changes include:

• Faculty, staff and student workers who are already performing MFA will be required to use Microsoft’s MFA tools instead of Duo.
• Students who are not currently performing MFA will be required to do so, also using Microsoft’s MFA tools.

FAQS:

• What is multi-factor authentication?
  • Multi-Factor authentication (MFA) is a security measure that requires users to provide more than one factor to access an account or application. MFA is a more secure way to verify user identity than a simple username and password. It can help prevent unauthorized access to accounts even if a password has been compromised. MFA has been adopted by several industries. You likely already perform MFA when accessing your banking accounts, healthcare accounts, even email and social media accounts.
     
• Why is UBalt making these changes?
  • First and foremost, these changes will improve our overall security posture and provide increased protection of UBalt’s technology environment. Microsoft’s MFA tools provide more advanced methods of authentication that can prevent fraudulent attempts to circumvent MFA, such as MFA fatigue attacks.
    
    In addition to increased security, cost savings will be provided to the University by leveraging Microsoft’s MFA capabilities, which is included as a part of UBalt’s Microsoft Azure solution.
    
    Lastly, by requiring MFA for all students, faculty and staff, UBalt will be in alignment with the University System of Maryland’s latest technology security requirements.
     
• What MFA methods will be available for users?
  • The most secure and recommended method to perform MFA will be using the Microsoft Authenticator app using number matching.  Detailed documentation on downloading the app and using the app to authenticate is available. 
    
    Physical hardware tokens that will provide a secure code for authentication will also be available by request for those who do not have smart devices or who are traveling internationally. The request process will be announced prior to the MFA change.
     
• What support will be available to help me with the changes?
  • Documentation is available to provide step-by-step instructions for registering for MFA and performing MFA. The OTS Call Center will be available to assist with any issues by submitting a ticket, by phone, or in person in BC 131.
     
• What will happen when the change goes into effect?
  • The first time you log into a UBalt system, you will receive a prompt to register for MFA, and set up your authentication methods. The screens will walk you through the set-up process step by step.
    
    After you are registered you will be prompted to perform MFA when you start a new session via single sign-on. You will only need to register one time, but you will be required to authenticate on each device you are logged into. For example, you will need to perform MFA to log in to a UBalt account on your laptop computer and to log into a UBalt account on your smart phone. 
    
    OTS recommends allotting 10 - 20 minutes to complete the registration process and to authenticate your accounts before starting any scheduled tasks (such as Teams meetings, online classes, etc). 
     
• What systems or accounts will I need to perform MFA for?
  • Any UBalt system you access using your UBalt credentials will require MFA.
     
• What can I do in advance to prepare?
  • If desired, you can download the Microsoft Authenticator app from the App Store or Google Play store on your mobile device; however, this is not necessary to do ahead of time. When the requirement goes into effect, you will receive a prompt to download the app.
     
• What if I already use the Microsoft Authenticator app for another account? 
  • Microsoft Authenticator can be linked to multiple accounts. See documentation on registering for MFA for more information. 
     
• When authenticating, what should I do if my authentication prompt times out?
  • If an MFA prompt times out, your application will display the below message: 
    You can click on 'Send another request to my Microsoft Authenticator app' or click the back button on your browser to re-send the prompt. 
     
• How can I manage my authentication methods? 
  • If you get a new device or need to re-register MFA, visit myaccount.microsoft.com and log in with your UBalt credentials. Under Security Info click on Update Info:
    Your authentication methods will be listed. To delete a method, select 'Delete'. To add a method, select 'Add sign-in method' and select 'Authenticator app' and select 'Add' You will be prompted to get the Microsoft Authenticator app and register your device. 
    
    If no MFA methods are configured, you will be prompted to register for MFA the next time you log in with your UBalt credentials. 
     
• I am planning on switching to a new device. What should I do? 
  • If you have both devices, follow the steps outlined in the question above, deleting your old device and adding your new device. If desired, you can transfer your Microsoft Authenticator settings to your iCloud or Android Cloud Backup to be transferred to your new device. You may be prompted to re-register your device the next time you are prompted to perform MFA. See Microsoft's documentation: Back up account credentials in Microsoft Authenticator.
     
• What if I lose my device? 
  • If you lose the device registered for MFA, contact the OTS Call Center to be signed out of all devices and to reset your MFA registration for a new device. You can also sign yourself out by visiting myaccount.microsoft.com.
    
    Under Security Info click on Update Info:
    Select 'Sign out everywhere'. This will sign your account out of all sessions and all devices including your current session.
    You will still need to contact the OTS Call Center to reset your MFA settings.