The following questions and answers pertain to Multifactor Authentication as it is implemented in our environment.  

 

What is Multifactor Authentication?

Multifactor Authentication (MFA) is more secure than just a password because it relies on more than one form of authentication. There are three authentication types: something you know, something you have with you, and something you are. The something you know could be a password, passphrase, or PIN. The something you have could be a phone or security card. Something you are is also referred to as biometric authentication, such as a fingerprint. The standard authentication methods used at our company are a password and the Microsoft Authenticator app installed on a smartphone. The Microsoft Authenticator app is configured with phishing-resistant MFA technology that prevents a lot of modern credential theft attacks.


Why do we need MFA?

MFA can help to stop malicious hackers from authenticating as you because they will need more than just your password. Some attacks, such as password spray, have no defense other than ensuring MFA is enabled on accounts. MFA is also required by most cybersecurity compliance standards, including those mandated by our federal clients.


How will this impact my productivity?

Your IT department has attempted to minimize the number of authentication prompts required. The average employee should only expect a 2nd authentication prompt when risk is high, such as when connecting from an unsecured network or when authenticating to a new device for the first time.


How do I enable MFA on my account?

Use the following link to register for MFA:  https://aka.ms/mfasetup

Follow the prompts to complete MFA registration.  If you have not associated an authentication app with your work account, you may be prompted to install and register one on your smartphone.  


Why do some email apps not work?

Our MFA solution only works with applications (apps) that use modern authentication.  Some Android phones come with a default email app that does not use modern authentication and therefore will not work.  The best thing to do is download and use a compatible application like the Outlook app.   


What should I do if I replace the device where my authentication application was installed?

While most smartphones have some ability to automatically install apps that existed on your old phone, they will be missing configuration data. Authenticator apps use this stored data to work properly. There are two options to fix the Authenticator app on the new device. The first option is to delete the existing (non-working) accounts listed in the Authenticator app and then complete a new authentication registration. This is the cleanest option with the best potential to work on the first try. The second option is to restore data backed up from your old device. Instructions for restoring the data may be found here:  Back up and recover account credentials in the Authenticator app - Microsoft Support

 

My smartphone has an authenticator app installed.  Is that all I need to use MFA?

It isn't enough to have an authenticator app installed on your smartphone. You also need to take 2 additional steps. The first is to add your account to the authenticator app, and the second is to have the app verify to the cloud-hosted authentication service that the app is correctly configured. When you use https://aka.ms/mfasetup and follow all of the instructions, you will have completed all of the needed steps. If you stop after adding the account to the authenticator app and don't complete the verification, the authenticator app will not work as a 2nd authentication factor.


Related KBs

How Multifactor Authentication Is Applied To Accounts: https://support.leoadaly.com/a/solutions/articles/13000048514


Multifactor Authentication Troubleshooting:  https://support.leoadaly.com/a/solutions/articles/13000034646


Zscaler Troubleshooting:  https://support.leoadaly.com/support/solutions/articles/13000059859


Authentication Overview:  https://support.leoadaly.com/a/solutions/articles/13000063801