Multi-Factor Authentication (MFA) is another level of protection to your account on top of your password. This can be a notification sent to a personal device (notification to Microsoft Authenticator App, SMS or phone call) or to a personal account (email) to confirm it is in fact yourself logging in. Imperial uses MFA when logging in to Office 365 applications.
Why Use MFA?
MFA adds an extra layer of protection to your account. This means if your account is compromised and your details are shared, it will be even more difficult to gain access to the account. This protects yourself and the College's data.
Configuring MFA
After MFA has been enabled on your account you will need to configure the options that best suit you the first time you logon to Office 365. MFA requires you to use a personal device that you will have on-hand with you; we recommend you download the Microsoft Authenticator app to your phone. Use the below instructions to set up MFA on your account.
- On your phone, visit the App Store (iPhone) or Play Store (Android) to download and install the Microsoft Authenticator app. Ensure that you allow it to use your camera and send notifications when it prompts you.
- On your computer, go to your MySign-Ins Microsoft account page
- Click Add method.
- On the Add a method window, ensure Authenticator app is selected from the list, and click Add.
- On the Start by getting the app window, click Next.
- On the Set up your account window, click Next.
- On your phone, open the Authenticator app. If you’re asked for an unlock code, that’s your phone’s PIN (it may alternatively require your fingerprint or retina scan if you’ve set up either of those methods on your phone).
- Click the menu button (three dots) and then Add account.
- Click Work or school account.
- Click Scan a QR code. If the app asks for permission to use your camera, click Allow.
- The app should then open a QR code scanner. Point your camera at the QR code on your computer screen.
- Click Next on the computer.
- Click Enable phone sign-in or Approve on your phone. You may also need to unlock the app using your phone’s PIN, your fingerprint or retina scan.
- Click Next on your computer.
- Click Set default sign-in method, or Change if there’s already one set.
- Select Microsoft Authenticator – notification from the list, and click Confirm.
In case you are unable to access your mobile phone for some reason (e.g. your phone has run out of battery or you have lost your phone), make sure you set up a secondary method. Learn how to set up a secondary method from the FAQs below.
The Microsoft help web pages also offer in-depth instructions on how to use Microsoft Authenticator with Microsoft 365.
MFA enhancements February 2023
From 27 February 2023 Microsoft is implementing new mechanisms to enhance MFA and defend against potential attackers. These include:
- When you approve a request, you will now know which application prompted for the MFA challenge.
- You will be advised on the rough location of where the request came from.
- Number matching (pictured below) has been introduced to defend against an MFA fatigue attack.
Frequently asked questions
- Who can use MFA?
- Do I have to use MFA each time I login?
- Does MFA work in my country?
- Does MFA work over Wi-Fi?
- How do I add a second multi factor method?
- I can't add MFA to my iOS mail client?
- I use my phone to check my emails, will MFA affect this?
- I'm currently abroad, will I be charged to use MFA?
- Is there an alternative to using a phone?
- I’ve received an unexpected text message or an App notification
- Preventing MFA prompts during important meetings/lectures
- What if I change my phone?
- What if I lose my phone?
- Why am I being asked to enter a number to complete an MFA transaction?
- Why isn't location data provided by the Microsoft Authenticator App accurate?
MFA can be set up for all Imperial accounts.
For most applications that people connect to they will have the option to trust this device for 30 days and will therefore not be constantly prompted to MFA. However, some systems require additional security and therefore will prompt every time.
The MFA service we are using is provided by Microsoft - so if Office365 (email, teams, SharePoint etc.) is available in your country, so should the authentication service. Find out more about Microsoft's availability regions.
MFA does work in China, however, there are some limitations if you are using the Android App as not all Google Services are available in China - Find out more.
Yes, the Microsoft Authenticator App works on both Wi-Fi and mobile connections.
- Please go to Microsoft Sign-ins security page
- Select "Add method" at the top of the options box.
- You can then choose from a selection of methods.
- see screen shot below for guidance:
Please delete your existing Imperial College account from you iOS mail client and start again.
Most email applications provide support for MFA so users will be prompted to MFA every 30 days.
Linux users: Thunderbird v78 or higher supports MFA.
Apple users: iOS 11, iPadOS 13.1 and macOS 10.14 and above native mail client supports MFA.
We advise everyone to use the Microsoft Authenticator App. You may be charged to use mobile data whilst roaming – please check with your provider.
If roaming data charges apply, you can use one of the rotating passwords within the application to verify yourself. There will be no charge associated with this.
Hardware tokens are available and can be requested by completing this form.
Please decline the app notification (select "No It's Not Me)/do not respond to the text message and contact the ICT Service Desk who can investigate further.
Using the Microsoft Authenticator App makes dealing with MFA prompts quick and simple there may be times when you do not want the disruption of the MFA prompt. You can force the MFA prompt early on the device by following the below instructions:
Go to My Sign-Ins
It will either prompt you to re-authenticate using MFA or not, make sure you tick the "do not prompt for x days" box
If not then near the bottom click on Sign out everywhere then go to My Sign-Ins (microsoft.com) https://mysignins.microsoft.com/security-info again and it should prompt you for MFA. make sure you tick the "do not prompt for x days" box
If you get a new phone then you will need to migrate the Authenticator App to your new device.
Please contact the Service Desk. You can also set up a second device in case this happens.
The use of MFA has drastically reduced the number of compromised accounts within the College, however malicious actors have adapted and are now using a new attack (MFA fatigue), which means individuals could repeatedly receive approval notifications.
Unfortunately, sometimes people believe that this is a system error/issue so approve the request which grants a third-party access to their account. Number matching helps to defend against this type of attack.
The location data from the app isn't always accurate, particularly if you are using a mobile network or using a Virtual Private Network (VPN).
If you are ever in doubt, based on the location provided, please select the "No It's Not Me" button and contact the ICT Service Desk.