MFA FAQ

Multi-factor authentication (MFA) provides an extra layer of security before logging in to an online service. MFA helps ensure that you are the only person who can access your account(s), even if someone steals your password. For certain applications at CWU, you will log in using your MyCWU login information and as a second step, reconfirm your identity using a verification device of your choice, like a phone or tablet.

MFA is critical in preventing unauthorized access to personal and institutional information if your password is compromised. CWU Information Services & Security staff are working to integrate MFA into the services utilized by the Wildcat community. MFA helps prevent data breaches, because the average cost of a data breach in the United States is around $9 million USD (IBM Data Breach Report, 2022). So, implementing MFA will allow CWU to help keep your data more cybersecure.

Watch the step-by-step video or view the written step-by-step guide.

MFA is now required for all CWU community members.

• Delete the Microsoft Authenticator app, and go through the MFA setup process once again. If necessary, you can view our self-service tool, click Troubleshoot MFA, sign in without MFA, and click Reset MFA to restart the MFA setup process.
• Make sure you have updated to the latest version of the Microsoft Authenticator app.
• You can use the One-Time Password code function of the Authenticator app.

Your options for a second method include:

• A notification or code generated by the Microsoft Authenticator app.
• A phone call

The Information Services & Security department strongly recommends the use of the Microsoft Authenticator app. We have found that this is the simplest method for community members to use. When authenticating into your CWU account with MFA, you will enter the number that appears on the device you are trying to sign in to. So, when you enter your username and password, your device will present a number (example: 58). Next, you will need to type that number into the Authenticator app to complete the approval.

The Authenticator app can also generate a code that can be used if you lose cell or wireless networking services. This is ideal if you are in an area with poor or no cell coverage. If you tend to carry your smart phone, this is the preferred method.

Once enrolled in MFA, the process to authenticate is:

Enter your username@cwu.edu and password.

Authenticate with your second factor.

If you have set up the Microsoft Authenticator app, you will see a notification on your screen with a number (example: 58). Next, you will need to type that number into the Authenticator app to complete the approval.

If you have set up the Phone Call option, you will receive a phone call, and you must press the appropriate key to authenticate.

You will want to set up the Microsoft Authenticator app on your phone when traveling. The app can be used even if you lose cell and wireless networking connectivity. Every 30 seconds, the app generates a verification code. To view the code you can open the Microsoft Authenticator app, tap on your account, and view a one-time password code. When authenticating, you may have to choose the option to "sign in another way" after entering your password to be prompted to authenticate with the one-time password code. Enter the most current verification code on the sign-in screen.

If you have installed the Microsoft Authenticator app on your mobile device, you can open the application, tap on your account, and view a one-time password code. Every 30 seconds, the app generates a verification code. You can use this code just like a code sent to you with a text message. When authenticating, you may have to choose the option to "sign in another way" after entering your password to be prompted to authenticate with the one-time password code. Enter the most current verification code on the sign-in screen.

Notification:

Make sure you have notifications turned on, and make sure you are using the latest version of the Microsoft Authenticator app.

Apple:

1. Go to Settings.
2. Tap Notifications.
3. Select the Authenticator App under Notification style.
4. Choose to Allow Notifications.

Android:

1. Go to Settings.
2. Tap Notifications.
3. Select App notifications.
4. Tap the Authenticator App.
5. Choose to Allow notifications.

Phone call:

Make sure you haven't blocked the following numbers:

+1 (866) 539 4191, +1 (855) 330 8653, and +1 (877) 668 6536.

In the United States, voice calls from Microsoft come from those numbers.

Apple:

1. Go to Settings.
2. Tap Phone.
3. Select Blocked Contacts.
4. Click Edit on the top right-hand corner.
5. Tap the minus (-) sign next to the number to unblock.

Android:

1. Go to the Phone app.
2. Tap the 3 dots in the top right-hand corner.
3. Select Settings.
4. Click Block Numbers.
5. Next to the number you want to unblock, click Clear.
   1. Clear might be a minus (-) sign or an (x).

Yes. Student employees currently using MFA might be using it on an employee account. They will need to enroll in MFA through their student account as well.

View the how-to guide on managing authentication methods.

You can use your backup authentication method, if you have that set up. If that doesn't solve the problem, please contact the Service Desk via email at CWU.ServiceDesk@cwu.edu or via phone at (509) 963-2001.

If you lost your device, you should delete that device from your authentication methods. If you don't know how to delete that method, please view the how-to delete authentication method instructions.

If you don't have a backup method, and would like to add one, view the how-to guide on how to add, remove, and manage your authentication methods. And, if you lost your device and can't access your account, please contact the Service Desk via email at CWU.ServiceDesk@cwu.edu or via phone at (509) 963-2001 and we will help you.

Yes. Upon initial registration, CWU recommends that you register more than one device. When prompted, you will be able to choose which registered device you want to use to authenticate; this allows you to have multiple options if one of your devices does not function correctly.

Please note that you can add, remove, and manage your authentication methods at any time.

Yes. It is free.

Yes! The university values personal choice and recognizes the convenience of using a personal device for MFA.

Yes! Employees can use a personal device for MFA, even for university business. A personal device enables safe and convenient multi-factor authentication to systems used to conduct university business. "Bring your own device" (BYOD) is a common operational model that acknowledges trends in society toward use of personal devices for user authentication.

If you run into issues with Multi-factor Authentication, please view our decision tree. Our decision tree provides step-by-step instructions on how to troubleshoot your MFA access.

No. If you use the Microsoft Authenticator app, there will be no record on your device. All authentication records are stored in the Microsoft Azure cloud, and any information on your personal devices would be redundant.

You should contact the CWU Service Desk at (509) 963-2001 or via email at CWU.ServiceDesk@cwu.edu.

When you authenticate into your CWU account with MFA, instead of clicking the Approve notification on your smartphone, you will enter the number that appears on the device you are trying to sign in to. So, when you enter your username and password, your device will present a number (example: 58). Next, you will need to type that number into the Authenticator app to complete the approval.

Number matching will be in effect after March 8, 2023 at CWU.

Microsoft Authenticator enables app lock by default. App lock uses your phone's security features. So, in addition to unlocking one's phone, one must also unlock the Microsoft Authenticator app. For example, if you use a 4-digit pin to secure your phone, you must use that same 4-digit pin to unlock the Authenticator app.

You may disable Microsoft's Authenticator app lock by following these steps:

1. Open the Microsoft Authenticator app.
2. In the top right hand corner, select three horizontal dots.
3. Select Settings.
4. Under Security, toggle App Lock to off.

You may also view our more detailed instructions on how to disable the app lock on the Authenticator app.

If your Authenticator app displays advertisements, then you are using a third party's authenticator app. CWU strongly recommends Wildcat community members use the Microsoft Authenticator app. The Microsoft Authenticator app does not display advertisements. You may view our how-to change your MFA method guide. This guide will guide you step-by-step on how to add a different method, such as the Microsoft Authenticator app, and remove the third party authenticator app.

• MyCWU
• Canvas
• Microsoft Office products
• And several of our web-based single sign-on applications

MFA will prompt you to authenticate once every 8 days for most CWU systems. You may be prompted more frequently if you use VPN, if you use more than one computer, or if you frequently clear your browser cache.

Easily reduce the number of times you are prompted to sign in with MFA by clicking the "stay signed in" option on personal devices, or on other non-shared computers that you regularly use and trust. "Stay signed in" tells your browser to remember that you have confirmed your identity using your MFA device. If you select this option, you won't have to use your MFA device as often with that browser.

Please note: you might be prompted more frequently if you use VPN, if you use more than one computer, or if you frequently clear your browser cache.

Microsoft introduced support for number matching to its Authenticator app. The company has announced that the new security feature will be enabled by default for all Microsoft Authenticator users worldwide on May 8, 2023. Microsoft encourages institutions to enable Number Matching before the enforcement date to ensure consistent behavior for all users, hence, CWU will enforce number matching beginning on March 8, 2023.

With number matching enabled, the Microsoft Authenticator app requires users to type a number displayed on the computer screen to complete the authentication process. Microsoft notes that the feature helps to prevent accidental approvals and provides protection against multi-factor authentication fatigue attacks.

Moreover, the additional context feature enables users to view extra information while approving a sign-in request in Microsoft Authenticator. These include the name of the application being used and the login based on the device's IP address. Microsoft says that these additional details help users to understand the validity of a sign-in request.

Most attackers are interested in using your username and password to send out hundreds or thousands of phishing messages to other faculty, staff, and students in an attempt to compromise their computers and get access to sensitive information. Another very common tactic is for hackers to alter your direct deposit information so your paycheck or, if you are a student, financial aid is deposited into their account instead of yours.

The main benefit of using multi-factor authentication is a significant increase in protection of your account. If you receive a security code or push notification when you are not trying to log in to your account, you'll immediately know that someone else is attempting to do so. If this does happen, you should change your password and contact the CWU Information Services & Security department!

• Two-factor adds an extra barrier between your personal information and the malicious people.
• Two-factor can help keep attackers from accessing your email, documents, financial, personal, and health information, or research data.
• Two-factor reduces the risk of hackers using your MyCWU account to perform harmful activities.
• Two-factor helps protect CWU's systems.