Connecticut State Colleges & Universities
IT Support Center

Multi-Factor Authentication (MFA)

Multi-factor Authentication is used to confirm your identity before allowing access to a service (e.g., Protective Enclave). It increases security by requiring you to use both something you know (e.g., your NetID and password) and something you have (e.g., a work phone or mobile device) to make it more difficult for an unauthorized person to authenticate as you (i.e. they can’t get access just by knowing your password).

The services that currently use MFA for authentication are listed in the menu on the right.  

The CSCU System Office uses Microsoft's Multi-Factor Authentication Server which currently supports the following types of authentication methods:

  • Phone Call - Calls you at a pre-defined phone number, requiring you to enter your predefined PIN on the phone keypad
  • Text Message - Sends a text message to a pre-defined phone number with an authorization code, requiring you to reply to the text message with the code and your predefined PIN
  • Mobile App - Uses the Microsoft Authenticator App (Windows Phone, Android, and iOS only)

This page has the following sections:

  • Checking your MFA method - this section will walk you through how to check what MFA method you are configured to use.
  • Setting up your MFA Account - this section guides you through the one-time setup procedure so you can begin to use MFA to authenticate for any service that uses MFA to authentication (i.g. Protective Enclave)
  • Changing your MFA Settings - this section helps you when you want to make changes to your existing MFA account (i.e. change method, phone, PIN, etc.)
If you have questions on setting up or changing your MFA settings, check out the FAQ.

Checking your MFA method

If you are unsure of what MFA method you selected (phone, text of mobile app) simply logging into MFA User Portal (https://mfa.ct.edu) will use the MFA method currently selected. After you enter your username/password and click Log In, it will be waiting for you to authenticate using your MFA method (phone, text or mobile app), so your phone will ring, you will get a text or your mobile app will notify you awaiting authentication:

NOTE: If you have not yet setup your MFA account, after you enter your username/password, you will be logged in. You'd then need to follow the steps outlined in the Setting up your MFA Settings section.

Once logged into the MFA user portal, if you wish to change your MFA method, security questions or PIN, follow the steps outlined in the Changing Your MFA Settings section.

Setting Up Your MFA Account

The following procedure will guide you through the one-time MFA account configuration steps. Once you have configured your MFA settings following the steps below, the authentication method you choose (phone call, text message, mobile app) will be used when you attempt to login to a service that uses MFA for authentication (e.g. Protective Enclave). You cannot login to a service that uses MFA without first configuring your MFA settings.

At any time you can change your MFA settings if you decide later that you'd rather authenticate using one of the other methods or if you've forgotten your PIN.

You will be selecting and then configuring one of the authentication methods that you want to use (i.e. Phone, Text or app) followed by selecting and entering your Security Question information.

  1. You will know your account is ready to be configured when you receive an email from CSCU-Authentication letting you know that you need to complete the MFA setup.
  2. After receiving the automated e-mail, you will need to access the MFA User Portal:

    https://mfa.ct.edu

    You only need to go to the MFA User Portal to setup or change your authentication settings. After you've initially completed the setup of your MFA account, you will login directly to the service you want to access (e.g., Protective Enclave) and it will use your MFA settings to authenticate that it is you logging in.

  3. Enter the following information, then click Log On:

    • Username: Enter your NetID (e.g. 98765432@xxx.commnet.edu). ( What is my NetID?)
    • Password: Dots (), rather than your password, are displayed on screen as you type to conceal your password from others.


  4. Use the Method dropdown to select the authentication method you'd like to configure for MFA:

    Then

    The available methods are as follows (click the link for further instructions on using that method):

    • Phone Call - Calls you at a pre-defined phone number, requiring you to enter your predefined PIN on the phone keypad
    • Text Message - Sends a text message to a pre-defined phone number with an authorization code, requiring you to reply to the text message with the code and your predefined PIN
    • Mobile App - Uses the Microsoft Authenticator App (Windows Phone, Android, or iOS only)

    Phone Call

    If you select the Phone Call method, you are setting up your MFA authentication to call you when you want to authenticate.  It is recommended to use a mobile phone that you always have with you, so you can authenticate no matter where you are located. You will need to be able to access the phone during configuration. You will also enter a backup phone number that will be used if the first phone number is not answered or goes to voicemail.

    1. In the Phone text box, type in a primary and a backup phone number (including area code) that you would like the Microsoft authentication servers to call you on. In the PIN and Confirm PIN text boxes, type in a PIN of your choice which will be asked of you during the authentication process, then click Call Me Now to Authenticate:

    2. Within 30 seconds of clicking "Call Me Now to Authenticate", you will receive an automated phone call from Microsoft's authentication servers.  You will then be asked to enter your PIN followed by the # key to complete the authentication process.
    3. Continue to Completing the Setup Process to configure your security questions and answers.
    4. If you do not configure your security questions and answers, the setup of MFA will not be complete and you will need to complete your setup again.

    Text Message

    When you select the Text Message method, you are setting up your MFA authentication to text you when you want to authenticate.  It is recommended to use a mobile phone that you always have with you, so you can authenticate no matter where you are located. You will need to be able to access the text message during configuration. NOTE: For the purpose of this document, the iOS platform will be used as an example.

    1. In the Phone text box, type in the phone number (including area code) of a mobile device that is capable of receiving text messages (text message rates apply) that you would like the Microsoft authentication servers to send the text message to. In the PIN and Confirm PIN text boxes, type in a 4 digit PIN of your choice which will be asked of you during the authentication process, then click Text Me Now to Authenticate:

    2. Within 30 seconds, you will receive a text message from Microsoft's authentication servers (the phone number will not be the same each time) with a one-time use verification code, similar to what is shown below. Reply to the text with the code you received followed by your PIN.

    3. NOTE: You can enter the code followed by the PIN with no spaces in between or with a space or a + in between as well. For example all these are acceptable (9522086756 or 952208 6756 or 952208+6756 )

    4. Since this passcode is used only once, once you've replied, you do not need to save the text message. The next time you authenticate using MFA, you will receive a different passcode that you will need to reply to in order to authenticate. NOTE: You will also see the name of the service you are requesting access to also displayed in the text message. The above text was sent in response to a login attempt on the MFA User Portal. When you login to the Protective Enclave, you will see "Reply with this code + your PIN for Netscaler PE SNIP verification" indicating it is for access to the Protective Enclave.

    5. Continue to Completing the Setup Process to configure your security questions and answers.
    6. If you do not configure your security questions and answers, the setup of MFA will not be complete and you will need to complete your setup again.

    Mobile App

    When you select the Mobile App method, you are setting up your MFA authentication to use the Microsoft Authenticator app when you want to authenticate.  In order to use this method, you must first have the Microsoft Authenticator app for Windows Phone, Android, or iOS installed on your mobile device and enabled for push notifications.

    IMPORTANT NOTE:  There are a variety of "authenticator" apps (e.g., Google Authenticator).  You must use the Microsoft Authenticator app to authenticate.

    You can download the Microsoft Authenticator app by clicking the link below and selecting the appropriate operating system for your mobile device:

    https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to#install-the-app

    For the purpose of this document, the iOS platform will be used as an example.

    1. Once you have the Microsoft Authenticator app installed, open the Microsoft Authenticator app on your mobile device.  The first time you open the app, you may be prompted with "Authenticator" Would Like to Send You Notifications, similar to what is shown below:


      If prompted, tap Allow; otherwise, tap the plus (+) symbol or Add account. NOTE: You may have other accounts configured that you use Microsoft Authenticator app to authenticate with that will be listed or the list may be empty if this is the first time using the Microsoft Authenticator app:

    2. Tap the Work or school account option:



      The QR code scanner will launch on the app.  The first time you open the app, you may be prompted with "Authenticator" Would Like to Access the Camera, tap OK as you will need to scan the QR code using your mobile phone's camera:



    3. On the Multi-Factor Authentication User Setup screen, click Generate Activation Code:

    4. You will be presented with an activation code (QR Code) and URL as shown below:

    5. Scan the QR code using the Microsoft Authenticator app from your mobile device. It doesn't have to be exactly lined up in the green square, the app will be able to recognize the QR code and will add the account:

    6. Once scanned and the code is accepted, the account will be added to the list of accounts:

    7. In the PIN and Confirm PIN text boxes, type in a 4 digit PIN of your choice which will be asked of you during the authentication process on your mobile device and click Authenticate Me Now:

    8. Within 30 seconds, your Microsoft Authenticator app will prompt you to Approve sign-in.  Type in the PIN you selected from the previous step and tap Approve:


      NOTE: If the Microsoft Authenticator app didn't prompt you to approve, be sure that you have allowed push notifications from the Microsoft Authenticator app on your mobile device.

      If using an iOS device with Touch ID enabled, you may see that Touch ID Set Up was automatically done for you so you can use your fingerprint to authenticate instead of the PIN,  tap OK:


    9. Continue to Completing the Setup Process to configure your security questions and answers.
    10. If you do not configure your security questions and answers, the setup of MFA will not be complete and you will need to complete your setup again and may need to delete the account you just created in the Microsoft Authenticator app and start again by rescanning another QR code.

Completing the Setup Process
  1. Select and complete your security questions and answers and click Continue:

  2. Once you have completed your questions and answers, you will be taken to the Welcome screen:



  3. Before logging out of the MFA User Portal, it is strongly recommended that you add a phone number as a backup method of authenticating if your primary method is unavailable by following the instructions for Changing Phone.  If your primary method is Phone Call, you may enter a BACKUP Phone Number that will be used if you cannot be reached on the primary phone number.

Changing Your MFA Settings

The following procedures will guide you through changing any of the following MFA settings on your account:

Changing the Authentication Method

The following procedure will guide you through changing the authentication method associated with your MFA account.  Perform the following steps to change your current method:

  1. From the navigation menu on the left side of the window, select Change Method:

  2. Click the Method dropdown and select the method you'd prefer to use for MFA (see figures below):

    Selecting MFA Method

    Then


    The available methods are as follows:

    • Phone Call - Calls you at a pre-defined phone number, requiring you to enter an expected response on the phone keypad
    • Text Message - Sends a text message to a pre-defined phone number with an authorization code, requiring you to reply to the text message
    • Mobile App - Uses the Microsoft Authenticator App (Windows Phone, Android, or iOS only)

  3. Click Save:


    Once your method has been saved, you will see a message similar to what's shown below:


    If you received the above message, your method has been changed and that method will now be used when authenticating using MFA.  You may Log Off.

    NOTE: If you receive any of the following error messages after clicking Save, click the link next to the error message to correct the issue and then repeat that procedure:

    Phone Call - You must specify a phone number for your account before you can change your method to Phone Call.  Click the Change Phone link in the navigation menu to specify a phone number. - Instructions for Changing Phone

    Text Message - You must specify a phone number for your account before you can change your method to Text Message.  Click the Change Phone link in the navigation menu to specify a phone number. - Instructions for Changing Phone

    Mobile App - You must activate the Microsoft Authenticator mobile app before you can change your method to Mobile App.  Click the Activate Mobile App link in the navigation menu to begin your activation. - Instructions to Activate Mobile App
Changing or Adding a Phone number

The following procedure will guide you through changing the phone number(s) associated with your MFA account or adding a Backup phone number:

  1. From the navigation menu on the left side of the window, select Change Phone:

    Change Phone
  2. Depending on your current MFA method, you will have a choice to enter one or two phone numbers:

    Text Message or Mobile App Method:

    Phone Call Method:

    In the New Phone Number text box(es), type in the phone number(s) (including area code) that you would like the Microsoft authentication servers to call or text you on and click Save.
  3. Once your Phone has been changed, you will see a message similar to what's shown below:

    Change Phone Success
  4. That completes the procedure for changing the phone number(s) associated with your MFA account.
Changing your PIN

The following procedure will guide you through changing the PIN used when authenticating with your MFA account:

  1. From the navigation menu on the left side of the window, select Change PIN:

  2. In the New PIN and Confirm PIN text boxes, type in a 4 digit PIN of your choice which will be asked of you during the authentication process on your mobile device and click Save. You will not be able to see your old PIN, but can set a new PIN to use:

  3. Once your PIN has been changed, you will see a message similar to what's shown below:

  4. That completes the procedure for changing the PIN associated with your MFA account.
Activating the Mobile App

Before you can select the Mobile App method, you must first activate the mobile app with your mobile device.  When using the Mobile App method, you will receive a push notification from the Microsoft Authenticator app to approve your authentication.  In order to use this method, you must first have the Microsoft Authenticator app for Windows Phone, Android, or iOS installed on your mobile device and enabled for push notifications.

IMPORTANT NOTE:  There are a variety of "authenticator" apps (e.g., Google Authenticator).  You must use the Microsoft Authenticator app to authenticate.

You can download the Microsoft Authenticator app by clicking the link below and selecting the appropriate operating system for your mobile device:

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to#install-the-app

For the purpose of this document, the iOS platform will be used as an example.

The following procedure will guide you through the steps to Activate Mobile App and PIN associated with your MFA account:

  1. Once you have the Microsoft Authenticator app installed, from the navigation menu on the left side of the window, select Activate Mobile App:

  2. Open the Microsoft Authenticator app on your mobile device.  The first time you open the app, you may be prompted with "Authenticator" Would Like to Send You Notifications, similar to what is shown below:


    If prompted, tap Allow; otherwise, tap the plus (+) symbol or Add account. NOTE: You may have other accounts configured that you use Microsoft Authenticator app to authenticate with that will be listed or the list may be empty if this is the first time using the Microsoft Authenticator app:


  3. Tap the Work or school account option:



    The QR code scanner will launch on the app.  The first time you open the app, you may be prompted with "Authenticator" Would Like to Access the Camera, tap OK as you will need to scan the QR code using your mobile phone's camera:



  4. On the My Account: Activate Mobile App screen, click Generate Activation Code:

  5. You will be presented with an activation (QR) code and URL as shown below:

  6. Scan the QR code using the Microsoft Authenticator app from your mobile device. It doesn't have to be exactly lined up in the green square, the app will be able to recognize the QR code and will add the account:

  7. Once scanned and the code is accepted, the account will be added to the list of accounts:

  8. Your Mobile App is now activated on your mobile device.  Before you will be able to authenticate using the Mobile App method, you will also need to make sure you have a PIN set.  Please following the instructions for Changing PIN before logging off.