Connecticut State Colleges & Universities

Connecticut State Colleges & Universities
IT Support Center

Multi-Factor Authentication (MFA)

Text Message option no longer supported

We stopped supporting the Text Message option to authenticate to the Protective Enclave. If you had the Text Message option and cannot login now, you will need to contact us.

Multi-factor Authentication is used to confirm your identity before allowing access to a service (e.g., Protective Enclave). It increases security by requiring you to use both something you know (e.g., your NetID and password) and something you have (e.g., a work phone or mobile device) to make it more difficult for an unauthorized person to authenticate as you (i.e. they can't get access just by knowing your password).

The services that currently use MFA for authentication are listed in the menu on the right.  

The CSCU System Office uses Microsoft's Multi-Factor Authentication Server which currently supports the following types of authentication methods:

  • Phone Call - Calls you at a pre-defined phone number, requiring you to enter your predefined PIN on the phone keypad
  • *** Text Message (End of support date: 4/9/2021) - Sends a text message to a pre-defined phone number with an authorization code, requiring you to reply to the text message with the code and your predefined PIN. NOTE: If you are still using this method, you need to change it to use the Phone Call or Mobile App method before 4/9/2021 or you will not be able to authenticate.
  • Mobile App - Uses the Microsoft Authenticator App (Windows Phone, Android, and iOS only)

This page has the following sections:

  • Checking your MFA method - this section will walk you through how to check what MFA method you are configured to use.
  • Setting up your MFA Account - this section guides you through the one-time setup procedure so you can begin to use MFA to authenticate for any service that uses MFA to authentication (i.g. Protective Enclave)
  • Changing your MFA Settings - this section helps you when you want to make changes to your existing MFA account (i.e. change method, phone, PIN, etc.)
If you have questions on setting up or changing your MFA settings, check out the FAQ.

Checking your MFA method

If you are unsure of what MFA method you selected (phone, text or mobile app) simply logging into MFA User Portal (https://mfa.ct.edu) will use the MFA method currently selected. After you enter your username/password and click Log In, it will be waiting for you to authenticate using your MFA method (phone, text or mobile app), so your phone will ring, you will get a text or your mobile app will notify you awaiting authentication:

NOTE: If you have not yet setup your MFA account, after you enter your username/password, you will be logged in. You'd then need to follow the steps outlined in the Setting up your MFA Settings section.

Once logged into the MFA user portal, if you wish to change your MFA method or security questions, follow the steps outlined in the Changing Your MFA Settings section. This is where you will need to change from the Text Message method to the Phone Call or Mobile App method if you are still using the Text Message method by April 9, 2021.

Setting Up Your MFA Account

We highly suggest you first setup your account using the "phone call" method - even if you want to use the mobile app method. This allows you to configure a backup phone number and your security questions easily. Then, if you wish to use the mobile app method after you have MFA setup to use the phone call method, change your MFA settings to use another method.

The following procedure will guide you through the one-time MFA account configuration steps. Once you have configured your MFA settings following the steps below, the authentication method you choose (phone call or mobile app) will be used when you attempt to login to a service that uses MFA for authentication (e.g. Protective Enclave). You cannot login to a service that uses MFA without first configuring your MFA settings.

At any time you can change your MFA settings if you decide later that you'd rather authenticate using the other method or if you've forgotten your PIN or don't have your device with you (e.g. you forgot your mobile device at home and need to change your MFA setting so you can authenticate).

You will be selecting and then configuring one of the authentication methods that you want to use (i.e. Phone or Mobile app) followed by selecting and entering your Security Question information.

  1. You will know your account is ready to be configured when you receive an email from CSCU-Authentication letting you know that you need to complete the MFA setup.

  2. After receiving the automated e-mail, you will need to access the MFA User Portal:

    https://mfa.ct.edu

    You only need to go to the MFA User Portal to setup or change your authentication settings. After you've initially completed the setup of your MFA account, you will login directly to the service you want to access (e.g., Protective Enclave) and it will use your MFA settings to authenticate that it is you logging in.

  3. Enter the following information, then click Log On:

    • Username: Enter your NetID (e.g. 98765432@xxx.commnet.edu). ( What is my NetID?)
    • Password: Dots (), rather than your password, are displayed on screen as you type to conceal your password from others.


  4. Use the Method dropdown to select the authentication method you'd like to configure for MFA:

     

    The available methods are as follows (click the link for further instructions on using that method):

    • Phone Call - Calls you at a pre-defined phone number, requiring you to enter your predefined PIN on the phone keypad.
    • Mobile App - Uses the Microsoft Authenticator App (Windows Phone, Android, or iOS only)

    Phone Call

    If you select the Phone Call method, you are setting up your MFA authentication to call you when you want to authenticate.  It is recommended to use a mobile phone that you always have with you, so you can authenticate no matter where you are located. You will need to be able to access the phone during configuration. You will also enter a backup phone number that will be used if the first phone number is not answered or goes to voicemail.

    1. In the Phone text box, type in a primary and a backup phone number (including area code) that you would like the Microsoft authentication servers to call you on. In the PIN and Confirm PIN text boxes, type in a PIN of your choice which will be asked of you during the authentication process, then click Call Me Now to Authenticate:

    2. Within 30 seconds of clicking "Call Me Now to Authenticate", you will receive an automated phone call from Microsoft's authentication servers.  You will then be asked to enter your PIN followed by the # key to complete the authentication process.
    3. Continue to Completing the Setup Process to configure your security questions and answers.
      4. If you do not configure your security questions and answers, the setup of MFA will not be complete and you will need to complete your setup again.

    Text Message

    This option is no longer available to be selected.

    Mobile App

    When you select the Mobile App method, you are setting up your MFA authentication to use the Microsoft Authenticator app when you want to authenticate.  In order to use this method, you must first have the Microsoft Authenticator app for Windows Phone, Android, or iOS installed on your mobile device and enabled for push notifications.

    IMPORTANT NOTE:  There are a variety of "authenticator" apps (e.g., Google Authenticator).  You must use the Microsoft Authenticator app to authenticate.

    You can download the Microsoft Authenticator app by clicking the link below and selecting the appropriate operating system for your mobile device:

    https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to#install-the-app

    For the purpose of this document, the iOS platform will be used as an example.

    1. Once you have the Microsoft Authenticator app installed, open the Microsoft Authenticator app on your mobile device.  The first time you open the app, you may be prompted with "Authenticator" Would Like to Send You Notifications, similar to what is shown below:


      If prompted, tap Allow; otherwise, tap the plus (+) symbol or Add account. NOTE: You may have other accounts configured that you use Microsoft Authenticator app to authenticate with that will be listed or the list may be empty if this is the first time using the Microsoft Authenticator app:

    2. Tap the Work or school account option:



      The QR code scanner will launch on the app.  The first time you open the app, you may be prompted with "Authenticator" Would Like to Access the Camera, tap OK as you will need to scan the QR code using your mobile phone's camera:



    3. On the Multi-Factor Authentication User Setup screen, click Generate Activation Code:

    4. You will be presented with an activation code (QR Code) and URL as shown below:

    5. Scan the QR code using the Microsoft Authenticator app from your mobile device. It doesn't have to be exactly lined up in the green square, the app will be able to recognize the QR code and will add the account:

    6. Once scanned and the code is accepted, the account will be added to the list of accounts:

    7. In the PIN and Confirm PIN text boxes, type in a 4 digit PIN of your choice which will be asked of you during the authentication process on your mobile device and click Authenticate Me Now:

    8. Within 30 seconds, your Microsoft Authenticator app will prompt you to Approve sign-in.  Type in the PIN you selected from the previous step and tap Approve:


      NOTE: If the Microsoft Authenticator app didn't prompt you to approve, be sure that you have allowed push notifications from the Microsoft Authenticator app on your mobile device.

      If using an iOS device with Touch ID enabled, you may see that Touch ID Set Up was automatically done for you so you can use your fingerprint to authenticate instead of the PIN,  tap OK:


    9. Continue to Completing the Setup Process to configure your security questions and answers.
      10. If you do not configure your security questions and answers, the setup of MFA will not be complete and you will need to complete your setup again and may need to delete the account you just created in the Microsoft Authenticator app and start again by rescanning another QR code.

Completing the Setup Process
  1. Select and complete your security questions and answers and click Continue:

  2. Once you have completed your questions and answers, you will be taken to the Welcome screen:



  3. Before logging out of the MFA User Portal, it is strongly recommended that you add a phone number as a backup method of authenticating if your primary method is unavailable by following the instructions for Changing Phone.  If your primary method is Phone Call, you may enter a BACKUP Phone Number that will be used if you cannot be reached on the primary phone number.

Changing Your MFA Settings

The following procedures will guide you through changing any of the following MFA settings on your account:

Changing the Authentication Method

The following procedure will guide you through changing the authentication method associated with your MFA account.  Perform the following steps to change your current method:

  1. First, log into MFA User Portal (https://mfa.ct.edu)
  2. From the navigation menu on the left side of the window, select Change Method:

  3. Click the Method dropdown and select the method you'd prefer to use for MFA (see figures below):

    First you will see the method you currently have selected, click the drop down arrow:

    Then select either Phone Call or Mobile App:


    The available methods are as follows:

    • Phone Call - Calls you at a pre-defined phone number, requiring you to enter an expected response on the phone keypad
    • Mobile App - Uses the Microsoft Authenticator App (Windows Phone, Android, or iOS only)

  4. Click Save:


    Once your method has been saved, you will see a message similar to what's shown below:


    If you received the above message, your method has been changed and that method will now be used when authenticating using MFA.  You may Log Off.

    NOTE: If you receive any of the following error messages after clicking Save, click the link next to the error message to correct the issue and then repeat that procedure:

    Phone Call - You must specify a phone number for your account before you can change your method to Phone Call.  Click the Change Phone link in the navigation menu to specify a phone number. - Instructions for Changing Phone

    Mobile App - You must activate the Microsoft Authenticator mobile app before you can change your method to Mobile App.  Click the Activate Mobile App link in the navigation menu to begin your activation. - Instructions to Activate Mobile App
Changing or Adding a Phone number

The following procedure will guide you through changing the phone number(s) associated with your MFA account or adding a Backup phone number:

  1. First, log into MFA User Portal (https://mfa.ct.edu)
  2. From the navigation menu on the left side of the window, select Change Phone:

    Change Phone
  3. Depending on your current MFA method, you will have a choice to enter one or two phone numbers:

    Mobile App Method:

    Phone Call Method:

    In the New Phone Number text box(es), type in the phone number(s) (including area code) that you would like the Microsoft authentication servers to call or text you on and click Save.
  4. Once your Phone has been changed, you will see a message similar to what's shown below:

    Change Phone Success
  5. That completes the procedure for changing the phone number(s) associated with your MFA account.
Changing your PIN

The following procedure will guide you through changing the PIN used when authenticating with your MFA account:

  1. First, log into MFA User Portal (https://mfa.ct.edu)
  2. From the navigation menu on the left side of the window, select Change PIN:
  3. In the New PIN and Confirm PIN text boxes, type in a 4 digit PIN of your choice which will be asked of you during the authentication process on your mobile device and click Save. You will not be able to see your old PIN, but can set a new PIN to use:

  4. Once your PIN has been changed, you will see a message similar to what's shown below:
  5. That completes the procedure for changing the PIN associated with your MFA account.
Activating the Mobile App

Before you can select the Mobile App method, you must first activate the mobile app with your mobile device.  When using the Mobile App method, you will receive a push notification from the Microsoft Authenticator app to approve your authentication.  In order to use this method, you must first have the Microsoft Authenticator app for Windows Phone, Android, or iOS installed on your mobile device and enabled for push notifications.

IMPORTANT NOTE:  There are a variety of "authenticator" apps (e.g., Google Authenticator).  You must use the Microsoft Authenticator app to authenticate.

You can download the Microsoft Authenticator app by clicking the link below and selecting the appropriate operating system for your mobile device:

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to#install-the-app

For the purpose of this document, the iOS platform will be used as an example.

The following procedure will guide you through the steps to Activate Mobile App and PIN associated with your MFA account:

  1. First, log into MFA User Portal (https://mfa.ct.edu)
  2. Once you have the Microsoft Authenticator app installed, from the navigation menu on the left side of the window, select Activate Mobile App:
  3. Open the Microsoft Authenticator app on your mobile device.  The first time you open the app, you may be prompted with "Authenticator" Would Like to Send You Notifications, similar to what is shown below:


    If prompted, tap Allow; otherwise, tap the plus (+) symbol or Add account. NOTE: You may have other accounts configured that you use Microsoft Authenticator app to authenticate with that will be listed or the list may be empty if this is the first time using the Microsoft Authenticator app:


  4. Tap the Work or school account option:



    The QR code scanner will launch on the app.  The first time you open the app, you may be prompted with "Authenticator" Would Like to Access the Camera, tap OK as you will need to scan the QR code using your mobile phone's camera:



  5. On the My Account: Activate Mobile App screen, click Generate Activation Code:

  6. You will be presented with an activation (QR) code and URL as shown below:

  7. Scan the QR code using the Microsoft Authenticator app from your mobile device. It doesn't have to be exactly lined up in the green square, the app will be able to recognize the QR code and will add the account:

  8. Once scanned and the code is accepted, the account will be added to the list of accounts:

  9. Your Mobile App is now activated on your mobile device.  Before you will be able to authenticate using the Mobile App method, you will also need to make sure you have a PIN set.  Please following the instructions for Changing PIN before logging off.
  View a printer-friendly version