Why Multi-Factor Authentication?
Online accounts are frequent targets of attack, and attackers obtain or guess passwords in many ways, some obvious and some sneakier. But the fact is, a password, which is commonly used to access your email account and online file storage, is not enough on its own to truly verify your identity. An attacker with access to your account will likely steal the information stored in it (everyone you’ve ever emailed with, including sent and saved emails and contact information, and any online files you have access to) and may then abuse it to do anything from sending spam to tricking your customers, vendors, coworkers (we’ve seen all this happen and more!) and other contacts into thinking it’s really you asking them to compromise either themselves or their finances (when it’s really the attacker posing as you). The scams are varied and changing all the time, but you can protect your account with a second form of authentication, commonly called Multi-Factor Authentication, or MFA for short (or sometimes 2-Factor Authentication, or 2FA, but the difference is immaterial to us here).
MFA lets a website verify that you and they share another secret besides a password: usually a code on your cell phone, a text message, or a confirmation that you received a notification from an app on your phone, triggered by the website. The notification is the most secure option (it’s sent securely from the website to your phone), the code from an app is also reasonably secure (as long as you only give the code to the real website!), and the text message option is better than not having MFA at all, although it’s becoming more common for people to “SIM swap” (steal your cell phone number remotely) for high-value accounts where it’s worthwhile to them. You should have one of these MFA systems set up on all of your accounts, or at least on the ones that could be damaging if someone other than you gets in.
You can also read more about MFA on the Microsoft website in the article “What is: Multi-Factor Authentication”, which has a short description and a video. Microsoft is also working to require MFA for everyone, even for older accounts where it wasn’t the default, over the next few months.
How do I set up MFA?
If you are an end-user securing the Microsoft 365 work account that belongs to the organization you work for, the easiest way to set up MFA for that account is to use the Microsoft Authenticator application on your mobile phone. Once your administrator or IT support company enables MFA for your Microsoft account, you may be required or requested to set up MFA the next time you log in to your Microsoft account, or you can go directly to https://aka.ms/mfasetup after installing the Microsoft Authenticator app below (keep scrolling to download a step-by-step visual guide!). You can scan the QR codes for iOS or Android with your phone camera in the “Download and install the Microsoft Authenticator App” article from Microsoft, or open this post on your phone and follow the links below to the app in each phone’s store:
Google Android: On your Android device, go to Google Play to download and install the Authenticator app or scan this QR code with your Android phone’s camera:
Apple iOS: On your Apple iOS device, go to the App Store to download and install the Authenticator app or scan this QR code with your iPhone’s camera:
Click here to view or download our visual guide to complete MFA setup using Microsoft Authenticator once you’ve installed the correct mobile app!
Once MFA is configured, you may need to remove and re-add your account on one or more devices, or they may work fine. This is hard to predict and depends in part on how long the account has been connected to your system. You may be prompted to re-authenticate with MFA periodically: sometimes at every login, sometimes only when you move to a different place or computer than the one you were at last, and sometimes just every few days or few weeks, depending on your Microsoft security settings. Some companies make these settings more or less “hair-trigger” to help balance security and convenience based on their specific risk tolerance.
What if I have questions?
Sometimes there are issues setting up MFA. Even once it’s set up, some people’s computers or phones are stuck using older login methods that don’t work with MFA (these are technically called “BASIC Authentication”, in case you see that term) and need some help getting reconfigured to use MFA. That’s something we can help with on a case-by-case basis if you’re a business owner needing help. Or, if your company works with us for support, you may be able to request support from us directly or through your local IT liaison to get things figured out if you get stuck! We’ve helped many folks through the same process and know the workarounds, exceptions and edge cases that sometimes pop up, especially with accounts that have been around a while. You can also check out Microsoft’s guide called “Use Microsoft Authenticator with Microsoft 365”.