Microsoft Multifactor Authentication

UWSP protects user accounts and High Risk data by requiring the use of multi-factor authentication when accessing important applications and systems.

Microsoft Multifactor Authentication (MFA) is UWSP's multi-factor authentication solution and is a UW-System mandate.

Why is Multifactor Authentication important?

Multifactor authentication protects your personal information and data by adding an additional security layer to your current username/password logon authentication method. 

Microsoft MFA requires a second form of authentication, such as accepting a notification sent to the Microsoft MFA app on your mobile device or entering a code generated by a security/hardware token (i.e. "key fob").

For a link to download the free Microsoft MFA app, see Step 1 below.



New to UWSP?  Your UWSP account must be activated before you set up Microsoft MFA.  For help or questions with Microsoft MFA authentication at UWSP, please contact the IT Service Desk.


What are my options for authenticating with MFA?

 Employee MFA options

UWSP employees may only use the Microsoft MFA app or their IT-assigned hardware token for their secondary authentication method. 

All employees should set up the Microsoft MFA app on their mobile devices and request their hardware token as soon as possible to ensure that a back up secondary authentication method is always available.

Why are the Microsoft MFA app and a hardware token the only allowed secondary authentication methods for UWSP employees?

According to NIST standards (National Institute of Standards and Technology) these provide a higher level of secure secondary authentication which is required for UWSP employees.  Less secure secondary authentication methods such as SMS or voice calls will be regularly disabled via an automated script if they are added to an employee account.

See, "Why are employees only allowed to use the MFA app or a hardware token?" in the MFA Help section below.

 Student MFA options

Students can use the following options for authentication via MFA:

  • Install the Microsoft MFA app on your mobile phone or tablet (the easiest authentication method).

  • Receive an SMS or voice call to your mobile phone, or a call to your landline phone.

  • Purchase a hardware token from the UWSP Service Desk (see "How to request a hardware token?" below).

Authenticating with the MFA app is the easiest authentication option to access your secure UWSP resources.

 What is a hardware token?

A hardware token is a small device that generates a one-time use six-digit passcode. 

When logging into a secure UWSP resource you can opt to "sign in a different way" and choose to enter the passcode generated by your hardware token if your mobile device or other authentication option is not available. 

There is no need for you to add your hardware token as an additional authentication method to your myaccount.uwsp.edu portal.  It will be configured for your account upon receipt.

MFA hardware tokens fit on a keychain making them easy to remember wherever you go.


  Start here to set up Microsoft MFA!

See "Set up Microsoft MFA Authentication" below for detailed instructions.


Set up Microsoft MFA authentication

Information Technology strongly recommends that you install the Microsoft MFA Authenticator app on your mobile devices where possible for ease of use and for the most secure secondary authentication experience. Follow Steps 1 and 2 below to install the Authenticator app.

In addition to the Authenticator app you need a back up verification method in the event you experience problems or your preferred verification method is unavailable.

  • All current UWSP employees are required to have a hardware security token as their back up verification method. See "Step 3 - For Employees" below for more information.

  • Students, retirees, volunteers  and contractors have several back up verification options available.  See "Step 3 - For Students, Retirees, Volunteers & Contractors" below.

 Step 1 - For Everyone: Get the Microsoft Authenticator app

IMPORTANT: The Microsoft Authenticator app can only be installed on a mobile device (e.g. iPhone, Android, tablet).

To install the Microsoft Authenticator app:

  1. Open the app store for your mobile phone or tablet:

    • If your mobile device is an iPhone or iPad, open the App Store.
    • If your mobile device is an Android phone, open the Play Store.

  2. Search for Microsoft Authenticator and install this app.

  3. See the following "Step 2 - For Everyone: Set up the Microsoft MFA app" to activate the installed Authenticator app for use as your secondary authentication method.

 Step 2 - For Everyone: Set up the Microsoft Authenticator app

Best Practice: set the default authentication method to the MFA app after setting up multifactor authentication, then install the Microsoft MFA app on any additional mobile devices that you own.

Prefer a video to written steps?  See the video at the bottom of this section!

Set up the MFA App:

  1. On a computer, log into myaccount.uwsp.edu with your UWSP logon.

    Doing this part on a computer allows you to scan a QR code, the easiest set up method.

  2. In the Security info box, click UPDATE INFO >

  3. Click Add sign-in method then select Authenticator app and click Add.

  4. Open the Microsoft Authenticator app. If you are prompted, tap I agree to the Privacy information screen.  In a moment, you will tap Scan a QR code.

  5. On your computer, click Next through the Start by getting the app and Set up your account windows.

    You should now see a QR code in the Microsoft Authenticator window on your computer screen.

  6. On your mobile device (phone or tablet),

    1. Open the Microsoft Authenticator app.

    2. Tap Add Account to begin the process of pairing your Microsoft Authenticator app with your UWSP account (Android devices: this choice may be under the three vertical dots).

      IMPORTANT: When you start Microsoft Authenticator, it may prompt you for your device passcode, fingerprint, or face scan. This is your device's passcode that you use to unlock your device.

  7. Tap Work or School Account.  Allow any requests for permissions.

  8. Tap Scan a QR code.

  9. Tap OK to access camera and to Allow notifications, then hold your device camera over the QR code to scan.

  10. On your computer: click Next and follow the remaining prompts on both your computer and mobile device to Approve and complete the setup.

  11. Once you Approve, you may be asked to re-enter the lock screen passcode for your mobile device (e.g. PIN, a shape, or fingerprint).

See the section, "Testing your authentication methods" below.

See the video: "Installing the Authenticator App"!

 

 Step 3 - For Employees only: Request a hardware token

In addition to the MFA app, all UWSP faculty, staff, and student staff are required to have an IT-assigned hardware token as a back up authentication method.  SMS and voice call authentication methods will be disabled via an automated script if added to an employee's account.

See "Requesting a Hardware Token" below to learn how to receive your IT-assigned hardware token.

 Step 3 - For Students, Retirees, Emeriti, Volunteers & Contractors only: Configure one of these additional options

In addition to the recommended Microsoft MFA app, students may also add the following secondary authentication methods as back up.

  • SMS

  • Phone call

  • Hardware token (Students may request an optional hardware token if they wish to have this additional back up method. A $12 fee is applied to the student's account. See the following section, "Requesting a Hardware Token" for more information.)


How to add SMS or phone call as back up authentication methods

  1. On a computer or mobile device, sign into myaccount.uwsp.edu with your UWSP logon.

  2. In the Security info box, click UPDATE INFO >

  3. Click Add Method then select a phone option and click Add.

  4. Enter your phone number and select Text me a code or Call me to confirm your authentication method.

  5. Click Next.

  6. You will receive an automated call or SMS to the entered phone number asking you to confirm the registration of your phone.

 

 

See "Testing your authentication methods" below.


​Requesting a Hardware Token

All UWSP employees, including student staff, are required to have an MFA hardware token as a secure additional authentication method. For more information on how to request your hardware token see, How to request a hardware token below.

Hardware tokens are optional for UWSP students, retirees, emeriti, and volunteers and can be purchased as a good back-up secondary authentication method.  See, How to request a hardware token below for more information.

Important: See, "Special requirements when using your hardware token with Remote Computer Access and VPN" if using your hardware token's verification code when logging into the Remote Computer Lab or Remote Desktop.

 How to request a hardware token

Best Practice: for easiest authentication, set the default authentication method to the MFA app. Install the Microsoft MFA app on any additional mobile devices that you own. Use a hardware token as your secure back up authentication method.

Anyone can request a hardware token to use in addition to the Microsoft Authenticator app.

Employees including Student Staff

Employees (including student staff) are required to have a hardware token.  See "Request a hardware token" below.  Your first hardware token is provided at no cost to you or your department.

Hardware security tokens belong to UWSP.  When leaving university employment, faculty/staff hardware tokens must be returned to IT or to the department.  Student staff hardware tokens must be returned to the hiring department/employer.

Lost hardware tokens: A $12 replacement fee will be charged to the department (or department/student employer in the case of student staff) if a hardware token is lost or damaged and must be replaced.

 

 


Students, Retirees, Emeriti, and Volunteers

Students, Retirees, Emeriti, and Volunteers are not required to have a hardware token, and are instead encouraged to use Phone SMS or Voice options as their back up authentication method.  If a hardware token is desired, you may submit a request to purchase a token using one of the methods below.  There is a $12 charge for each hardware token. 

Students: the $12 fee for a hardware token will be billed to your student bill.

Retirees, Emeriti, and Volunteers:  please contact your university department to ask if they will cover the cost of your hardware token and to request their approval.


Request a Hardware Token

Click Request a hardware token (you will have the option to have the hardware token mailed to you).

After requesting a hardware token, you will be asked to schedule an appointment to pick up and activate it at the MFA - Security Token Pickup page. If you chose to have a token mailed to you, be sure to select the on-line meeting option.

See the following: "Students/Employees Requirements for receiving and activating your hardware token".

 Requirements for receiving and activating your hardware token

If you chose to pick up your hardware token at the IT Service Desk:

You may make an appointment with the IT Service Desk to pick up a hardware token.

Or for COVID-19 distancing purposes, you can request a hardware token be mailed to you.

You will need identification:

You must present two forms of picture ID at the Service Desk or during your scheduled video call.

If you choose to have your hardware token mailed:

Hardware tokens will be mailed via registered mail to your HRS mailing address.  Your MFA hardware token must be activated before it can be used.

IMPORTANT: your hardware token will be mailed to the address you have on record in HRS. Please log into your MyUW portal to confirm or update your current address. Help documentation on updating your personal information is available if needed.

It will take 7-10 business days to receive your hardware token through the mail.  If you do not receive your token within two weeks, please contact the IT Service Desk.

To activate your hardware token, schedule a time to meet virtually with a service desk staff member (e.g. Zoom or Microsoft Teams video call). You will need to show them your two forms of picture ID and read them the serial number on the token. The staff member will match the serial number to the serial numbers on file. This confirms your receipt of the hardware token so that it can be activated.

Allowed forms of ID:

  • University ID (required)

AND one additional form of picture ID from the following:
  • Drivers license

  • Passport

  • State ID

 ‭(Hidden)‬ Students: Requirements for receiving and activating your hardware token

Students may purchase an MFA hardware token if they desire this additional secondary authentication method. Hardware tokens are billed to a student's account.

To get a hardware token while on campus

  1. Make an appointment with the IT Service Desk to pick up a hardware token. 

  2. Bring your University ID and one additional form of picture ID (See "Allowed forms of ID" below).

Your hardware token will be activated and ready for use.

To request a hardware token be mailed to you

For COVID-19 distancing purposes, if you do not wish to come to the IT Service Desk, you can request a hardware token be mailed to you.

You must:

  • Schedule a video call with the IT Service Desk (e.g. Zoom or Microsoft Teams video call).

  • Present your University ID and one additional form of picture ID during this video call (See "Allowed forms of ID" below).

Your hardware token will be mailed to you via registered mail. It must be activated before it can be used.

To activate your hardware token: email the serial number (SN) to the IT Service Desk from your UWSP student email.  The serial number will be matched to the serial numbers on file. This confirms your receipt of the device and lets the Service Desk know that it can be activated.

IMPORTANT: Hardware tokens are billed to a student's account. The IT Service Desk does not take direct payment in any form.

Allowed forms of ID:

  • University ID (required)

AND one additional form of picture ID from the following:
  • Drivers license

  • Passport

  • State ID


IMPORTANT: How to change your default authentication method

Knowing how to change your default authentication method is important as it allows you to quickly replace your default if ever needed.

Information Technology strongly recommends that you set the MFA app to be your default authentication method.  Using the MFA app offers a higher level of secure identity assurance than does SMS or voice calls. If the MFA app is not currently set as your default, the following information will help you to easily make this change.

 Change your default authentication method

Setting your default authentication method to Microsoft Authenticator - Notifications offers the easiest authentication.  Fortunately, Microsoft Authenticator - Notifications automatically becomes your default if the Microsoft Authenticator app is installed before other authentication methods are added.


To see what your default authentication method is, or to change your default authentication method:
  1. On a computer or mobile device, sign into myaccount.uwsp.edu with your UWSP logon.

  2. In the Security info box, click UPDATE INFO >

  3. Your default authentication method displays at the top.

  4. To change your default, click Change.

  5. Click the dropdown and select your preferred authentication method to make it your new default.

  6. Click Confirm.



Access your secure UWSP resources with MFA

When logging into a secure UWSP resource, MFA authentication will prompt you: 

  • the first time you log in after setting up the MFA app, and, 

  • each time your MFA authentication expires.

See the section, "UWSP resources requiring MFA, deadlines, and other information" below for a list of MFA prompt frequencies for UWSP protected resources.


 How to authenticate using the MFA App

If your default authentication method is set to Microsoft Authenticator - Notification, authenticating is as easy as tapping Approve on your mobile device screen.

  1. Sign into the secure UWSP resource.

  2. On your mobile device, you will see a notification letting you know that the MFA app has received an authentication request. Make sure that notifications and alerts are enabled for the Authenticator app on your device.

  3. Tap to open this notification or open the MFA app on your mobile device. You may additionally be prompted to enter your device passcode.

  4. Tap Approve to approve signing in to the secure resource.

IMPORTANT:  When logging into a secure UWSP resource, make sure to immediately check your mobile device and MFA app for a prompt asking you to Approve your authentication to that resource.

Information Technology strongly recommends that you install the MFA app on all of your mobile devices and set the app as your default method of authentication.  Make sure to have your device next to you whenever you anticipate needing to access protected UWSP resources.


 How to authenticate with a hardware token

Make sure to see the section, "Special requirements when using your hardware token with Remote Computer Access and VPN".

 

If authenticating to a Microsoft resource:

On the Approve sign in request screen, click "I can't use my Microsoft Authenticator app right now".


Then from the list of verification options, select the option to "Use a verification code".




 How to authenticate with SMS or phone call

Note: SMS and phone methods of authentication are available to students only. To use this authentication method you must have a phone added under your myaccount.uwsp.edu portal.

If authenticating to a Microsoft resource:

On the Approve sign in request screen, click Sign in another way.


Then from the list of verification options, select the option for Text  or Call.



​How to test your MFA

Information Technology provides the following easy tool to test the Microsoft Security Verification methods you have added under My Account > Security Info.

At any point if you have questions or need help with your Microsoft MFA authentication please contact the IT Service Desk.

 Testing your authentication methods

To test the authentication methods you have added under your myaccount.uwsp.edu portal,

Go to testmfa.uwsp.edu/ and click Sign In.

 

Sign in with your UWSP logon.

 

The default authentication method that you selected in your myaccount.uwsp.edu portal will immediately prompt you to authenticate.​

To test the MFA app on your mobile device

  1. On your mobile device, you will see a notification letting you know that the MFA app has received an authentication request. Make sure that notifications and alerts are enabled for the Authenticator app on your device.

  2. Tap to open this notification or open the MFA app on your mobile device. You may additionally be prompted to enter your device passcode.

  3. Tap Approve to approve signing in to the secure resource.

To test other authentication method(s)

  1. Click Use a different verification option.

  2. From the list of verification methods that displays, select the back up method you would like to test.

  3. When you have verified your authentication method click Sign Out. This will take you to the Sign In screen. From here, you can either close your browser or click Sign In to test another authentication method. Note: to test another verification method, you must sign out and then click Sign In again.


Special requirements when using your hardware token with Remote Computer Access and VPN

Remote computer access (e.g. Remote Desktop, Remote/Online Access Labs) and VPN are older technologies that are unable to accept the entry of a numeric code as a verification method.

Because of this, if your mobile device is not available and you must use a hardware token to authenticate to these remote access services, a secure intermediary tool must be installed on your personal computer.  The verification code generated by your hardware token is then entered into this tool, which passes your authentication to the remote service, allowing you to log in.

UWSP uses the BIG-IP Edge Client to provide this intermediary service.

Note: only your hardware token and the codes generated by the MFA app require authentication via the BIG-IP Edge Client.  For easiest authentication, Information Technology strongly encourages you to install the MFA app on your mobile device and have your device with you when you work.

 Set up BIG-IP Edge Client

To use BIG-IP Edge Client it must be installed on the off-campus computer (e.g. your personal computer) which is connecting to UWSP.

 

To install BIG-IP Edge Client for PC

  1. You must first download the BIG-IP Edge Client for PC (Download the Mac version here) on the off-campus computer.

    On a Windows 10 computer, the download will display at the lower-left corner of the screen.

    Click the Ellipses and select Keep. From here you can continue with step 2, or instead, open your Downloads folder in File Explorer and skip to step 6.

  2. Click Show more.

  3. Select Keep anyway.

  4. Below UWSP_FOB_VPN_Setup.exe click Show in folder.

    This opens the Downloads folder in your Windows Explorer.

    To install:

  5. Double-click UWSP_FOB_VPN_Setup.exe

  6. In the Setup screen click Next >.

  7. Click Install.

  8. Wait for the install to complete, then click Next (the installer may immediately move to the Completing screen).

  9. Click Finish.


 Authenticating with MFA through BIG-IP Edge Client

  1. Open BIG-IP Edge Client from your Start menu.

  2. Click Connect.

  3. Log in with your UWSP logon.

    When the BIG-IP Client has finished connecting you will be prompted for your second authentication method.

  4. Select Azure Multi-Factor Authentication.

  5. To authenticate with your hardware token select Use a different verification method.

  6. Select Use verification code from mobile or hardware token to enter the code from your hardware token screen.

  7. You can now log into your remote access service as you normally do.  BIG-IP Client should continue to run in the background for additional remote access sessions.

If the BIG-IP Client becomes disconnected you will no longer be able to authenticate to remote access services and will instead see an error prompt. For example, a computer restart will force a client disconnect.

If you find that you have been disconnected from BIG-IP Client, open the client from your Start menu again and reconnect as above.

If you experience further connection problems, please contact the IT Service Desk.


Can't find the answer?  Contact the IT Service Desk!

MFA Help

 Will having the Microsoft Azure Authenticator app installed on my device open my device up to open records requests?

No. The Microsoft Azure Authenticator app is only used as a secondary authentication form and stores no data that could be requested via an open records request.

The Public Records Law applies based upon the content of a record, and not its location. A work related email or text message is a public record whether it is sent or received on a personally owned device or a UWS/institutional device. A personal email unrelated to work is not a public record no matter where it is located. Using an employment related application, such as Outlook or multi-factor authentication, on a personal phone might generate a public record. However, it won’t subject the rest of an employee’s phone to a public records request. For further resources on this topic, visit the UW System Public Records website.

 Which mobile devices support Microsoft MFA?

Microsoft MFA is supported on Microsoft, Android, and iOS mobile devices.

 Why are employees only allowed to use the MFA app or a hardware token?

Using the MFA app or hardware token provides a strong form of secondary authentication. 

According to NIST standards (National Institute of Standards and Technology), SMS and voice calls are considered weaker forms of secondary authentication when securing an organization's resources.  Because employees frequently need to access UWSP systems that house sensitive data for the campus, a higher level of identity assurance is needed.
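The employee restriction described here, under "Employee MFA options" and under "Step 3 - For Employees only" (SMS and voice methods disabled by an automated script) amounts to an audit pass over each account's registered methods. The sketch below is an added example, not UWSP's script: the record layout, account names, method labels and warning names are constructed, and the lockout and missing-token warnings are checks chosen for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Policy as stated on this page (labels are constructed for the example).
STRONG = {"authenticator_app", "hardware_token"}   # allowed for everyone
WEAK = {"sms", "voice_call"}                       # allowed for non-employees only
EMPLOYEE_ROLES = {"faculty", "staff", "student_staff"}


@dataclass
class Account:
    logon: str
    role: str
    methods: List[str] = field(default_factory=list)
    default_method: Optional[str] = None


def audit(account: Account) -> dict:
    """Return the methods to disable and any warnings for one account."""
    registered = set(account.methods)
    is_employee = account.role in EMPLOYEE_ROLES

    # Employees: SMS and voice are disabled. Students and others keep them.
    remove = sorted(registered & WEAK) if is_employee else []
    remaining = registered - set(remove)

    warnings = []
    if registered - STRONG - WEAK:
        # Anything outside the page's list is reported, not removed.
        warnings.append("unrecognized_method")
    if is_employee and "hardware_token" not in registered:
        # The page requires every employee to hold a hardware token.
        warnings.append("missing_hardware_token")
    if remove and not (remaining & STRONG):
        # Disabling the weak method would leave no way to sign in.
        warnings.append("lockout_if_removed")
    if "authenticator_app" in registered and account.default_method != "authenticator_app":
        # The page recommends the app as the default method.
        warnings.append("default_not_app")

    return {"logon": account.logon, "remove": remove, "warnings": warnings}


def audit_all(accounts: List[Account]) -> List[dict]:
    """Audit every account and keep only those that need attention."""
    results = [audit(a) for a in accounts]
    return [r for r in results if r["remove"] or r["warnings"]]


# Constructed sample data. A student employee has a separate staff account,
# so the employee rule applies to that account and not to the student one.
SAMPLE = [
    Account("jdoe-staff", "staff",
            ["authenticator_app", "hardware_token"], "authenticator_app"),
    Account("asmith-staff", "faculty", ["authenticator_app", "sms"], "sms"),
    Account("blee-stustaff", "student_staff", ["voice_call"], "voice_call"),
    Account("blee-student", "student",
            ["authenticator_app", "sms"], "authenticator_app"),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```

An account flagged with lockout_if_removed is one where the Service Desk would need to register a compliant method before the weak one is disabled.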

 I can't find my phone or other mobile device that I use for MFA!

If you believe that your UWSP account may be compromised due to a lost mobile device, contact the IT Service Desk. The Service Desk can help with resetting your password and check to ensure that no additional rules or auto-forwarding have been added to your UWSP email.

If you have a back up MFA authentication method which is not tied to your phone

If you lose or misplace your phone and have set up a backup authentication method which is not tied to your lost phone, click the link, "Sign in another way" in the authentication prompt you receive when attempting to log into a UWSP resource.


If you do not have a back up MFA authentication method, or all authentication methods are tied to your phone

If you lose or misplace your phone and your phone is your only MFA authentication method you will be unable to log into all university resources which require secondary authentication (see "UWSP resources requiring MFA, deadlines, and other information" above). You will also not be able to log into myaccount.uwsp.edu to add a new authentication method or remove a lost device.

  • If you know where your phone is, but forgot to bring it with you:
The IT Service Desk can provide a one-time bypass allowing you to log into myaccount.uwsp.edu to add a new authentication method.

  • If you do not know where your phone is:

Contact the Service Desk. Let them know that your device has been lost and to clear your MFA settings. Once your MFA settings have been cleared, you will be able to log into your myaccount.uwsp.edu with your UWSP logon and add a new authentication method.

 What should I do if I get a new phone?

Important: always make sure to have a backup authentication method set in your myaccount.uwsp.edu portal (see "Set up Microsoft MFA authentication" above).

Once you get your new phone you will want to:

  1. Install the MFA app on your new phone.

  2. Log into your myaccount.uwsp.edu portal, go to Security Info, and add the newly installed MFA app as your new default authentication method.

  3. Remove the previous authentication methods connected to your old phone (e.g. the previous "Authenticator App" and any phone authentication methods).

  4. Re-add the phone authentication methods. You must re-add the phone authentication methods as each installation of the MFA app has a unique identifier.

 How are hardware tokens paid for?

Student hardware tokens:

Student hardware tokens are billed to the student's account.

Employee hardware tokens:

UWSP requires the use of hardware tokens by all faculty and staff including student employees.  Because of this requirement, the institution covers the cost of the first hardware token for all of its employees.  If a hardware token is lost, a replacement device will be billed to the employee's department/employer.

 ‭(Hidden)‬ Information for student employees

For security purposes, student employees have a staff account in addition to their university student account. 

To easily manage your MFA verifications for both accounts, you will want to add both accounts to the MFA app on your mobile device.



For questions or help with Microsoft MFA authentication at UWSP, please contact the IT Service Desk.