Information Technology

UWSP employees may only use the Microsoft MFA app or their IT-assigned hardware token for their secondary authentication method. 

All employees should set up the Microsoft MFA app on their mobile devices and request their hardware token as soon as possible to ensure that a back up secondary authentication method is always available.

Why are the Microsoft MFA app and a hardware token the only allowed secondary authentication methods for UWSP employees?

According to NIST standards (National Institute of Standards and Technology) these provide a higher level of secure secondary authentication which is required for UWSP employees.  Less secure secondary authentication methods such as SMS or voice calls will be regularly disabled via an automated script if they are added to an employee account.

See, "Why are employees only allowed to use the MFA app or a hardware token?" in the MFA Help section below.

Students can use the following options for authentication via MFA:

• Install the Microsoft MFA app on your mobile phone or tablet (the easiest authentication method).
  

• Receive an SMS or voice call to your mobile phone, or a call to your landline phone.
  

• Purchase a hardware token from the UWSP Service Desk (see "How to request a hardware token?" below).

Authenticating with the MFA app is the easiest authentication option to access to your secure UWSP resources.

A hardware token is a small device that generates a one-time use six-digit passcode. 

When logging into a secure UWSP resource you can opt to "sign in a different way" and choose to enter the passcode generated by your hardware token if your mobile device or other authentication option is not available. 

There is no need for you to add your hardware token as an additional authentication method to your myaccount.uwsp.edu portal.  It will be configured for your account upon receipt.

MFA hardware tokens fit on a keychain making them easy to remember wherever you go.

IMPORTANT: The Microsoft Authenticator app can only be installed on a mobile device (e.g. iPhone, Android, tablet).

To install the Microsoft Authenticator app:

1. Open the app store for your mobile phone or tablet:
   

If your mobile device is an iPhone or iPad, open the App Store:	​
If your mobile device is an Android phone, open the Play Store:	​

2. Search for Microsoft Authenticator and install this app.

 

3. See the following "Step 2 - For Everyone: Set up the Microsoft MFA app" to activate the installed Authenticator app for use as your secondary authentication method.​​
   

Best Practice: set the default authentication method to the MFA app after setting up multifactor authentication, then install the Microsoft MFA app on any additional mobile devices that you own.

Prefer a video to written steps?  See the video at the bottom of this section!

Set up the MFA App:

1. On a computer, log into myaccount.uwsp.edu with your UWSP logon.
   

Doing this part on a computer allows you to scan a QR code, the easiest set up method.

2. In the Security info box, click UPDATE INFO >
   




3. Click Add sign-in m​​ethod then select Authenticator app and click Add.
   

 

4. Open the Microsoft Authenticator app. If you are prompted, tap I agree to the Privacy information screen.  In a moment, you will tap Scan a QR code.
   

 

5. On your computer, click Next through the Start by getting the app and Set up your account windows.
   

 

You should now see a QR code in the Microsoft Authenticator window on your computer screen.


 

6. On your mobile device (phone or tablet),

1.  Open the Microsoft Authenticator app.

2. Tap Add Account ​to begin the process of pairing your Microsoft Authenticator app with your UWSP account (Android devices: this choice may be under the three vertical dots).
   
   IMPORTANT: When you start Microsoft Authenticator, it may prompt you for your device passcode, fingerprint, or face scan. This is your device's passcode that you use to unlock your device.
   

7. Tap Work or School Account.  Allow any requests for permissions.
   

8. Tap Scan a QR code. 

9. Tap OK to access camera and to Allow notifications, then hold your device camera over the QR code to scan.
   

10. On your computer: click Next and follow the remaining prompts on both your computer and mobile device to Approve and complete the setup.

11. Once you Approve, you may be asked to re-enter the lock screen passcode for your mobile device (e.g. PIN, a shape, or fingerprint).
    

See the section, "Testing your authentication methods" below.

See the video: "Installing the Authenticator App"!

In addition to the MFA app, all UWSP faculty, staff, and student staff are required to have an IT-assigned hardware token as a back up authentication method.  SMS and voice call authentication methods will be disabled via an automated script if added to an employee's account.

See "Requesting a Hardware Token" below to learn how to receive your IT-assigned hardware token.

In addition to the recommended Microsoft MFA app, students may also add the following secondary authentication methods as back up.

• SMS

• Phone call

• Hardware token (Students may request an optional hardware token if they wish to have this additional back up method. A $12 fee is applied to the student's account. See the following section, "Requesting a Hardware Token" for more information.)
  

How to add SMS or phone call as back up authentication methods

1. On a computer or mobile device, sign into myaccount.uwsp.edu with your UWSP logon.
   

2. In the Security info box, click UPDATE INFO >
   




3. Click Add Method then select a phone option and click Add.
   

 

4. Enter your phone number and select Text me a code or Call me to confirm your authentication method.
   

5. Click Next.
   

 

6. You will receive an automated call or SMS to the entered phone number asking you to confirm the registration of your phone.
   

See "Testing your authentication methods" below.

Best Practice: for easiest authentication, set the default authentication method to the MFA app. Install the Microsoft MFA app on any additional mobile devices that you own. Use a hardware token as your secure back up authentication method.

Anyone can request a hardware token to use in addition to the Microsoft Authenticator app.

Employees including Student Staff

Employees (including student staff) are required to have a hardware token.  See "Request a hardware token" below.  Your first hardware token is provided at no cost to you or your department.

Hardware security tokens belong to UWSP.  When leaving university employment, faculty/staff hardware tokens must be returned to IT or to the department.  Student staff hardware tokens must be returned to the hiring department/employer.

Lost hardware tokens: A $12 replacement fee will be charged to the department (or department/student employer in the case of student staff) if a hardware token is lost or damaged and must be replaced.

Students, Retirees, Emeriti, and Volunteers

Students, Retirees, Emeriti, and Volunteers are not required to have a hardware token, and are instead encouraged to use Phone SMS or Voice options as their back up authentication method.  If a hardware token is desired, you may submit a request to purchase a token using one of the methods below.  There is a $12 charge for each hardware token. 

Students: the $12 fee for a hardware token will be billed to your student bill.

Retirees, Emeriti, and Volunteers:  please contact your university department to ask if they will cover the cost of your hardware token and to request their approval.

Request a Hardware Token

Click Request a hardware token (you will have the option to have the hardware token mailed to you).

After requesting a hardware token, you will be asked to schedule an appointment to pickup and activate at the MFA - Security Token Pickup page. If you chose to have a token mailed to you, be sure to select the on-line meeting option.

See the following: "Students/Employees Requirements for receiving and activating your hardware token".

If you chose to pick up your hardware token at the IT Service Desk:

You may make an appointment with the IT Service Desk to pick up a hardware token.

Or for COVID-19 distancing purposes, you can request a hardware token be mailed to you.

You will need identification:

Allowed forms of ID:

• University ID (required)

Setting your default authentication method to Microsoft Authenticator - Notifications offers the easiest authentication.  Fortunately, Microsoft Authenticator - Notifications automatically becomes your default if the Microsoft Authenticator app is installed before other authentication methods are added.

1. On a computer or mobile device, sign into myaccount.uwsp.edu with your UWSP logon.
   

2. In the Security info box, click UPDATE INFO >
   




Your default authentication method displays at the top.


3. To change your default, click Change.
   

 

4. Click the dropdown and select your preferred authentication method to make it your new default.
   

 

5. Click Confirm.
   

If your default authentication method is set to Microsoft Authenticator - Notification your authentication method is as easy as tapping Approve on your mobile device screen. 

1. Sign into the secure UWSP resource. 
   




2. ​On your mobile device, you will​ see a notification letting you know that the MFA app has received an authentication request. Make sure that notifications and alerts are enabled for the Authenticator app on your device.
   

 




3. Tap to open this notification or open the MFA app on your mobile device. You may additionally be prompted to enter your device passcode.
   

4. Tap Approve to approve signing in to the secure resource.
   

 

IMPORTANT:  When logging into a secure UWSP resource, make sure to immediately check your mobile device and MFA app for a prompt asking you to Approve your authentication to that resource.

​Information Technology strongly recommends that you install the MFA app on all of your mobile devices and set the app as your default method of authentication.  Make sure to have your device next to you whenever you anticipate needing to access protected UWSP resources.​

If authenticating to a Microsoft resource:

On the Approve sign in request screen, click "I can't use my Microsoft Authenticator app right now".

Note: SMS and phone methods of authentication are available to students only. To use this authentication method you must have a phone added under your myaccount.uwsp.edu portal.

If authenticating to a Microsoft resource:

On the Approve sign in request screen, click Sign in another way.

To test the authentication methods you have added under your myaccount.uwsp.edu portal,

Go to testmfa.uwsp.edu/ and click Sign In.

Sign in with your UWSP logon.

The default authentication method that you selected in your myaccount.uwsp.edu portal will immediately prompt you to authenticate.​

To test the MFA app on your mobile device

1. ​On your mobile device, you will​ see a notification letting you know that the MFA app has received an authentication request. Make sure that notifications and alerts are enabled for the Authenticator app on your device.
   

 




2. Tap to open this notification or open the MFA app on your mobile device. You may additionally be prompted to enter your device passcode.
   

3. Tap Approve to approve signing in to the secure resource.
   

 

To test other authentication method(s)

1. Click Use a different verification option.
   

 

2. From the list of verification methods that displays, select the back up method you would like to test. 
   
   

 

3. When you have verified your authentication method click Sign Out. This will take you to the Sign In screen. From here, you can either close your browser or click Sign In to test another authentication method. Note: to test another verification method, you must sign out and then click Sign In again.
   

​​​​​

To use BIG-IP Edge Client it must be installed on the off-campus computer (e.g. your personal computer) which is connecting to UWSP.

To install BIG-IP Edge Client for PC

1. You must first download the BIG-IP Edge Client for PC (Download the Mac version here) on the off-campus computer.
   

On a Windows 10 computer, the download will display at the lower-left corner of the screen.


2. Click the Ellipses and select Keep. From here you can continue with step 2, or instead, open your Downloads folder in File Explorer and skip to step 6.
   

 

3. Click Show more.
   

 

4. Select Keep anyway.
   

 

5. Below UWSP_FOB_VPN_Setup.exe click Show in folder.
   

 

This opens the Downloads folder in your Windows Explorer.


To install:


6. Double-click UWSP_FOB_VPN_Setup.exe
   

 

7. In the Setup screen click Next >.
   

 

8. Click Install.
   

 

9. Wait for the install to complete, then click Next (the installer may immediately move to the Completing screen).
   

 

10. Click Finish.
    

1. Open BIG-IP Edge Client from your Start menu.

 

2. Click Connect.

 

3. Log in with your UWSP logon.
   

 

When the BIG-IP Client has finished connecting you will be prompted for your second authentication method.


4. Select Azure Multi-Factor Authentication.
   

 

5. To authenticate with your hardware token select Use a different verification method.
   

 

6. Select Use verification code from mobile or hardware token to enter the code from your hardware token screen.
   

 

7. You can now log into your remote access service as you normally do.  BIG-IP Client should continue to run in the background for additional remote access sessions.

If the BIG-IP Client becomes disconnected you will no longer be able to authenticate to remote access services and will instead see an error prompt. For example, a computer restart will force a client disconnect.

If you find that you have been disconnected from BIG-IP Client, open the client from your Start menu again and reconnect as above.

If you experience further connection problems, please contact the IT Service Desk.

No. The Microsoft Azure Authenticator app is only used as a secondary authentication form and stores no data that could be requested via an open records request.

The Public Records Law applies based upon the content of a record, and not its location. A work related email or text message is a public record whether it is sent or received on a personally owned device or a UWS/institutional device. A personal email unrelated to work is not a public record no matter where it is located. Using an employment related application, such as Outlook or multi-factor authentication, on a personal phone might generate a public record. However, it won’t subject the rest of an employee’s phone to a public records request. For further resources on this topic, visit the UW System Public Records website.

Microsoft MFA is supported on Microsoft, Android, and iOS mobile devices.

Using the MFA app or hardware token provides a strong form of secondary authentication. 

According to NIST standards (National Institute of Standards and Technology), SMS and voice calls are considered weaker forms of secondary authentication when securing an organization's resources.  Because employees frequently need to access UWSP systems that house sensitive data for the campus, a higher level of identity assurance is needed.

If you believe that your UWSP account may be compromised due to a lost mobile device, contact the IT Service Desk. The Service Desk can help with resetting your password and check to ensure that no additional rules or auto-forwarding have been added to your UWSP email.

If you have a back up MFA authentication method which is not tied to your phone

If you lose or misplace your phone and have set up a backup authentication method which is not tied to your lost phone, click the link, "Sign in another way" in the authentication prompt you receive when attempting to log into a UWSP resource.

If you do not have a back up MFA authentication method, or all authentication methods are tied to your phone

If you lose or misplace your phone and your phone is your only MFA authentication method you will be unable to log into all university resources which require secondary authentication (see "UWSP resources requiring MFA, deadlines, and other information" above). You will also not be able to log into myaccount.uwsp.edu to add a new authentication method or remove a lost device.

• If you know where your phone is, but forgot to bring it with you:

The IT Service Desk can provide a one-time bypass allowing you to log into myaccount.uwsp.edu to add a new authentication method.

Contact the Service Desk. Let them know that your device has been lost and to clear your MFA settings. Once your MFA settings have been cleared, you will be able to log into your myaccount.uwsp.edu with your UWSP logon and add a new authentication method.

Important: always make sure to have a backup authentication method set in your myaccount.uwsp.edu portal (see "Set up Microsoft MFA authentication" above).

Once you get your new phone you will want to:

1. Install the MFA app on your new phone, 
   

2. Log into your myaccount.uwsp.edu portal go to Security Info and add the newly installed MFA app as your new default authentication method.
   

3. Remove the previous authentication methods connected to your old phone (e.g. the previous "Authenticator App" and any phone authentication methods).

4. re-add the phone authentication methods. You must re-add the phone authentication methods as each installation of the MFA app has a unique identifier.

Student hardware tokens:

Student hardware tokens are billed to the student's account.

Employee hardware tokens:

UWSP requires the use of hardware tokens by all faculty and staff including student employees.  Because of this requirement, the institution covers the cost of the first hardware token for all of its employees.  If a hardware token is lost, a replacement device will be billed to the employee's department/employer.