Microsoft Multi-Factor Authentication

Microsoft Multi-Factor Authentication (MFA) FAQ

Overview
Microsoft Multi-Factor Authentication (MFA) FAQ

This page answers common questions about Multi-Factor Authentication (MFA). Select the headings below to see more information. 

If your phone or key fob is lost or stolen, please take immediate action by submitting an MFA Incident Report. For guidance, see the “Device Changes and Updates” and “Loss or Issues with MFA Key Fob” sections.

Introduction to Multi-Factor Authentication (MFA)

Q: What is Microsoft Multi-Factor Authentication (MFA)?

A: Microsoft Multi-Factor Authentication (MFA) is an additional layer of security that requires users to provide another form of identification, like password and a phone, before gaining access to SCUSD Microsoft accounts or systems. 

Q: Why is MFA important?

A: MFA adds extra protection to your account, significantly enhancing security, even if your password is compromised.

MFA Implementation and Requirements

Q: Is MFA mandatory for your SCUSD Microsoft accounts?

A: Yes, Multi-Factor Authentication (MFA), also known as 2-factor authentication, is required statewide for K-12 districts to secure Cybersecurity Insurance. SCUSD staff must enable MFA to access district resources to comply with this requirement. 

Q: How does MFA work with SCUSD Microsoft accounts?

A: When MFA is enabled, you will be prompted to provide a second form of identification after entering your password. Depending on your chosen MFA setup, this can be a code sent to your mobile device.

Q: What authentication methods are supported?

A: There are three options for second-factor authentication: The Microsoft Authenticator App is FREE. It is the incorrect App if you are prompted to pay a fee. Please confirm the Microsoft Authenticator App is from Microsoft Corporation before downloading.

  1. Using the Microsoft Authenticator App that is installed on your work phone. If you have been issued a SCUSD cell phone, this is your only option for MFA authentication.
  2. Install the Microsoft Authenticator App on your mobile phone. 
  3. Obtain a small hardware device token to generate a random 6-digit code when needed. You can attach the token to your key ring. If you opt for the key FOB, a submission of the MFA Self Setup Wizard form is required (MFA Setup Wizard Form).

The mobile app is the preferred option for security and access. This app does NOT import work email, files, documents, or other work data onto your device. (The Authenticator App works where there is weak or no cell reception available) If you choose the preferred option to install the Microsoft Authenticator App, this process takes less than 5 minutes to register and secure your account. Here’s a quick & easy MFA Self Setup Wizard. Click here for the MFA Setup Wizard Form.

Download the authenticator app:

Q: What is the difference between a Key Fob (Hardware Token) and Mobile App (Software Token)?

A: A key fob is a physical device that typically generates time-sensitive codes, providing a hands-on approach for access control. In contrast, a mobile app relies on using a smartphone as a virtual key to grant access. While both offer secure access, the key fob is tangible, and a mobile app leverages digital authentication methods. 

*Note: The Microsoft Authenticator App is SCUSD’s preferred option. If you opt for the key fob, please be aware that if you lose the FOB, it is stolen, or you don’t have access to it, you cannot access SCUSD resources.

Q: Is there an approved authenticator app required for Multi-Factor Authentication?

A: The Microsoft Authenticator App is the approved SCUSD mobile app for MFA. It allows you to receive push notifications for quick approval or generate time-based codes for authentication.

Setting Up MFA

Q: Do I need to be connected to the Internet or my network to get and use the verification codes?

A: The codes don’t require you to be on the Internet, so you don’t need phone service to sign in. Additionally, because the app stops running as soon as you close it, it won’t drain your battery.

Q: Is registering a device agreeing to give the company or service access to my device?

A: Registering a device gives your device access to your organization’s services and doesn’t allow your organization access to your device.

Q: I am having issues with the MFA Wizard setup. What should I do next?

A. Contact the support team directly if you need help with the MFA self-setup. You can email support@scusd.edu and provide them with details about the issues you are experiencing. The support team will contact you to provide the appropriate services and guide you through troubleshooting.

Q: What is an MFA key fob (Hardware Token)?

A: An MFA key fob, or Multi-Factor Authentication key fob, is a small electronic device that generates time-sensitive codes to add an additional layer of security to user authentication. If is commonly used as part of two-factor authentication, requiring users to provide both a password and the code from the key fob to access a system or account. 

Q: I am having issues with my MFA. How can I troubleshoot MFA issues?

A: If you encounter issues with MFA, check your internet connection, verify your authentication method, and ensure your device’s time settings are accurate. For further assistance, contact your IT support at Support@SCUSD.Edu.

Remember to keep your MFA settings up-to-date and follow best practices for a secure online experience.

Q: I am having trouble adding my work or school account to my Microsoft Authenticator app. What are the steps?

A: To add a work or school account for passwordless or two-step verification, select the + button in the top right corner of Microsoft Authenticator > Work or school account > Sign in and complete the authentication on your device to add your account.

Q: I can’t add my work or school account to Microsoft Authenticator and I am receiving the following error: “We could not complete the sign-in at this time. Please ensure push notifications are enabled in Settings and your network connection is stable.”

A: Press OK to dismiss the message and then go to Settings and make sure push notifications are enabled and you have network connectivity. You can also remove your account and attempt the sign in again. If you are still not able to add your account, please reach out to your admin.

Multi-Factor Authentication (MFA) and Access Sharing

Q: Can I disable MFA to share my login with substitutes, colleagues, and students when I’m away?

A: Disabling MFA is strictly prohibited for district cybersecurity and compliance reasons. Sharing login credentials poses significant security risks and violates best practices. Instead, direct users to contact Support@SCUSD.EDU for alternative solutions such as delegating access, setting up  accounts, or establishing access protocols. Only authorized users can access district resources. 

Q: How can I facilitate access for substitutes or colleagues without sharing my login credentials?

A: Only authorized users may access district resources. All permitted users will have their own unique login credentials and multi-factor authentication (MFA) setup. It is essential to maintain the security of individual accounts and adhere to cybersecurity policies to ensure responsible and secure access to district resources.

Q: I need to share my key fob with individuals who need access to documents. How can I do this?

A: Sharing Key fobs for MFA purposes is strictly prohibited, as it poses significant security risks. Instead of sharing key fobs, consider utilizing shared drives, such as Google Drive. Create a shared folder, grant appropriate access permissions, and upload the necessary documents. It’s essential to leverage secure and authorized methods, like shared drives, to facilitate document access while maintaining the integrity and security of district systems.

Device Changes and Updates

Q: I purchased a new phone. Can I use Microsoft Authenticator on my new phone for MFA?

Congrats on your new phone! Yes, you can use Microsoft Authenticator on your new device. Please follow these steps and notify Support@SCUSD.Edu:

  • Go to the Multifactor Authentication (MFA) Setup Wizard
  • Fill out all required fields on the Multifactor Authentication (MFA) Setup Wizard
  • Select Option 2 Mobile App
  • Download the app if you haven’t already. Follow all steps and complete the MFA installation.
  • You will get a “Let’s try it out” message and approve it on your phone.
  • You will get a “Notification approved” and click next and done. You have successfully set up MFA.

Q: What should I do if I lose my MFA mobile device or hardware token?

A: Please report to Support@SCUSD.Edu and submit the MFA Incident Report. Your account will be reviewed for vulnerability, and a technology service representative will contact you to secure your account.

Q: What should I do if I can no longer access my old phone for MFA?

A: If you can no longer access your old phone, please submit the MFA Incident Report to notify Technology Services of your situation. Technology Services will contact you for further assistance.

Does this apply to you?

Acquired a new phone – Please refer to the instructions: “I purchased a new phone. Can I use Microsoft Authenticator on my new phone for MFA?”

MFA options –

1. Using the Microsoft Authenticator App that is installed on your work phone. If you have been issued a SCUSD cell phone, this is your only option for MFA authentication.

2. Install the Microsoft Authenticator App on your mobile phone. 

3. Obtain a small hardware device token to generate a random 6-digit code when needed. You can attach the token to your key ring. MFA

If you opt for the key FOB, a submission of the MFA Self Setup Wizard form is required (MFA Setup Wizard Form).

The mobile app is the preferred option for security and access. This app does NOT import work email, files, documents, or other work data onto your device. (The Authenticator App works where there is weak or no cell reception available) If you choose the preferred option to install the Microsoft Authenticator App, this process takes less than 5 minutes to register and secure your account. Here’s a quick & easy MFA Self Setup Wizard. Click here for the MFA Setup Wizard Form.

Download the authenticator app:

Q: Is there a waiting period or verification process when updating MFA on a new device?

A: Updating MFA on a new mobile device is typically straightforward. Once you enable the Microsoft Authenticator App, expect the authenticator to prompt authentication within 24 hours. Follow these steps to add Microsoft Authenticator App to your new phone. 

Go to the Multifactor Authentication (MFA) Setup Wizard

  • Fill out all required fields on the Multifactor Authentication (MFA) Setup Wizard
  • Select Option 2 Mobile App
  • Download the app if you haven’t already. Follow all steps and complete the MFA installation.
  • You will get a “Let’s try it out” message and approve it on your phone.
  • You will get a “Notification approved” and click next and done. You have successfully set up MFA.

Q: Can I simultaneously use multiple mobile devices for the Microsoft Authentication App?

A: Yes, Microsoft MFA supports using multiple mobile devices simultaneously. You can set up and authenticate using multiple trusted devices for added flexibility. However, you cannot use a mobile device simultaneously with a hardware token. Technology Service will monitor accepted authentication methods frequently for security purposes and contact staff members if unapproved methods or dual usage of token hardware and mobile apps are detected.

Q: Do I need to inform my IT administrator about the change in my MFA device?

A: It is a good practice to inform your IT administrator or support team about any changes to your MFA device to ensure they know the update and can provide assistance if needed.

Lost or Issues with MFA Key Fob

Q: I forgot my MFA key fob at home. Can disable MFA for the day? 

A: For district cybersecurity and compliance purposes, we are unable to disable MFA.  If you are unable to obtain your FOB, the alternative is to use the Microsoft Authenticator app until you are able to access your FOB again. 

Download the authenticator app here: Please contact Support when the Authenticator app is installed.

Q: I lost my MFA key fob. What should I do to regain access to my SCUSD Microsoft account?

A: If your MFA key fob is lost, stolen, or misplaced, follow these steps immediately:

Contact your dedicated site technology representative and support team immediately and submit the MFA Incident Report to report your lost, stolen, or misplaced key fob. Technology Service will contact you promptly to secure your account.

*Note: If you need immediate access, the Microsoft Authenticator app is the preferred option to secure and regain access to your SCUSD Microsoft account.

Q: Can I disable the lost MFA key fob from my account?

A: No! Please submit the MFA Incident Report and contact the support desk immediately for lost, stolen, or misplaced key fobs. For all MFA-related needs, please get in touch with Support@SCUSD.Edu.

*Note: If you need immediate access, the Microsoft Authenticator app is the preferred option to secure and regain access to your SCUSD Microsoft account.

Q: How quickly should I report the loss of my MFA key fob?

A: Report the loss of your MFA key fob as soon as possible. Prompt reporting lets your Technology Services secure your account and quickly prevent unauthorized access. Submit the MFA Incident Report to report your incident.

Q: Can I get a new MFA key fob?

A: The availability of a new MFA key fob depends on your employment status and the current needs of your situation.

Note: New key fobs are approved for damaged, defective, lost, stolen, or missing key fobs only. Submit the MFA Incident Report to inquire about obtaining a replacement key fob or explore alternative MFA methods. The Microsoft Authenticator app is the preferred option to secure and regain access to your SCUSD Microsoft account.

Authentication Code Prompts

Q: Why am I being prompted to enter the authentication code more often than my colleague(s)? Why am I prompted for the authentication code often?

A: The frequency of authentication code prompts varies between users, and the security settings of particular services or systems determine it. Expect prompts during logins, particularly when accessing sensitive and protected information or making significant account changes.

Here are common factors that may trigger the authentication code required: 

  • Login Location(s) 
  • Network (Different Wi-Fi)
  • Using a different device
  • System or Platform – Rules are imposed by the individual services (Infinite Campus, Microsoft, ClassLink, Outlook, etc.)
  • Activity deemed suspicious. 
  • Browser setting
  • Password Change