• Home >
  • CIT
  • > MFA Frequently Asked Questions

MFA Frequently Asked Questions

What is multi-factor authentication?
Multi-factor authentication (also known as two factor authentication or two step verification) is a security enhancement that allows you to present at least two factors to identify yourself when logging into an account. These factors can be any of the following three categories: 1) something you know (like a password or PIN), 2) something you have (like a phone or hardware token), 3) something you are (like your fingerprint). Your credentials must come from at least two different categories to be considered multi-factor authentication and to enhance security. Therefore, entering two passwords would not be considered multi-factor authentication.
Why do I need to use multi-factor authentication?
With more TSU systems using single sign-on (SSO) services, it has never been more important to protect your TSU account from unauthorized access. SSO services make it easier to access TSU systems using a common username and password. However, this also means the risk associated with a compromised username and password significantly increases. Phishing attacks, malware and social engineering constantly target the University population with the intent of stealing users' credentials to gain unauthorized access to TSU systems. While users should always create strong passwords to protect against unauthorized access, passwords alone are simply no longer a sufficient means of authentication. As a result, TSU now offers multi-factor authentication services to protect your TSU account. This means systems using SSO services will require a second factor of authentication in addition to a password. So if hackers compromise your password, they would still need a second factor such as a phone to complete an authentication request. 
Am I required to enroll in multi-factor authentication?
As of May 1, 2018, TSU's Information Technology Division made Microsoft Azure multi-factor authentication available to all users as a opt-in service. Multi-factor authentication will be required for faculty and staff starting on October 29, 2018 and for students staring on February 25, 2019. As of August 2017, all Information Technology Division employees are required to use multi-factor authentication to protect their accounts.
Is TSU the first university to implement Multi-Factor Authentication?
TSU is not the first university to implement multi-factor authentication. TSU will join many other higher education institutions who offer multi-factor authentication services including Harvard, Yale, Princeton, Columbia, Cornell, Stanford, Northwestern, Notre Dame, University of Alabama, University of Southern California, University of Michigan, Ohio State University, University of Miami, and Clemson. TSU will also join many commercial institutions who offer multi-factor authentication across their services including Apple, Google, Microsoft, Amazon, Facebook, Twitter, PayPal, Bank of America, Chase, Empower Retirement and TIAA-CREF.
Can I opt out of multi-factor authentication?
Opting into multi-factor authentication early is the best way for you to become familiar with the service before it is required. As such there is no means of opting out of the service. We encourage you to opt-in early and provide feedback of your experiences so that we can refine settings for everyone before it is required. You can also send your feedback via email to  helpdesk@tnstate.edu .
What is Microsoft Azure multi-factor authentication?
TSU's Information Technology Division implemented Microsoft Azure multi-factor authentication which provided the ability to use a smartphone or tablet as a second factor of authentication. Users can approve or deny authentication requests via online push notifications or generate verification codes using the Microsoft Authenticator mobile application. Users without smartphones or tablets may alternatively enroll a macOS or Windows computer with the Authy app or phone number to receive a text message with a verification code or a phone call to approve or deny requests. Users who do not have access to or do not wish to use the above options may contact the IT Help Desk at (615) 963-7777 or at helpdesk@tnstate.edu  for other options.
Do I need to have a smartphone to use multi-factor authentication?
No, you do not need to have a smartphone to use multi-factor authentication. Users without smartphones may use the Microsoft Authenticator mobile application on a tablet. Users without smartphones or tablets may alternatively enroll a macOS or Windows computer using the Microsoft Authenticator app or a basic cellular phone number to receive a text message with a verification code or a phone call to approve or deny requests. Users without access to a computer or a basic cellular phone can enroll a landline phone like an office or home phone to receive a phone call to approve or deny requests. Users who do not have access to or do not wish to use the above options may contact the IT Help Desk at (615) 963-7777 or at  helpdesk@tnstate.edu  for other options.
How do I enroll in multi-factor authentication?
Click  here for instructions on how to enroll your account with Microsoft Azure multi-factor authentication using the Microsoft Authenticator mobile application on your smartphone or tablet. Users without smartphones or tablets can click  here for instructions on enrolling a macOS or Windows computer using the Microsoft Authenticator app or can  click  here for instructions on enrolling a phone number to receive a text message with a verification code or a phone call to approve or deny requests. Users who do not have access to or do not wish to use the above options may contact the IT Help Desk at (615) 963-7777 or at  helpdesk@tnstate.edu  for other options.
Does it cost money to authenticate with my phone?
The Microsoft Authenticator mobile application, which is a free download, can generate verification codes that do not require a voice, text or data plan. Microsoft Authenticator's push notification feature consumes a very small amount of data and can use cellular or WiFi data. Users can use the Microsoft Authenticator app to generate verification codes on a macOS or a Windows computer for free. Using the text message or phone call options with your phone requires a text or voice plan and will be billed by your carrier like any other text message or inbound call. Users who do not have access to or do not wish to use the above options may contact the IT Help Desk at (615) 963-7777 or at  helpdesk@tnstate.edu  for other options.
What if I do not have a cellular data plan or cellular signal?
We recommend users enroll in multi-factor authentication using Microsoft Authenticator on a smartphone or tablet. The Microsoft Authenticator mobile application can generate codes offline and does not require a voice, text or data plan. Alternatively, users can enroll using the Microsoft Authenticator mobile application or on a macOS or Windows computer, and the Microsoft Authenticator application can similarly generate verification codes offline without the need for a voice, text or data plan. Users who do not have access to or do not wish the use above options may contact the IT Help Desk at (615) 963-7777 or at  helpdesk@tnstate.edu  for other options.
What if I leave my phone at home?
We encourage users to enroll multiple authentication devices with Microsoft Azure multi-factor authentication so that if you do not have access to your primary device, you can still use a backup device. For example, you can enroll another mobile device like a tablet with Microsoft Authenticator, a macOS or Windows laptop or desktop computer with the Microsoft Authenticator app or an alternate authentication device with Microsoft Azure multi-factor authentication.
Can I use the Microsoft Authenticator mobile application when traveling internationally?
Yes, you can use the Microsoft Authenticator mobile application when traveling internationally. The Microsoft Authenticator mobile application can generate verification codes that do not require a voice, text or data plan. If you have an international cellular data plan or access to WiFi, you can approve or deny authentication requests via online push notifications.
How do I authenticate if I cannot use the Microsoft Authenticator mobile app?
If you cannot receive push notifications from the Microsoft Authenticator mobile app, you can use a verification code generated on the mobile app. If you cannot use the Microsoft Authenticator app, you can receive a text message with a verification code. If you cannot use the Microsoft Authenticator app or receive a text message, you can receive a phone call to approve your sign-in request. 
What is an App Password and do I need to use one?
Some applications like Outlook, Apple Mail and Microsoft Office do not support using a phone to secure your account with multi-factor authentication. You can instead use an App Password when connecting an email client on a mobile device to your TSU account. Students who have their MTMail account configured in an Apple Mail, Outlook or other email client on their smartphones, tablets, or personal computer will need an App Password to use in place of your MTMail password. When prompted by your email client for a password, you will need to use this App Password. You will need an App Password per email client per device. Employees do not need to use the App Password to access their email on their smartphone or tablets or personal or work computers at this time. 
What if I want to change my authentication method later after I already enrolled?
You can change your authentication method (e.g. from text message to Microsoft Authenticator) at any time by logging into your Microsoft Azure account online. 
What if I change my phone number or buy a new phone?
If you purchase a new smartphone, as long as you didn't change your phone number, you can still complete your login request by receiving text messages or phone calls to log into your TSU account online (click here to read about alternate ways to sign into your TSU account such as receiving text messages or phone calls). You can then install the Microsoft Authenticator app on your new smartphone and enroll the app. Similarly, if you change your phone number, as long as you still have access to the Microsoft Authenticator app, you can still use the app to approve your login request. You can then log into your account online and update your phone number. If you cannot accomplish these steps for any reason, please contact the IT Help Desk at (615) 963-7777 or at helpdesk@tnstate.edu .
What if I lose my phone or suspect someone stole my phone?
We encourage users to enroll multiple authentication devices with Microsoft Azure multi-factor authentication so that if you do not have access to one device, you have at least one more device from which to choose. For example, you can enroll another mobile device like a tablet with Microsoft Authenticator, a macOS or Windows laptop or desktop computer with the Microsoft Authenticator app or an alternate authentication phone like a home phone. Click  here  for instructions on how to enroll an alternate authentication device with Microsoft Azure multi-factor authentication.