Multi-Factor Authentication (MFA)
MFA helps safeguard access to data and applications. As the name suggests, a multi-factor solution uses at least one factor from two or more categories to validate whether an individual's identity can be confirmed. Generally, the categories are:
- Something you know: a password, the answer to a security question, a birthdate.
- Something you have: a number sent to a cell phone, a key to a lock.
- Something you are: a fingerprint, voice recognition, or facial recognition.
In practical terms, asking for a password and a birthdate is not adequate: both are something you know, so a single breach of a system that stores that information exposes both of them at once. On the other hand, asking for a password along with a unique, one-time code sent to your cell phone is true multi-factor authentication.
Reasons for MFA
Identity theft is an easy, low-risk, and high-reward crime. According to Verizon's Data Breach Investigations Report in 2018, weak or stolen user credentials are used in 95 percent of all web application attacks. And it's not just about data theft: hackers also destroy data, change programs, and use servers to transmit spam or malicious code. Anti-virus software and advanced firewalls and detection/prevention systems are necessary security elements, but if user authentication is compromised, then we have just unlocked and opened our front door to intruders.
How MFA Works
In late 2016, the IT Steering Committee that governs the Division of Information Technology's (DoIT's) project work approved an effort to implement an MFA solution across campus that would reduce the number of compromised accounts, roll out self-service password resets (SSPR), and achieve compliance with a number of federal and state laws that actually require MFA for security and privacy protections.
Since then we have implemented SSPR for all faculty, staff and students (password.niu.edu) and MFA for students who log in to systems that authenticate via Microsoft's Azure Active Directory (AD) environment. This includes the entire Office365 suite (email, calendaring, OneDrive, SharePoint, etc.) and Blackboard. While enforcing MFA for students drastically reduced the number of compromised accounts and resulting spam in NIU's O365 environment, the risk of an information security and data privacy breach still remains.
Next Steps for MFA at NIU
The next MFA implementation will include faculty and staff who log in to Office365/Outlook, Blackboard, and our secure VPN service (secure.niu.edu) for heightened privileges to private or restricted data.
The good news is that Microsoft's Azure AD environment will soon combine MFA and SSPR into one user portal making it easier to enter and change a cell phone number and a personal email address both to authenticate from off-campus and to reset one's own password.
Frequently Asked Questions
Why is a cell phone required for MFA?
Multi-factor Authentication uses at least two of three factors:
- Something you know
- Something you have
- Something you are
Microsoft uses something you know and something you have. Cellphones are something you have and a password is something you know. A text message to a cellphone (or even an actual call) and the Mobile App are the best ways to easily enroll people into MFA.
When is MFA required?
Whenever you are not on the NIU Network (including NIUGuest wireless).
How often will I have to MFA?
When accessing apps including Office365, Blackboard, and Qualtrics off the NIU Network, you will be required to MFA once every 30 days. However, if you are accessing these resources from a new device or a new application (e.g., Chrome, Firefox) for the first time, you will be required to MFA again.
I logged into O365 without MFA but when I accessed another app I was required to use MFA. Why?
If you are off the NIU network and are past the 30-day requirement or accessing O365 on a new device, you will not be asked to MFA until you access an app.
What are the methods for alternate contact information?
Mobile phone (text), land-line phone (call) and the recommended Microsoft Authenticator App.
Why is the Authenticator App recommended?
The Microsoft Authenticator App grants access to your account with one click and can be used to log in without the need for cellular data or wireless connections. Simply use the changing number when MFA is required. This makes the Authenticator App well suited to overseas travel, when your cellular or wireless connections may be incurring additional charges.
What is Basic Authentication and why is it being disabled?
Basic Authentication is an older and less secure authentication method that requires only a user name and password, so it cannot work with MFA. For example, native email on an Android device or the native Mail client on macOS use only Basic Authentication and therefore will not be able to sign in once we disable Basic Authentication.
Why do I need to enable my camera when setting up the Authenticator App?
The Microsoft Authenticator App needs to scan the QR code during setup. If you do not allow the use of the camera for this task, you cannot configure the app. Once you have completed the setup of the Authenticator App, you can go into your settings on your device and disable the app from using your camera.
Why can't I use an alternate email as my second factor?
An alternate email address is "something you know", so using it with your NIU Account ID and password is not using a true second factor. Thus, this isn't true Multi-Factor Authentication.
Can I use a land-line or office phone for my second factor?
Yes, but we strongly recommend you use a cellphone if you choose the call option. If you're asked to use MFA in a location where your land-line is unavailable, you won't gain access to your accounts.
I am a student who already has MFA enabled but I also have a student employee account. Can I add this second account in the Authenticator App?
Yes. In the Authenticator App click on the + in the upper right corner and select work account.
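The two rules this page spells out, that credentials only count as MFA when they come from distinct factor categories, and that off-network access prompts for MFA on every new device/application combination and again once 30 days have passed, can be written down as a small policy check. The following is an added illustration, not NIU's or Microsoft's code; the credential-to-category table, the `MfaState` record and the ISO date strings are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Constructed mapping from credential type to factor category, following the page's examples.
CATEGORY = {
    "password": Factor.KNOW, "security_question": Factor.KNOW, "birthdate": Factor.KNOW,
    "alternate_email": Factor.KNOW,  # the FAQ classes an alternate email as "something you know"
    "sms_code": Factor.HAVE, "phone_call": Factor.HAVE, "authenticator_app": Factor.HAVE,
    "fingerprint": Factor.ARE, "face": Factor.ARE,
}


def is_true_mfa(presented):
    """True only if the presented credentials span at least two distinct categories."""
    return len({CATEGORY[c] for c in presented}) >= 2


REAUTH_WINDOW = timedelta(days=30)  # the 30-day off-network window described in the FAQ


@dataclass
class MfaState:
    """Hypothetical per-user record: (device, app) -> ISO date of the last successful MFA."""
    last_mfa: dict = field(default_factory=dict)


def mfa_required(state, on_niu_network, device, app, today):
    """Decide whether to prompt. On the NIU network: never. Off the network: on any
    device/app combination seen for the first time, and again once the window has elapsed."""
    if on_niu_network:
        return False
    last = state.last_mfa.get((device, app))
    if last is None:
        return True  # new device or new application
    return date.fromisoformat(today) - date.fromisoformat(last) > REAUTH_WINDOW


def record_mfa(state, device, app, today):
    """Call after a successful prompt so the 30-day window restarts for this device/app."""
    state.last_mfa[(device, app)] = today
```

Because the check runs only when an app is accessed, a user who is past the window is not prompted until the next access, which is the behaviour the O365 question above describes.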
Self-Service Password Reset (SSPR)
Before SSPR was implemented at NIU in November 2017, the Division of Information Technology (DoIT) performed approximately 20,000 password resets over the phone each year at a cost of close to $120,000/year. The Microsoft-based SSPR asks for alternate contact methods (text to a phone; call to a phone; non-NIU email address) and then when you need to change your password or if you've forgotten it entirely, SSPR uses one of your stored contact methods to assist you.
The new SSPR functionality should have resulted in a large amount of cost savings for NIU, but the Service Desk still processes password resets for many who may not have completely or accurately added alternative contact methods. This is costly, but perhaps more importantly, the validation of identity over the phone presents a security risk. Asking for a name, NIU Account ID, a birthdate, or even the last four digits of a Social Security Number is no longer a best practice to validate identity when so many of these data elements are easily discoverable by bad actors.
For these reasons, the IT Service Desk will cease performing password resets over the phone in the summer of 2019 for currently employed faculty/staff and enrolled students who already have access to SSPR. We will, of course, continue to reset passwords in person at our Technology Support Desk in Founders Library or in rare circumstances where an in-person reset presents an undue burden in comparison with the security risk of a data breach.