About MFA

Multi-factor Authentication (MFA) is used in cloud-based applications to keep WPI data secure.

MFA ensures the security of your account by verifying your login through another method, such as a personal device.

Upon logging in to your WPI account, if you have not done so already, you will be asked to set up MFA. It is required to access all resources that use Self-Service Password Reset or Microsoft Single Sign-On, including, but not limited to, Outlook, Canvas, OneDrive, and Zoom. You will need to complete MFA Setup within fourteen (14) days of first accessing your WPI account.

The Microsoft Authenticator app is the form of MFA that WPI supports. The application can be found in the Google Play or Apple App Store on your mobile device and the icon for the app can be seen in the image below. If you are unable to use this app, please use Get Support to contact the IT Service Desk.

Microsoft Authenticator Icon

Number Matching

The Microsoft Authenticator application uses number matching to verify your login. When you log in, you are asked to enter the number shown on the login screen into the Authenticator app in order to approve the authentication request. Number matching is more secure because it ensures that you are the one interacting with a legitimate authentication process. Other forms of authentication are vulnerable to attackers.

The image depicts an example of number matching where a user must enter the number provided by Microsoft to their Authenticator application.
  • Configure the Microsoft Authenticator App

    Logging into WPI while Overseas
    This method is required to use MFA while traveling internationally. It should be set up on a device that will be used during travel. While overseas, you will need access to a good Wi-Fi connection in order to use the app and log in to your WPI accounts.

    You will need your mobile device and a computer to configure the Microsoft Authenticator app. On your mobile device, click Install the Microsoft Authenticator App (Actions). Choose to get the app for iOS devices on the App Store or Android devices on Google Play.

    If prompted to allow notifications and/or access to the phone camera (needed to scan QR code), please click OK or Allow.

    On your mobile device:

    1. Download the Microsoft Authenticator App. 
    2. Once downloaded, launch the app.
    3. Add your WPI email account.
    4. Select School account.
    5. On your phone, you will be prompted to scan a QR code.
    Only Select Microsoft Authenticator App
    The Microsoft Authenticator App is the only form of MFA that WPI supports. Please ignore the other options on the Add a method page.  

    On your computer:

    • Click Update and Define Verification Methods (in the Actions section of this article) or if on the first time login prompt page, press the Next button
    • Press the Add sign-in method button and select Authenticator App
    • Follow the prompts by pressing Next
    • Use your mobile phone to scan the QR code on the prompt page
    Microsoft Authenticator QR Code prompt page. QR Code highlighted.

    Continue through the prompts by pressing Next. A test authentication will be sent to your phone. Match the numbers you're provided and confirm with Yes.

    When you log in to a WPI resource requiring MFA, a number will be displayed. Type that number into the Microsoft Authenticator app to complete the approval.

    Left: Approve sign in on login screen displays a number. Right: Authenticator app requires you to enter the number shown to sign in.
  • Remove Other MFA Options for WPI Account

    MFA for Non-WPI Accounts
    Please do not remove your current MFA method(s) for your accounts that are outside of WPI.

    After adding the Microsoft Authenticator App, it is important that you remove text and calling authentication options that you may have set up for your WPI account. 

    Security Keys
    Security keys, such as a YubiKey, are also a very secure method of MFA. If you already use a security key for your WPI accounts, please keep that method of authentication.

    If you have removed text and calling options prior to setting up the Microsoft Authenticator application, please contact the IT Service Desk. These options will be phased out in the near future because they have a greater potential for account compromise.

    1. Click Update and Define Verification Methods (Actions).

    2. For Security Info, only keep Microsoft Authenticator Push multi-factor authentication (MFA). For all other options, click Delete to the right of the item, then press OK. A window will appear confirming the deletion.

    3. Repeat for all items until only Microsoft Authenticator Push multi-factor authentication (MFA) remains.

    4. Click your profile in the upper right and choose Sign out.

  • MFA First Time Login

    When you visit any site that uses Microsoft Single Sign-On, or if you navigate to Update and Define Verification Methods (in Actions), you will be prompted to set up your Authentication Method:  

    Prompt for First Time Setup: Keep your account secure through the Microsoft Authenticator App.

    The Microsoft Authenticator App for WPI is set to use Number Matching. This is currently the most secure MFA option, designed to combat MFA fatigue and prevent accidental approvals and attacks where users are bombarded with approval requests.  

    This 1-minute video demonstrates what MFA fatigue looks like. You can skip the long introduction and start at 0:17 to see the MFA fatigue attack demo.

  • Process for Logging in with MFA

    In this two-step process:

    1. You log into the web application using your WPI email and password.

    2. You are asked for an additional verification, which is a numerical code that you receive. 

    A new numerical code is generated each time an authentication request is submitted. After verification, you will be granted access to the application. It is vital that you carefully look at the verification username to ensure it is truly your login being authenticated.

    Unexpected Notifications from Authenticator App
    If you receive a push notification on your Microsoft Authenticator app and you didn't try to log in a few seconds ago, then select No it's not me.
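
A simplified model of the number-matching check described above, added here as an illustration; it is not WPI's or Microsoft's code. The class name, the two-digit range, and the 60-second lifetime are assumptions made for the example.

```python
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a pending request stays valid (assumed value)


class NumberMatchingServer:
    """Toy identity provider; all names and parameters are hypothetical."""

    def __init__(self):
        self._pending = {}  # request_id -> (username, number, expires_at)

    def start_sign_in(self, username, now=None):
        # Password step passed: create a fresh number for this request only.
        # The number appears on the login screen; the push to the phone
        # carries just the request id and the username.
        now = time.time() if now is None else now
        request_id = secrets.token_hex(8)
        number = str(secrets.randbelow(90) + 10)  # two digits, 10..99
        self._pending[request_id] = (username, number, now + CHALLENGE_TTL)
        return request_id, number

    def approve(self, request_id, typed_number, now=None):
        # Called by the app. Each request can be answered exactly once.
        now = time.time() if now is None else now
        entry = self._pending.pop(request_id, None)
        if entry is None:
            return False
        _username, number, expires_at = entry
        if now > expires_at:
            return False
        return hmac.compare_digest(number, typed_number)


def simulate():
    server = NumberMatchingServer()
    # Legitimate login: the user reads the number from their own screen.
    rid, shown = server.start_sign_in("user@example.edu", now=0)
    legit = server.approve(rid, shown, now=5)
    # Unexpected notification: the account owner started no sign-in and
    # sees no number, so tapping through the prompt approves nothing.
    rid2, _ = server.start_sign_in("user@example.edu", now=100)
    blind = server.approve(rid2, "", now=105)
    replay = server.approve(rid, shown, now=110)  # answered request reused
    rid3, shown3 = server.start_sign_in("user@example.edu", now=200)
    late = server.approve(rid3, shown3, now=200 + CHALLENGE_TTL + 1)
    return {"legit": legit, "blind": blind, "replay": replay, "late": late}
```

Only the first case is approved: the number ties each approval to a login screen the user is actually looking at, which a plain Approve/Deny prompt does not.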