Multi-factor authentication (MFA) is a process where a user is prompted during sign-in for an additional form of identification, such as entering a code sent to their cellphone or clicking a confirmation link sent to an alternative email address.
If you only use a password to authenticate, your account is protected by a single factor that an attacker can guess or steal. If your password is weak or has been exposed elsewhere, is it really you signing in, or is it an attacker? Multi-factor authentication (MFA) helps protect your account by adding verification methods that are not easy for an attacker to obtain or duplicate.
How does MFA work?
Registering MFA methods such as notifications or codes received by mobile app, phone, or text messages on your account makes it harder for bad actors to log in as if they were you. You may even be familiar with this feature: your bank, social media, and shopping sites already offer multi-factor authentication to help protect your personal data!
Depending on your configuration, from time to time you’ll need to respond to an approval request or type in a numeric code retrieved from your phone or email.
You won’t have to do this every time you log in; eventually, the system will recognize all of your devices and locations. It will only prompt you for an additional authentication confirmation when you are logging in from a brand new device or location it has not seen before. Why? Because log-in attempts from unrecognized devices or locations are often someone else attempting to compromise your account.
Available verification methods
Multi-factor authentication works by requiring two or more of the following authentication methods:
- Something you know, typically a password
- Something you have, such as a trusted device that is not easily duplicated, like a phone, a secondary email address, or a hardware key
The following forms of verification can be used with multi-factor authentication:
- Microsoft Authenticator app
- SMS text message
- Voice call
- Email confirmation to alternative account
The Microsoft Authenticator app asks the user to simply Approve or Deny the request. Other forms require the user to enter a temporary code.
It’s important to have a primary verification method such as a mobile app as well as a backup, in case you cannot use your primary method.
How often will I need to verify my account?
Once you have registered MFA methods on your account, you may receive an MFA prompt the next time you log in to an application or service configured to use our new cloud-based SSO platform introduced as part of the NetID 2.0 project. You can choose any one of your registered forms of additional verification; your primary method, such as an authenticator mobile app, will be triggered by default.