Multi Factor Authentication (MFA)
Caltech is taking steps to improve security for our email and file services, by requiring use of Multi-Factor Authentication (MFA) on all campus Microsoft Office365 accounts and other critical applications. Many campus personnel are already using MFA now when logging into campus systems or services.
What is MFA?
Authentication, both online and in the physical world, normally consists of at least one of the following "factors":
- Knowledge: something you know (e.g., a password or code)
- Possession: something you have (e.g., a physical key or a card)
- Inherence: something you are (e.g., the person with a particular set of fingerprints or facial features)
Traditional online authentication only requires a single factor, usually a username and password combination that the user knows. MFA combines that factor with at least one other, such as a physical hardware token ("something you have"). MFA is sometimes also referred to as two-factor authentication, but it is not necessarily limited to just two.
Why are we requiring MFA?
Authentication systems that are based on usernames and passwords are increasingly proving to be inadequate for protection of online resources and the data that they process or store. Passwords for campus systems are subject to a wide variety of attacks, ranging from simple repeated automated guessing to theft via sophisticated impersonation schemes such as those used in phishing scams.
MFA using Duo Security is convenient and greatly reduces the likelihood of successful unauthorized access to a protected account, even if an account's password is already known to an attacker. For Office365 access including email, Sharepoint, OneDrive and Teams, users are prompted to approve their login with the Duo Mobile app or by entering an approval code about as often as you are currently prompted to enter your password alone: i.e., whenever accessing the service from a new device, web browser, or software application.
When will MFA be required for Office365?
Starting in 2016, Caltech has implemented MFA on a mandatory basis to safeguard access to specific key systems, resources and user accounts, while also offering it on an opt-in basis for the general campus population.
This year (FY2022), we are moving to protect all campus Office365 accounts with MFA. Implementation will be in a phased approach in order to avoid overwhelming IMSS support services. During this period, all Caltech account-holders are welcome to opt into using MFA for Office365 access at your convenience, before IMSS contacts you about getting set up.
You can get started now
- Self-enroll your mobile device if you haven't already done so.
- Prepare your email client for MFA using Modern Authentication.