
 Microsoft Multifactor Authentication

UWSP protects user accounts and High Risk data by requiring the use of multi-factor authentication when accessing important applications and systems.

Microsoft Multifactor Authentication (MFA) is UWSP's multi-factor authentication solution and is a UW-System mandate.

Why is Multifactor Authentication important?

Multifactor authentication protects your personal information and data by adding a second layer of security to your current username/password logon authentication method. 

Microsoft MFA requires a second form of authentication, such as accepting a notification sent to the Microsoft MFA app on your mobile device or entering a code generated by a security/hardware token (i.e. "key fob").

UWSP's Student Information System (SIS) and accesSPoint have previously used Duo Security to provide a secondary form of secure authentication. With the change to Microsoft MFA, UWSP broadens its digital security footprint to further protect student, employee, and campus data.


Click Here to set up Microsoft MFA now!

See "Set up Microsoft MFA Authentication" below for detailed instructions.

For help or questions with Microsoft MFA authentication at UWSP, please contact the IT Service Desk.

What are my options for authenticating with MFA?

 Employee MFA options

UWSP employees may only use the Microsoft MFA app or their IT-assigned hardware token for their secondary authentication method. 

All employees should set up the Microsoft MFA app on their mobile devices and request their hardware token as soon as possible to ensure that a back up secondary authentication method is always available.

Why are the Microsoft MFA app and a hardware token the only allowed secondary authentication methods for UWSP employees?

According to National Institute of Standards and Technology (NIST) standards, these methods provide a higher level of secure secondary authentication, which is required for UWSP employees.  Less secure secondary authentication methods such as SMS or voice calls will be regularly disabled via an automated script if they are added to an employee account.

See "Why are employees only allowed to use the MFA app or a hardware token?" in the MFA Help section below.

 Student MFA options

Students can use the following options for authentication via MFA:

  • Install the Microsoft MFA app on your mobile phone or tablet (the easiest authentication method).

  • Receive an SMS or voice call to your mobile phone, or a call to your landline phone.

  • Purchase a hardware token from the UWSP Service Desk (see "How to request a hardware token?" below).

Authenticating with the MFA app is the easiest authentication option for accessing your secure UWSP resources.

 What is a hardware token?

A hardware token is a small device that generates a one-time use six-digit passcode. 

When logging into a secure UWSP resource you can opt to "sign in a different way" and choose to enter the passcode generated by your hardware token if your mobile device or other authentication option is not available. 

There is no need for you to add your hardware token as an additional authentication method to your myaccount.uwsp.edu portal.  It will be configured for your account upon receipt.

MFA hardware tokens fit on a keychain making them easy to remember wherever you go.


Set up Microsoft MFA authentication

Information Technology strongly recommends that you install the Microsoft MFA Authenticator app on your mobile devices where possible for ease of use and for the most secure secondary authentication experience. Follow Steps 1 and 2 below to install the Authenticator app.

In addition to the Authenticator app you need a back up verification method in the event you experience problems or your preferred verification method is unavailable.

  • All current UWSP employees are required to have a hardware security token as their back up verification method. See "Step 3 - For Employees" below for more information.

  • Students, retirees, volunteers, and contractors have several back up verification options available.  See "Step 3 - For Students, Retirees, Volunteers & Contractors" below.

 Step 1 - For Everyone: Get the MFA Authenticator app here

Get the MFA Authenticator app from:

 Step 2 - For Everyone: Set up the Microsoft MFA app

Best Practice: set the default authentication method to the MFA app after setting up multifactor authentication, then install the Microsoft MFA app on any additional mobile devices that you own.

Prefer a video to written steps?  See the video at the bottom of this section!

Set up the MFA App:

  1. On a computer, log into myaccount.uwsp.edu with your UWSP logon.

  2. Doing this part on a computer allows you to scan a QR code, the easiest set up method.

  3. In the Security info box, click UPDATE INFO >


  4. Click Add Method then select Authenticator app and click Add.

  5. Download and install the Microsoft Authenticator app to your mobile phone or tablet.

  6. Open the Authenticator app and tap I agree to the Privacy information screen.  In a moment, you will tap Scan a QR code.

  7. On your computer click Next through the Start by getting the app and Set up your account windows.

  8. You should now see a QR code in the Microsoft Authenticator window on your computer screen.

  9. On your mobile device tap Add Account.  

  10. Tap Work or School Account.  Allow any requests for permissions.

  11. Tap Scan a QR code. 

  12. Tap OK to access camera and to Allow notifications, then hold your device camera over the QR code to scan.

  13. On your computer: click Next and follow the remaining prompts on both your computer and mobile device to Approve and complete the setup.

  14. Once you Approve, you may be asked to re-enter the lock screen passcode for your mobile device (e.g. PIN, a shape, or fingerprint).

See the section, "Testing your authentication methods" below.

See the video: "Installing the Authenticator App"!

 

 Step 3 - For Employees: Request a hardware token

In addition to the MFA app, all UWSP faculty, staff, and student staff are required to have an IT-assigned hardware token as a back up authentication method.  SMS and voice call authentication methods will be disabled via an automated script if added to an employee's account.

See "Requesting a Hardware Token" below to learn how to receive your IT-assigned hardware token.

 Step 3 - For Students, Retirees, Volunteers & Contractors: Configure one of these options

In addition to the recommended Microsoft MFA app, students may also add the following secondary authentication methods as back up.

  • SMS

  • Phone call

  • Hardware token (Students may request an optional hardware token if they wish to have this additional back up method. A $12 fee is applied to the student's account. See the following section, "Requesting a Hardware Token" for more information.)


How to add SMS or phone call as back up authentication methods

  1. On a computer or mobile device, sign into myaccount.uwsp.edu with your UWSP logon.

  2. In the Security info box, click UPDATE INFO >


  3. Click Add Method then select a phone option and click Add.

  4. Enter your phone number and select Text me a code or Call me to confirm your authentication method.

  5. Click Next.

  6. You will receive an automated call or SMS to the entered phone number asking you to confirm the registration of your phone.

See "Testing your authentication methods" below.


​Requesting a Hardware Token

All UWSP employees, including student staff, are required to have an MFA hardware token as a secure additional authentication method. For more information on how to request your hardware token, see "How to request a hardware token" below.

Hardware tokens are optional for UWSP students, retirees, emeriti, and volunteers and can be purchased as a good back-up secondary authentication method.  See "How to request a hardware token" below for more information.

 How to request a hardware token

Best Practice: for easiest authentication, set the default authentication method to the MFA app. Install the Microsoft MFA app on any additional mobile devices that you own. Use a hardware token as your secure back up authentication method.

Anyone can request a hardware token to use in addition to the Microsoft Authenticator app.

Employees including Student Staff

Employees (including student staff) are required to have a hardware token.  See "Request a hardware token" below.  Your first hardware token is provided at no cost to you or your department.

Hardware security tokens belong to UWSP.  When leaving university employment, faculty/staff hardware tokens must be returned to IT or to the department.  Student staff hardware tokens must be returned to the hiring department/employer.

Lost hardware tokens: A $12 replacement fee will be charged to the department (or department/student employer in the case of student staff) if a hardware token is lost or damaged and must be replaced.

 

 


Students, Retirees, Emeriti, and Volunteers

Students, Retirees, Emeriti, and Volunteers are not required to have a hardware token, and are instead encouraged to use Phone SMS or Voice options as their back up authentication method.  If a hardware token is desired, you may submit a request to purchase a token using one of the methods below.  There is a $12 charge for each hardware token. 

Students: the $12 fee for a hardware token will be billed to your student bill.

Retirees, Emeriti, and Volunteers:  please contact your university department to ask if they will cover the cost of your hardware token and to request their approval.


Request a Hardware Token

Click Request a hardware token (you will have the option to have the hardware token mailed to you).

After requesting a hardware token, you will be asked to schedule an appointment to pick up and activate it at the MFA - Security Token Pickup page. If you chose to have a token mailed to you, be sure to select the on-line meeting option.

See the following: "Students/Employees Requirements for receiving and activating your hardware token".

 Employees: Requirements for receiving and activating your hardware token

If you chose to pick up your hardware token at the IT Service Desk:

You may make an appointment with the IT Service Desk to pick up a hardware token.  Masks are required for all Service Desk visits.

Or for COVID-19 distancing purposes, you can request a hardware token be mailed to you.

You will need identification:

You must present two forms of picture ID at the Service Desk or during your scheduled video call.

If you choose to have your hardware token mailed:

Hardware tokens will be mailed via registered mail to your HRS mailing address.  Your MFA hardware token must be activated before it can be used.

IMPORTANT: your hardware token will be mailed to the address you have on record in HRS. Please log into your MyUW portal to confirm or update your current address. Help documentation on updating your personal information is available if needed.

It will take 7-10 business days to receive your hardware token through the mail.  If you do not receive your token within two weeks, please contact the IT Service Desk.

To activate your hardware token, schedule a time to meet virtually with a service desk staff member (e.g. Zoom or Microsoft Teams video call). You will need to show them your two forms of picture ID and read them the serial number on the token. The staff member will match the serial number to the serial numbers on file. This confirms your receipt of the hardware token so that it can be activated.

Allowed forms of ID:

  • University ID (required)

AND one additional form of picture ID from the following:
  • Drivers license

  • Passport

  • State ID

 Students: Requirements for receiving and activating your hardware token

Students may purchase an MFA hardware token if they desire this additional secondary authentication method. Hardware tokens are billed to a student's account.

To get a hardware token while on campus

  1. Make an appointment with the IT Service Desk to pick up a hardware token. Masks are required for all Service Desk visits.

  2. Bring your University ID and one additional form of picture ID (See "Allowed forms of ID" below).

Your hardware token will be activated and ready for use.

To request a hardware token be mailed to you

For COVID-19 distancing purposes, if you do not wish to come to the IT Service Desk, you can request a hardware token be mailed to you.

You must:

  • Schedule a video call with the IT Service Desk (e.g. Zoom or Microsoft Teams video call).

  • Present your University ID and one additional form of picture ID during this video call (See "Allowed forms of ID" below).

Your hardware token will be mailed to you via registered mail. It must be activated before it can be used.

To activate your hardware token: email the serial number (SN) to the IT Service Desk from your UWSP student email.  The serial number will be matched to the serial numbers on file. This confirms your receipt of the device and lets the Service Desk know that it can be activated.

IMPORTANT: Hardware tokens are billed to a student's account. The IT Service Desk does not take direct payment in any form.

Allowed forms of ID:

  • University ID (required)

AND one additional form of picture ID from the following:
  • Drivers license

  • Passport

  • State ID


IMPORTANT: How to change your default authentication method

Knowing how to change your default authentication method is important as it allows you to quickly replace your default if ever needed.

Information Technology strongly recommends that you set the MFA app to be your default authentication method.  Using the MFA app offers a higher level of secure identity assurance than does SMS or voice calls. If the MFA app is not currently set as your default, the following information will help you to easily make this change.

 Change your default authentication method

Setting your default authentication method to Microsoft Authenticator - Notifications offers the easiest authentication.  Fortunately, Microsoft Authenticator - Notifications automatically becomes your default if the Microsoft Authenticator app is installed before other authentication methods are added.


To see what your default authentication method is, or to change your default authentication method:
  1. On a computer or mobile device, sign into myaccount.uwsp.edu with your UWSP logon.

  2. In the Security info box, click UPDATE INFO >


  3. Your default authentication method displays at the top.

  4. To change your default, click Change.

  5. Click the dropdown and select your preferred authentication method to make it your new default.

  6. Click Confirm.



​How to test your MFA

Information Technology provides the following easy tool to test the Microsoft Security Verification methods you have added under My Account > Security Info.

If at any point you have questions or need help with your Microsoft MFA authentication, please contact the IT Service Desk.

 Testing your authentication methods

To test the authentication methods you have added under your myaccount.uwsp.edu portal:

  1. Go to testmfa.uwsp.edu/ and click Sign In.

  2. Sign in with your UWSP logon.

  3. Select Azure Multi-Factor Authentication to test your Microsoft MFA authentication methods.

  4. The default authentication method that you selected in your myaccount.uwsp.edu portal will immediately prompt you to authenticate.

    To test your additional back up method(s),

  5. Click Use a different verification option.

  6. From the list of verification methods that displays, select the back up method you would like to test.  See the following section, "Access your secure UWSP resources with MFA".

  7. When you have verified your authentication method click Sign Out. This will take you to the Sign In screen. From here, you can either close your browser or click Sign In to test another authentication method. Note: to test another verification method, you must sign out and then click Sign In again.



Access your secure UWSP resources with MFA

When logging into a secure UWSP resource, MFA authentication will prompt you: 

  • the first time you log in after setting up the MFA app, and, 

  • each time your MFA authentication expires.

See the section, "UWSP resources requiring MFA, deadlines, and other information" below for a list of MFA prompt frequencies for UWSP protected resources.

Depending on which UWSP resource is requesting authentication, you will see one of two different prompts: a Microsoft branded authentication prompt or a prompt with UWSP branding.

There are slight differences between the two.


 How to authenticate using the MFA App

If your default authentication method is set to Microsoft Authenticator - Notification, authenticating is as easy as tapping Approve on your mobile device screen.

  1. Log into the secure resource when prompted. 

  2. Depending on the resource, a request to authenticate will display.

  3. If you are authenticating to a Microsoft branded screen prompt (for products such as Office 365, OneDrive and Teams) you will see a notification telling you to respond to the MFA app on your mobile device.


    ~ OR~

    If you are authenticating to UWSP's integrated third-party services that require an extra authentication security layer, click Azure Multi-Factor Authentication to authenticate with Microsoft MFA.

    You will again see a window notification to respond to the MFA app on your mobile device.


  4. On your mobile device, you should see a notification letting you know that the MFA app has received an authentication request. Make sure that notifications and alerts are enabled for the Authenticator app on your device.


  5. Tap to open this notification or open the MFA app on your mobile device. You may additionally be prompted to enter your device passcode.

  6. Tap Approve to approve signing in to the secure resource.

IMPORTANT:  When logging into a secure UWSP resource, make sure to immediately check your mobile device and MFA app for a prompt asking you to Approve your authentication to that resource.

Some, but not all, secure resources may also display a notification on your computer screen reminding you to approve MFA authentication on your device. 

Information Technology strongly recommends that you install the MFA app on all of your mobile devices and set the app as your default method of authentication.  Make sure to have your device next to you whenever you anticipate needing to access protected UWSP resources.

 How to authenticate with a hardware token

Make sure to see the section, "Special requirements when using your hardware token with Remote Computer Access and VPN".

 

If authenticating to a Microsoft resource:

On the Approve sign in request screen, click Sign in another way.

Then from the list of verification options, select the option to use a verification code.



If authenticating to one of UWSP's integrated third-party services:

Select Azure Multi-Factor Authentication (for Microsoft MFA) and select Use a different verification method on the next screen.

Then from the list of verification options, select the option to use a verification code.


 How to authenticate with SMS or phone call

Note: SMS and phone methods of authentication are available to students only. To use this authentication method you must have a phone added under your myaccount.uwsp.edu portal.

If authenticating to a Microsoft resource:

On the Approve sign in request screen, click Sign in another way.

Then from the list of verification options, select the option for Text or Call.



If authenticating to one of UWSP's integrated third-party services:

Select Azure Multi-Factor Authentication (for Microsoft MFA) and select Use a different verification method on the next screen.

Then from the list of verification options, select the option for Text or Call.



Special requirements when using your hardware token with Remote Computer Access and VPN

Remote computer access (e.g. Remote Desktop, Remote/Online Access Labs) and VPN are older technologies that are unable to accept the entry of a numeric code as a verification method.

Because of this, if your mobile device is not available and you must use a hardware token to authenticate to these remote access services, a secure intermediary tool must be installed on your personal computer.  The verification code generated by your hardware token is then entered into this tool, which passes your authentication to the remote service, allowing you to log in.

UWSP uses the BIG-IP Edge Client to provide this intermediary service.

Note: only your hardware token and the codes generated by the MFA app require authentication via the BIG-IP Edge Client.  For easiest authentication, Information Technology strongly encourages you to install the MFA app on your mobile device and have your device with you when you work.

 Set up BIG-IP Edge Client

To use BIG-IP Edge Client it must be installed on the off-campus computer (e.g. your personal computer) which is connecting to UWSP.

 

To install BIG-IP Edge Client for PC

  1. You must first download the BIG-IP Edge Client for PC (Download the Mac version here) on the off-campus computer.

  2. On a Windows 10 computer, the download will display at the lower-left corner of the screen.

  3. Click the Ellipses and select Keep. From here you can continue with step 2, or instead, open your Downloads folder in File Explorer and skip to step 6.

  4. Click Show more.

  5. Select Keep anyway.

  6. Below UWSP_FOB_VPN_Setup.exe click Show in folder.

  7. This opens the Downloads folder in your Windows Explorer.

    To install:

  8. Double-click UWSP_FOB_VPN_Setup.exe

  9. In the Setup screen click Next >.

  10. Click Install.

  11. Wait for the install to complete, then click Next (the installer may immediately move to the Completing screen).

  12. Click Finish.
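Because the steps above have you choose Keep anyway past the browser's download warning, one way to check the file before double-clicking it in step 8 is to inspect its Authenticode signature and record its SHA-256 hash. This is an added example, not part of UWSP's instructions; the Downloads path and the expected publisher string are assumptions (the page does not say whether or by whom the installer is signed).

```powershell
# Added example (not UWSP's code): check the downloaded installer's Authenticode
# signature and hash before running it.
# ASSUMPTION: the file sits in the current user's Downloads folder, as in the steps above.
# ASSUMPTION: $ExpectedPublisher is a placeholder; the page does not name the signer.

function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Text expected inside the signer certificate subject (placeholder value).
        [string]$ExpectedPublisher = '<publisher name confirmed by the IT Service Desk>'
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $signer = $sig.SignerCertificate

    # Literal, case-insensitive match of the publisher text against the subject.
    $publisherMatches = $false
    if ($signer) {
        $publisherMatches = $signer.Subject.IndexOf(
            $ExpectedPublisher, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }

    [pscustomobject]@{
        File             = (Resolve-Path -LiteralPath $Path).Path
        Sha256           = $hash.Hash
        SignatureStatus  = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        StatusMessage    = $sig.StatusMessage
        SignerSubject    = if ($signer) { $signer.Subject } else { $null }
        SignerThumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        Timestamped      = [bool]$sig.TimeStamperCertificate
        PublisherMatches = $publisherMatches
        # Only a valid signature from the expected publisher counts as a pass.
        SafeToRun        = ($sig.Status -eq 'Valid') -and $publisherMatches
    }
}

$installer = Join-Path $env:USERPROFILE 'Downloads\UWSP_FOB_VPN_Setup.exe'
$result    = Test-InstallerSignature -Path $installer
$result | Format-List

if (-not $result.SafeToRun) {
    Write-Warning ('Signature is missing, invalid, or from an unexpected publisher. ' +
                   'Do not run the installer; contact the IT Service Desk.')
}
```

The Sha256 value in the output can also be read to the IT Service Desk if they are able to confirm the hash of the current installer.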


 Authenticating with MFA through BIG-IP Edge Client

  1. Open BIG-IP Edge Client from your Start menu.

  2. Click Connect.

  3. Log in with your UWSP logon.

  4. When the BIG-IP Client has finished connecting you will be prompted for your second authentication method.

  5. Select Azure Multi-Factor Authentication.

  6. To authenticate with your hardware token select Use a different verification method.

  7. Select Use verification code from mobile or hardware token to enter the code from your hardware token screen.

  8. You can now log into your remote access service as you normally do.  BIG-IP Client should continue to run in the background for additional remote access sessions.

If the BIG-IP Client becomes disconnected you will no longer be able to authenticate to remote access services and will instead see an error prompt. For example, a computer restart will force a client disconnect.

If you find that you have been disconnected from BIG-IP Client, open the client from your Start menu again and reconnect as above.

If you experience further connection problems, please contact the IT Service Desk.

 

Can't find the answer?  Contact the IT Service Desk!

MFA help

 Will having the Microsoft Azure Authenticator app installed on my device open my device up to open records requests?

No. The Microsoft Azure Authenticator app is only used as a secondary authentication form and stores no data that could be requested via an open records request.

The Public Records Law applies based upon the content of a record, and not its location. A work related email or text message is a public record whether it is sent or received on a personally owned device or a UWS/institutional device. A personal email unrelated to work is not a public record no matter where it is located. Using an employment related application, such as Outlook or multi-factor authentication, on a personal phone might generate a public record. However, it won’t subject the rest of an employee’s phone to a public records request. For further resources on this topic, visit the UW System Public Records website.

 Which mobile devices support Microsoft MFA?

Microsoft MFA is supported on Microsoft, Android, and iOS mobile devices.

 UWSP resources requiring MFA, deadlines, and other information

Note: the following list is not all-inclusive. All web-based UWSP resources will eventually require a secondary form of authentication.

| Application | MFA Use Enforced By Date | MFA Prompt Frequency |
| --- | --- | --- |
| Remote Desktop | 12/31/2021 (All UWSP Accounts) | Each use. |
| Remote/Online Access Labs | 12/31/2021 (All UWSP Accounts) | Each use. |
| VPN (Virtual Private Network) | 12/31/2021 (All UWSP Accounts) | Each use. |
| Office 365 cloud and desktop apps (includes Outlook and OneDrive) | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |
| Microsoft Teams | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |
| accesSPoint* | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |
| Canvas | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |
| Docusign | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |
| HRS / SFS | 6/1/2021 (Employees); 11/1/2021 (Students) | Each use. |
| Maxient | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |
| myPoint | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |
| Navigate | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |
| ShopUW+ | 6/1/2021 (Employees); 11/1/2021 (Students) | Each use. |
| SPIN | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |
| WISER | 6/1/2021 (Employees); 11/1/2021 (Students) | Each use. |
| Zoom | 6/1/2021 (Employees); 11/1/2021 (Students) | Every 30 days per device and with password changes.* |

* To only authenticate every 30 days, you must check the option when prompted.

 Why are employees only allowed to use the MFA app or a hardware token?

Using the MFA app or hardware token provides a strong form of secondary authentication. 

According to NIST standards (National Institute of Standards and Technology), SMS and voice calls are considered weaker forms of secondary authentication when securing an organization's resources.  Because employees frequently need to access UWSP systems that house sensitive data for the campus, a higher level of identity assurance is needed.

 I can't find my phone or other mobile device that I use for MFA!

If you believe that your UWSP account may be compromised due to a lost mobile device, contact the IT Service Desk. The Service Desk can help with resetting your password and check to ensure that no additional rules or auto-forwarding have been added to your UWSP email.

If you have a back up MFA authentication method which is not tied to your phone

If you lose or misplace your phone and have set up a backup authentication method which is not tied to your lost phone, click the link, "Sign in another way" in the authentication prompt you receive when attempting to log into a UWSP resource.


If you do not have a back up MFA authentication method, or all authentication methods are tied to your phone

If you lose or misplace your phone and your phone is your only MFA authentication method you will be unable to log into all university resources which require secondary authentication (see "UWSP resources requiring MFA, deadlines, and other information" above). You will also not be able to log into myaccount.uwsp.edu to add a new authentication method or remove a lost device.

  • If you know where your phone is, but forgot to bring it with you:
The IT Service Desk can provide a one-time bypass allowing you to log into myaccount.uwsp.edu to add a new authentication method.

  • If you do not know where your phone is:

Contact the Service Desk. Let them know that your device has been lost and to clear your MFA settings. Once your MFA settings have been cleared, you will be able to log into your myaccount.uwsp.edu with your UWSP logon and add a new authentication method.

 What should I do if I get a new phone?

Important: always make sure to have a backup authentication method set in your myaccount.uwsp.edu portal (see "Set up Microsoft MFA authentication" above).

Once you get your new phone you will want to:

  1. Install the MFA app on your new phone.

  2. Log into your myaccount.uwsp.edu portal, go to Security Info, and add the newly installed MFA app as your new default authentication method.

  3. Remove the previous authentication methods connected to your old phone (e.g. the previous "Authenticator App" and any phone authentication methods).

  4. Re-add the phone authentication methods. You must re-add the phone authentication methods as each installation of the MFA app has a unique identifier.

 Can I use the hardware token I previously received for Duo authentication?

No. Hardware tokens used for authenticating with Duo Security cannot be used for Microsoft MFA authentication. Duo Security hardware tokens are specific to the Duo service.

 How are hardware tokens paid for?

Student hardware tokens:

Student hardware tokens are billed to the student's account.

Employee hardware tokens:

UWSP requires the use of hardware tokens by all faculty and staff including student employees.  Because of this requirement, the institution covers the cost of the first hardware token for all of its employees.  If a hardware token is lost, a replacement device will be billed to the employee's department/employer.

 Information for student employees

For security purposes, student employees have a staff account in addition to their university student account. 

To easily manage your MFA verifications for both accounts, you will want to add both accounts to the MFA app on your mobile device.



For questions or help with Microsoft MFA authentication at UWSP, please contact the IT Service Desk.


I'm not getting notifications from the MFA app


Possibly you did not allow notifications when setting up the app. To check, go to your mobile device Settings, and locate the Authenticator app.

