Body
Why MFA?
CWU has implemented multi-factor authentication for the security of the whole campus community. This means that all CWU faculty, staff member and student will need to enter a username and password, and also use a “second factor” when logging in to systems including PeopleSoft, MyCWU, Canvas, Outlook, and other CWU systems that use the single sign-on.
Why are we doing it?
Passwords alone are no longer a secure method of accessing systems. CWU faculty, staff, and students have been the targets of countless phishing attacks and other malicious activities. When successful, attackers can gain access to employee confidential personal information, use their accounts to send spam or more phishing emails, change payroll information thus stealing your pay check, steal information, and perform many other malicious activities. Users frequently reveal their passwords during phishing attacks, share passwords with others, or use simple passwords that can be easily guessed.
Multi-factor authentication greatly decreases the possibility of a hacker gaining unauthorized access to CWU systems. Simply knowing a username and/or password will not be sufficient to access a system; bad actors would also need a user’s second factor before they could login. This is similar to the process used when accessing online banking.
How does it work?
When you log into your CWU account, you will need to verify your identity with a second device (factor).
The available second factors include:
- Using an app on a mobile device to do a "number match" and approval at a pop-up notification
- Using an app on a mobile device to generate a number (One Time Passcode - OTP), and entering that number when prompted during login.
- Answering a phone call and pushing a button on the phone to approve login
If you elect to use options one or two, you will need to install the Microsoft Authenticator app on your smartphone or tablet. Instructions for initial set up of MFA are available through the Knowledge Base article MFA - Initial Multi-Factor Authentication Setup.
What if I don’t have a smartphone or tablet?
If you do not have a smartphone or tablet, you can use the phone call option. You can enter the phone number for up to two phone numbers for office phones, home phones, or cell phones.
How often will I need to use MFA?
MFA will prompt you for your second factor once every 21 days for most CWU systems. You may be prompted more frequently if you use a VPN, if you use more than one computer, or if you frequently clear your browser cache.
Why am I getting MFA authentication requests on my smartphone or by phone call when I’m not expecting them (such as in the evening, on weekends, etc.)?
The MFA process is on an eight day cycle, and it will request that you re-authenticate every 21 days if your computer is turned on and logged in – even if you are not actively trying to login to a system. The best way to prevent this from happening is to log off of your computer at the end of the day or when you’re not using it. If your computer is logged in when the 21 day time runs out, you will get an MFA request regardless of the time or day.
If you get an MFA request when you are not expecting it, we recommend that you do NOT tap Deny, but rather ignore the request or hang up your phone. Tapping Deny will trigger a process that blocks your account from further attempts to login, and you will not be able to access any CWU systems until Information Services unblocks your account. If you tap Deny, you will need to call the Service Desk for assistance (509-963-2001), and there may be a delay in unblocking your account. Ignoring an MFA request will not block your account, but it will also prevent an unauthorized person from accessing your account.
WARNING! If you only have the phone call method of authentication, PLEASE be extremely cautious about approving an MFA request. Since you do not have to submit a number match (as with the MFA Apps) it is very easy to approve an MFA phone call by reflex. If you approve a login that was not you trying to log in, your account will be compromised, and you put yourself and potentially the whole university at risk.
Will installing the Microsoft Authenticator app on my personal phone allow CWU to see anything on my phone?
No. The Microsoft Authenticator app is a tool provided by Microsoft for anyone with an Apple or Android smartphone. Many other websites and services also rely on the Microsoft Authenticator app for MFA; the app is not provided by CWU, nor does it provide CWU with access to your phone.