Multi-Factor Authentication (MFA)
What is Multi-Factor Authentication (MFA)?
MFA adds an extra layer of security to your UPEI account by requiring two or more pieces of evidence (or factors) before allowing access to a service. Verifying your identity using a second factor (like your phone or other mobile device) prevents others from accessing your accounts, even if they know your password.
The Microsoft Authenticator App on your mobile device is UPEI’s recommended MFA method for the most secure and convenient MFA experience.
How do I set up MFA?
Who needs to set up MFA?
Which services do I need MFA for?
What MFA methods are currently available?
What if I damage or lose my phone?
What if I buy a new phone?
Do I always need to have my MFA method with me?
Do I need data or Wi-Fi to use the MFA app on my phone?
What if I’m having trouble getting the Microsoft Authenticator notification?
How do I change my “default” MFA method?
How often do I see the MFA prompt?
Why does my Microsoft authenticator app now require a verification code when I log in?
I am using the Microsoft authentication app for MFA. When I try to log into my UPEI email or another UPEI service, the MFA authentication step doesn’t display a code even though it requires one. Where can I find it?
My MFA tap approval on my Apple Watch no longer works. Did something change?
Contact the UPEI Help Desk
How do I set up MFA?
Watch a video to set up MFA using two devices (computer and mobile device).
Text-based instructions (.pdf)
Who needs to set up MFA?
The following groups are required to use MFA:
- Faculty (including sessional instructors and adjunct professors)
- Staff (including casual and term employees)
- Students
- Sponsored accounts (including visiting scholars, contractors, etc. who have been issued an @upei.ca email account)
- Alumni who have recently graduated but have not yet transitioned to an alumni email account
Which services do I need MFA for?
- myUPEI
- All M365 and Google services (including Outlook and Google Drive)
- UPEI Zoom accounts
- myapps.upei.ca and mylabs.upei.ca virtual computing environments
- Other applications that support Microsoft's single sign-on service
What MFA methods are currently available?
- Microsoft Authenticator mobile app (recommended!) - available for free download for your iOS mobile device and Android mobile device and can be installed and registered on your UPEI account for up to five devices.
- Automated voice calls.
- If neither of these options are available to you, please contact the ITSS Helpdesk for further discussion. (helpdesk@upei.ca | 902-566-0465)
What if I damage or lose my phone?
If your MFA method (e.g., phone) is lost, stolen, or damaged, please report it as such to the ITSS Help Desk as soon as possible so that they can deactivate it (helpdesk@upei.ca | 902-566-0465).
If you previously registered an alternate, or backup, MFA method (e.g., tablet, iPad), you can continue to sign in using that method. You can also use your backup method to gain access to your account and register a new MFA method when you obtain a new phone.
What if I buy a new phone?
If you still have access to at least one existing registered MFA method and can log into your UPEI account, just go to the MFA Setup page and click the "+ Add Method" button.
If you do not have access to your UPEI account or any previously registered MFA methods, you will need to contact the ITSS Help Desk for assistance (helpdesk@upei.ca | 902-566-0465).
Do I always need to have my MFA method with me?
Yes! While ITSS has tried to find a balance between security and convenience (meaning you do not necessarily get prompted to sign in to your account every time you access an application or service), you must always be prepared to satisfy an MFA challenge.
Do I need data or Wi-Fi to use the MFA app on my phone?
No. The Microsoft Authenticator app has a time-based passcode option built in. This lives on your phone and does not require an internet connection. To use this alternative MFA method instead of your default method, follow the steps below:
- On the Microsoft sign-in window, when prompted to open your MS Authenticator app and approve the request, just click the “I can’t use my Microsoft Authenticator app right now” link.
- Next, click “Use verification code from my mobile app”
- On your mobile device, open the MS Authenticator app and tap the account you are trying to log into.
- A 6-digit code will be displayed – enter this code into the Microsoft sign-in window.
Helpful tip – this code automatically changes every 30 seconds, and there is a little timer next to the code to let you know how long until the code expires. Wait until a new code appears so that you have the full 30 seconds to enter the code into the sign-in window and for the code to be verified by the system.
- If you have registered an alternative MFA method in addition to the Microsoft Authenticator App (such as voice call), you can also choose to use that method during the sign-in process instead.
What if I’m having trouble getting the Microsoft Authenticator notification?
- Restart your mobile device - Sometimes your device just needs a refresh. When you restart your device, all background processes and services are ended. The restart also shuts down the core components of your device. Any service or component is refreshed when you restart your device.
- Verify that your notifications are turned on - Make sure your mobile device has notifications turned on, both "globally" and for MS Authenticator in particular.
- Turn off "Do Not Disturb" - Make sure you haven't turned on the "Do Not Disturb" feature for your mobile device. When this feature is turned on, notifications aren't allowed to alert you on your mobile device.
- Make sure you have an internet connection - Push notifications require a working Wi-Fi or cellular data (3G or LTE) connection. Try opening some web pages to verify your device is connected to the internet. If not, use the authentication code MFA method instead.
- Check your battery-related settings - If you set your battery optimization to stop less frequently used apps from remaining active in the background, your notification system has probably been affected. Try turning off battery optimization for both your MS Authenticator app. Then try to sign in to your account again.
- Temporarily disable third-party security apps - Some security apps my inadvertently block notification. Disable the security apps protections temporarily and try signing in again - just remember to re-enable once you've completed your test!
How do I change my “default” MFA method?
To change your default MFA method:
- Log into https://aka.ms/mysecurityinfo.
Note: You will need to pass an MFA verification to reach this page. Here you will see your "Default Sign-in Method" listed.
- Click the "Change" link to the right of your current default method.
- From the drop-down menu, select which method you would wish to set as your new default.
- Click 'Confirm'.
Note: You must first register additional MFA methods before you can choose them as your default. To add a new MFA method, click the "+ Add Method" button and follow the prompts.
How often do I see the MFA prompt?
Every time you sign in to a UPEI application or service which uses our Microsoft Single Sign-On Service. In other words, whenever you enter your UPEI email address and password in the UPEI/Microsoft sign-in windows, and when you sign in to the myUPEI portal.
Because UPEI utilizes a “Single Sign-On Service”, the number of times you are prompted to sign in from within the same web browser or on the same device is greatly reduced. This means that the number of times you are prompted with an MFA challenge is also greatly reduced. However, you should always have your MFA method on-hand and at the ready so that you are not caught off guard.
Why does my Microsoft authenticator app now require a verification code when I log in?
Effective, January 24, 2023, anyone using the Microsoft authenticator app for MFA will be required to enter a verification code as part of the authentication process. This approach is called “Number Matching” and was changed by Microsoft to provide additional security.
The action of entering a code will help reduce the risk of a cyber threat actor gaining access to your account using a technique called “MFA fatigue.” MFA fatigue, also known as “push bombing,” occurs when a cyber threat actor bombards a person with nonstop notifications until the person either approves the request by accident or out of annoyance.
When you are faced with an authentication challenge, the message will contain a number that will then need to be entered into the approval notification on your mobile device. Depending on the UPEI service you are logging into, you may also notice contextual information including the application being accessed and a map location from which the sign-in attempt originated. This information is provided to help you further determine whether it is indeed your activity that is prompting the challenge or not.
This change only affects individuals who are using the Microsoft app and does not apply to other methods such as non-Microsoft authenticator app, phone number, or hardware token.
I am using the Microsoft authentication app for MFA. When I try to log into my UPEI email or another UPEI service, the MFA authentication step doesn’t display a code even though it requires one. Where can I find it?
If no code appears in the verification message, you may not have the latest version of the Microsoft authenticator app installed. Visit Google Play or the Apple App Store to ensure you have the latest version installed.
My MFA tap approval on my Apple Watch no longer works. Did something change?
Yes, effective January 24, 2023, verification codes are required for anyone using the Microsoft authenticator app replacing the previous tap approval. As a result, tap approvals are currently unavailable for Apple Watches.
Contact the UPEI Help Desk
Need Assistance? Contact our Help Desk:
Email: helpdesk@upei.ca
Phone: 902-566-0465