MFA: Choosing a preferred method of Multi-Factor Authentication (MFA) for M365

Summary

The purpose of this article is to provide information about the various options for using Multi-Factor Authentication (MFA) for Microsoft 365 Single-Sign On and the expected sign-in experience.  Understanding all the options and selecting the best fit for you, will help streamline your set-up process.

Content

Your sign-in experience when logging into MFA-protected resources will differ depending on what authentication method you choose to use as your second factor.   Options include using the Microsoft Authenticator app (recommended for MFA), a phone call, a text message with a code, or a hardware token such as a YubiKey, etc. 

Below you will find several MFA verification methods and the expected sign-in experience.

Note:  For Password Recovery methods (as opposed to MFA verification), also see our article on Updating Security Info for password recovery and MFA verification 

 

Sign in experience with the FREE Microsoft Authenticator app (recommended for MFA)

The following information describes the experience of using the Microsoft Authenticator app for two-step verifications. There are two different ways to use the app. You can receive push notifications on your device, or you can open the app to get a verification code.

 

Warning: Be sure you select the "Microsoft Authenticator" app provided by the Microsoft Corporation for FREE.  Several other apps with similar names have similar icons but are not the trusted, free Microsoft app.

 Icon for the Microsoft Authenticator app provided by the Microsoft CorporationThis is a FREE app - do not pay for an app for this purpose.

 

To sign in with the Microsoft Authenticator app via push notification

  1. Sign in to an M365 application or service using your username and password.
  2. Microsoft sends a notification to the Microsoft Authenticator app on your device.
  3. Open the notification on your phone and select the Verify key. You should now be signed in.

NOTE:  If you use the Microsoft Authenticator app to get push notifications on a mobile device with enhanced Biometric feedback, you may be prompted to use Face ID or Finger Print ID verification.  This feature adds an additional level of security to your M365 authentication experience, but is entirely optional and not required.

Beginning February 27, 2023, when you respond to an MFA push notification using the Microsoft Authenticator app, you'll be presented with a number. You need to type that number into the Microsoft Authenticator app app to complete the approval.  This feature called Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator.

Screenshot of prompt with number plus app view with box to enter in the number and click "Yes"

 

To sign in using a verification code with the Microsoft Authenticator app

If you use the Microsoft Authenticator app to get verification codes, then when you open the app you see a number under your account name. This number changes every 30 seconds so that you don't use the same number twice. When you're asked for a verification code, open the app and use whatever number is currently displayed.

  1. Sign in to an M365 application or service using your username and password.
  2. Microsoft prompts you for a verification code.
  3. Open the Microsoft Authenticator app on your phone and find the USNH code
  4. Enter the code in the box provided on the sign-in page.

Back to top

 

Sign in experience with a phone call

The following information describes the two-step verification experience with a call to your mobile or office phone.

  1. Sign in to an M365 application or service using your username and password.
  2. Microsoft calls you at the phone number you provide.
  3. Answer the phone and press the # key.

Back to top

 

Sign in experience with a text message

The following information describes the two-step verification experience with a text message to your mobile phone.

  1. Sign in to an M365 application or service using your username and password.
  2. Microsoft sends you a text message that contains a verification code.
  3. Enter the code in the box provided on the sign-in page.

Back to top

 

Sign in experience with a YubiKey USB security key

Warning:  Microsoft may require a PIN when using some models of YubiKey for M365 MFA.  The YubiKey PIN is maintained through a desktop app provided by the YubiKey manufacturer called "YubiKey Manager".  Remember your YubiKey PIN or it will not work for M365 MFA.  

If you lose or forget your YubiKey PIN, you will have to work with the YubiKey "YubiKey Manager" application to reset your PIN, or work with the YubiKey manufacturer directly - ET&S has no access to assist with lost YubiKey PINs.  This is why ET&S Strongly recommends you have a secondary method set up for MFA.

The following information describes the two-step verification experience with a YubiKey 5C NFC (non-FIPS):

  1. At the Microsoft Sign in page, skip entering your email address and instead click the Sign-in options link at the bottom.
  2. Select the Sign in with Windows Hello or a security key option.
  3. In the browser pop-up, select USB security key.
  4. Insert the USB Security key (YubiKey) into your computer where you are trying to sign in, then touch the security key.
  5. When prompted, enter your YubiKey PIN then click Next.

Back to top

 

Sign in experience with an alternate method

Sometimes you don't have the phone or device that you set up as your preferred verification method. This situation is why we recommend that you set up backup methods for your account. The following section shows you how to sign in with an alternate method when your primary method may not be available.  Note that the exact wording you will see depends on which method you had selected as your default or preferred MFA method.

  1. Sign in to an M365 application or service using your username and password.
  2. Click the link labelled something like Use a different verification option or Sign in another way or I can't use my Microsoft Authenticator app right now.  You see different verification options based on how many you have set up.
  3. Choose an alternate method and sign in.

Back to top

 

Further Readings

Multi-factor Authentication and USNH Systems

Setting up Multi Factor Authentication (MFA) for M365

Updating Security Info for password recovery and MFA verification

Installing the Microsoft Authenticator App

YubiKey Facts & Purchasing Guide

Common questions about the Microsoft Authenticator app - Microsoft.com support page 

 

Need additional help?

Visit the Technology Help Desk Support page to locate your local campus contact information or to submit an online technology support request.  For password issues you must call or visit the Help Desk in person.  

 

Details

Article ID: 4430
Created
Thu 6/9/22 2:19 PM
Modified
Fri 1/5/24 12:31 PM
Applicable Institution(s):
Keene State College (KSC)
Plymouth State University (PSU)
University of New Hampshire (UNH)
USNH System Office