Multi-Factor Authentication

An increasing number of campus partners are requiring FLCC to use MFA. SUNY security guidelines now require MFA, as does Brightspace LMS. Some of our insurance providers even require MFA. Our systems are under constant attack. Two of the most common attacks are password sprays, where attackers send thousands of logins using usernames and passwords harvested from the web, and phishing attacks, where attackers attempt to get your username and password. MFA can stop many of these attacks and is no longer considered an optional enhancement, but a required security measure.

If you would like a detailed analysis of how MFA protects logins, read Your Pa$$word Doesn't Matter. This article lays out Microsoft's research across explaining why passwords are insecure and how MFA results in protecting against all but the most targeted attacks.

Logins to some FLCC Enterprise Applications and Microsoft's OneDrive and Office will require you to sign in and use MFA at least every 14 days. Sign in frequency varies between services and is based on security and vendor requirements.

When prompted to sign in with the authenticator, click on "I can't use my Microsoft Authenticator app right now" button and select a new method.

If you lose your primary authentication device, you should notify the HelpDesk as soon as possible. The HelpDesk can help you register another method or reset an existing method.

Yes. Using a device for multi-factor login comes with the obligation to take reasonable precautions to protect it. This includes using a password or PIN to unlock the phone and updating your device to the latest operating system and Authenticator App.

Yes. Third-party apps such as 1Password, Duo, and Google Authenticator can be used to generate an OATH verification code. Users may have up to five OATH hardware tokens or authenticator apps such as the Microsoft Authenticator app configured for use at any time.

See Microsoft's Authenticator app setup instructions.

You should report all messages that you did not generate. This may be a sign of someone attempting unauthorized access to your account, and your password may be compromised. Deny the notification and then confirm that it's a fraudulent attempt. You should change your FLCC password after reporting the fraudulent login attempt.

The Microsoft Authenticator needs access to your camera to take a picture of the QR code (the weird barcode looking square) on your screen. It does not use camera access for anything else.

The Microsoft authenticator does not track you and it does not log location data. The only push notifications it will ever send you are approval requests for logins to FLCC systems. The Microsoft Authenticator does not give IT or Microsoft access to any data or information on your device.

If you would like to know more about the Microsoft Authenticator, please read the Authenticator FAQs.

You may not think you have access to any information worth protecting, but all our faculty and staff have access to secure information of one kind or another, from your W-2 (which an attacker could use to commit fraud and receive your tax return) to student health data, FERPA protected student data, or college financial data.

If your FLCC account is compromised, it can be used to trick other staff into responding to a phishing email. Your account can help an attacker to more easily access systems or compromise users that do have access to the data they are looking for, even if you don't have access yourself.