Multifactor Authentication (MFA)

Secure Your Account with Multifactor Authentication (MFA)

Protect Your Data

Securing your Western account is critical to protecting your private data, and if you work at the University, often the data of other students and employees.  To improve the security of your account when working off-campus, Western requires you to use both your password and an additional "factor" which constitute your "credentials" and prove your identity.  This process is known as multifactor authentication (MFA).  The most common 2nd factor is to send a SMS text message to your phone with a code that you enter into the logon screen of your application.  You can also use a mobile app known as the Microsoft Authenticator app, or a hardware device known as a FIDO2 key.  Western does not support a personal email as a 2nd factor other than for password resets.

Some MFA 2nd Factors are Better Than Others

SMS MFA is the weakest option for a 2nd factor.  Cybercriminals use many tricks to steal your credentials, even with SMS MFA.  The most common methods start with phishing attacks, due to their effectiveness and simplicity to carry out.  Phishing refers to a variety of attacks that are intended to convince you to hand over sensitive information to an imposter. These attacks can come in many forms but most commonly in the form of a convincing email, text message, or social media message. Some of the attacks they use are impersonating websites and logon screens, which result in adversary-in-the-middle (AiTM) and "session cookie" theft that lead to credential theft.

The Microsoft Authenticator app or a FIDO2 key are more "phish resistant".  You are not typing a code into a screen, which may be seen by the cybercriminal.  Additionally, both MFA methods can be set up in "passwordless" mode, by using two factors other than your password.  For the Microsoft Authenticator app, the two factors are a fingerprint (something you are) and your phone (something you have).

Read more about phish resistant MFA on the website of the National Institute of Standards and Technology.

Set Up the Microsoft Authenticator App

All the information on using multi-factor authentication (MFA) and setting up the Microsoft Authenticator app has been moved to the ATUS knowledgebase. They also have a FAQ that will answer your common questions about MFA.