In 2022, Purdue adopted Microsoft Multi-Factor Authentication for all personal University email accounts. This page provides information about setting up Microsoft MFA, as well as answers to frequently asked questions.
If you do not receive an email to register for Microsoft MFA, sign in to https://portal.office.com and then follow the simple instructions found here (if you are already signed in to your Microsoft account, you'll need to sign out and log back in).
If you need additional instructions, they can be found in the video below:
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code on their cell phone or providing a fingerprint scan.
If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.
In 2023, Microsoft is adding "number matching" to MFA as an additional security measure to protect your account.
To combat “MFA fatigue,” the Authenticator app will now require users to type a number displayed on the screen to complete the authentication process. The measure is designed to prevent accidental approvals and attacks where users are bombarded with approval requests.
When a user responds to an MFA push notification using the Authenticator app, they will be presented with a number. They need to type that number into the app to complete the approval.
Users who use text messaging or a phone call to complete authentication will not be affected by the change.
Microsoft multi-factor authentication allows users to verify authentication using three methods: the Microsoft Authenticator App (default method), SMS text messaging, or an audio phone call.
Users without a smartphone should follow the instructions in the video above, but instead of selecting "Authenticator App" they should select "phone." Users will then be prompted to choose whether they want to receive an authentication code via text message or a phone call. Follow the prompts provided by Microsoft to complete the enrollment process.
If you do not own a smartphone, or plan to be in a part of the world where you will not have Internet access and are therefore unable to use Microsoft Authenticator, a physical token may be utilized. To learn more, see "How do I obtain a physical token (FOB) for MFA?" in the Purdue iT knowledge base.
MFA works on iPhone and Mac devices without issue if the device is up to date. If you are experiencing issues accessing your email on these devices while using the included mail application, you need to either update the device or re-add your mail account to the application. At this time, the only mail client we support fully is Outlook. However, we have had no issues with current mail clients provided by Apple, as they support modern authentication.
Microsoft Authenticator app (Default Method)
SMS Codes
Phone Calls
Physical token (FOB) for MFA
If you do not own a smartphone, or plan to be in a part of the world where you will not have Internet access and are therefore unable to use Microsoft Authenticator, a physical token may be utilized. Learn more by reading "How do I obtain a physical token (FOB) for MFA?" in the Purdue iT Knowledge Base.
Microsoft and Purdue IT highly recommend using the Outlook Web App (OWA), Outlook email client, or the Outlook mobile app to access your Purdue Office 365 email.
Depending on your phone and/or email client, Microsoft MFA may not work with unsupported desktop and third-party email applications, which are not recommended. Changes to Microsoft MFA and security policies may affect the ability to use these clients after enrollment.
In some cases, already established mail profiles can't make the transition from single-factor authentication to MFA. Users should remove the profile from the mail client on their phone, then re-add it to enable MFA security.
For the best experience and complete support, Microsoft recommends connecting through one of the following ways:
Microsoft's mobile Outlook App is a proven option that works with MFA; you can learn more by visiting the link below:
Microsoft DOES NOT recommend the use of other clients with Office 365, as there are often significant limitations in client functionality as a result.
Because of this, Purdue IT is only able to offer best-effort support for non-Microsoft supported clients, and certain issues may require the use of a Microsoft client to be resolved.
To find help with other clients, please visit:
Current Applications that are protected by MFA:
You can update your authentication methods by going to https://mysignins.microsoft.com/security-info.
Multi-factor authentication means that anyone logging into your email account must both know the password and have something with them – like a cell phone or access to your landline telephone number.
If your account becomes compromised – say because of phishing or someone stealing your password – the attacker still won’t be able to access your account because they are unable to provide the second required authentication factor.
To learn more, visit this page from Microsoft which explains more fully how MFA works.
No, but it should greatly reduce them.
Most phishing emails and other email-based scams sent to Purdue accounts are caught by spam filters. Occasionally, however, a phishing attack is successful, and the scammer gains access to a compromised account and uses it to send out additional emails to users within the Purdue system. Once 100 percent of our students, staff, and faculty have MFA, there will be a very low likelihood of any additional compromised accounts, thus drastically reducing successful phishing campaigns. However, all email users should continue to be wary and follow the phishing advice found here.