
Frequently Asked Questions - Multi-Factor Authentication (MFA)

For this and several other frequently asked questions, please directly check Microsoft's online Authenticator App FAQ.

Push Notifications have been disabled for security reasons.

Adding the Microsoft Authenticator App to your new device will not automatically remove the app from your old device.

Even deleting the app from your old device is not enough!

You must delete the app from your old device and also forget the old device and unregister it from your account.

If you do not have access to your old device anymore (stolen, lost, etc.), please contact the EUI Helpdesk for support!

As the App gets updated very often, please check the most up-to-date requirements directly on the app store's dedicated page:

 

Once MFA has been activated for your EUI email address, you may need to re-configure the concerned email profile within Apple Mail by re-creating it.

If the above still does not work, make sure to update Apple Mail and/or your macOS X operating system to the most up-to-date version.

IMPORTANT: your macOS X must be AT LEAST version 10.14 (Mojave) in order to support MFA!

If you cannot or do not wish to upgrade to macOS X 10.14 (Mojave), you will be unable to use Apple Mail with MFA. Please consider installing Microsoft Office 2016 and using Outlook, or you can use Outlook Web Access (EUI Webmail).

 

Yes, MFA may have costs depending on the following:

  • your telco may charge you for receiving SMS text messages. This may particularly be the case when you are abroad (that is while roaming)
  • your telco may charge you for receiving phone calls. This may particularly be the case when you are abroad (that is while roaming)

Please inquire with your telephone operator about any costs you may incur. You simply need to ask if receiving SMS text messages has a cost based on your contract.

Please note, however, that the App does NOT incur any cost, as it works even while your phone is offline (no internet, no voice coverage, no roaming)!

It depends: it is less a question of the age of the device than of the application (email client) that is being used.

Legacy applications exist for the newest devices as well as devices that are quite old, so it is important to make sure that your device is compatible with one of the supported email clients.

In some cases, there may not be a supported application compatible with older devices.

If you changed the phone number and therefore you cannot receive the One-time Code anymore, please contact the EUI Helpdesk.

To avoid similar issues in the future, the ICT Service strongly suggests defining additional verification options.

Problem:

The following "Your session has timed out" message is displayed when trying to access the online MFA settings:

Image 1: Time out error message

 

Systems Affected:

This problem affects only Mac users with an outdated operating system.

 

Workaround:

  1. update your Operating System:
  2. if your Mac is out-dated (i.e. cannot be updated any further) and/or you do not wish to update it, try to reach the MFA Settings page by clicking on the Edit security info menu (right pane) of the Password Portal instead.

If you lost your device and/or for some reason cannot receive the One-time Code anymore, please contact the EUI Helpdesk.

Please note, however, that if you previously enrolled an additional authentication method (or device), you can use that method both to access your Email and to delete your lost or stolen phone in your Security Info.

As a consequence of the (insecure) POP3/SMTP/IMAP protocols not being supported under MFA, fetching EUI email through GMail will not work anymore after MFA implementation.

Alternatively, you may set up automatic email forwarding (to GMail) on your EUI email account. However, you will not be able to send "on behalf of your EUI email account" from within GMail.

The following authentication methods are shared, so they can be used both for MFA authentication and for self password reset:

  • Using the Authenticator App
  • Sending a text to a mobile number
  • Calling a mobile number
  • Calling the office number (if available)

The following ADDITIONAL authentication method is available for self password reset ONLY:

  • Emailing an alternative address

The smoothest options are App or text (SMS) message:

  • the App does NOT need any active connection and can basically be used any time, even while completely offline (no internet connection, no voice coverage, no roaming) and/or while in Flight Mode
  • SMS will always work as long as you find yourself in an area with AT LEAST voice coverage on your mobile
  • both require you to input a 6-digit One Time Code (OTC) on the device you are accessing your email from

Alternatively, you can be called on your office phone or a different phone number (either fixed or mobile), in which case you have to listen to the voice call and hit the hash/pound key (#) when asked to: very useful if you forgot your mobile!

There are several ways for an email client to connect to one's mailbox. These modes are called "protocols".

Some protocols are very old and do not support the protection provided by MFA. POP3/SMTP and IMAP are examples of such protocols and are typically called "legacy".

Legacy modes are no longer allowed because legacy-based applications bypass the protection provided by MFA. An attacker could still take over such an account and send out phishing emails impersonating the account owner, which makes the phishing attack much harder to detect. Additionally, an attacker could potentially access sensitive information within the account.

In order to secure the mailbox, if your email client uses legacy mode to connect to your EUI email address, the connection will NOT be allowed!
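How an administrator might check which accounts still sign in over the legacy protocols named above, as an added example (not ICT Service code). The log format, the field names and the "MODERN" label are hypothetical, and the sample records are constructed.

```python
import json
from collections import defaultdict

LEGACY = {"POP3", "IMAP", "SMTP"}  # protocols the page lists as legacy

# Constructed sample sign-in log (JSON lines); field names are hypothetical.
SAMPLE_LOG = """\
{"time":"2019-06-03T08:12:01Z","user":"alice@example.org","protocol":"IMAP","result":"success","ip":"198.51.100.7"}
{"time":"2019-06-03T08:12:40Z","user":"alice@example.org","protocol":"MODERN","result":"success","ip":"198.51.100.7"}
{"time":"2019-06-03T09:01:13Z","user":"bob@example.org","protocol":"pop3","result":"blocked","ip":"203.0.113.20"}
{"time":"2019-06-03T09:05:55Z","user":"alice@example.org","protocol":"SMTP","result":"success","ip":"192.0.2.44"}
not-json-line
{"time":"2019-06-03T10:30:00Z","user":"carol@example.org","protocol":"MODERN","result":"success","ip":"198.51.100.9"}
"""

def legacy_report(log_text):
    """Return {user: {"allowed": n, "blocked": n, "ips": [...]}} for legacy sign-ins."""
    report = defaultdict(lambda: {"allowed": 0, "blocked": 0, "ips": set()})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            protocol = rec["protocol"].upper()
            user, result, ip = rec["user"], rec["result"], rec["ip"]
        except (ValueError, KeyError, AttributeError, TypeError):
            continue  # skip malformed or incomplete records
        if protocol not in LEGACY:
            continue  # modern clients can be challenged for the second factor
        entry = report[user]
        entry["allowed" if result == "success" else "blocked"] += 1
        entry["ips"].add(ip)
    return {u: {**e, "ips": sorted(e["ips"])} for u, e in report.items()}

def mfa_gaps(log_text):
    """Users for whom a password-only legacy sign-in still succeeded."""
    return sorted(u for u, e in legacy_report(log_text).items() if e["allowed"])

if __name__ == "__main__":
    print(legacy_report(SAMPLE_LOG))
    print("MFA bypass still possible for:", mfa_gaps(SAMPLE_LOG))
```

Accounts listed by `mfa_gaps` can still be reached with a password alone; accounts that only show blocked attempts have a client that needs reconfiguring.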

 

Only those mailboxes receiving the MFA "invitation" email will be affected.

Please check your functional mailbox regularly to verify if this is the case.

No, you will be asked for the additional authentication only when logging into your email client. Once you have successfully signed in, you will not be asked again until you start a new session.

Yes, as long as the mail forward is/was set through the specific option inside your webmail or via mail forward request form.

 

Currently, only UPDATED versions of the following are supported:

What Applications Work With MFA?

| OS | Email Clients |
|---|---|
| Android | Microsoft Outlook app; Nine app |
| iOS | Microsoft Outlook 2016; Apple Mail app (iOS 11 or above) |
| macOS X | Apple Mail (macOS X 10.14 Mojave or above); Microsoft Outlook 2016 (recommended) |
| Microsoft Windows | Microsoft Outlook 2016 (recommended); Microsoft Outlook 365; Microsoft Windows 10 Mail app |

 

The following email clients will NOT work anymore:

  • Android Mail app
  • Apple Mail app (iOS 10 and prior)
  • Apple Mail (macOS X 10.13 High Sierra or prior)
  • GMail
  • Mailspring
  • Mozilla SeaMonkey
  • Mozilla Thunderbird
  • Microsoft Outlook 2013 or prior
  • Microsoft Outlook Express

Please Note: ANY email client configured in any legacy mode (POP3/SMTP or IMAP) will NOT work as these protocols will no longer be supported.

No, for each login attempt you will receive one token, or OTC (One-Time Code), valid for just a few minutes.

In this regard, please do NOT consider the token equivalent to your fixed ATM card PIN.

ICT Service will populate this section as it receives questions from its users: please make sure to visit this page often!
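Why the App can produce a valid code with no connectivity, and why a code stops working shortly afterwards, as an added example (not ICT Service or Microsoft code). It assumes the App's 6-digit codes follow the standard time-based one-time password scheme (RFC 6238), which this page does not state; the secret is the RFC's published test value, and the 30-second step and one-slot drift are assumptions.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC the counter, dynamically truncate, keep `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of `step`-second slots since 1970.
    Only the enrolled secret and the phone's clock are needed, no network."""
    return hotp(secret, unix_time // step, digits)

def verify(secret: bytes, code: str, unix_time: int,
           step: int = 30, drift: int = 1) -> bool:
    """Server side: accept the current slot plus `drift` slots either way
    to tolerate clock skew; anything older is rejected."""
    for slot in range(-drift, drift + 1):
        expected = totp(secret, unix_time + slot * step, step, len(code))
        if hmac.compare_digest(expected, code):
            return True
    return False

# Constructed sample: the RFC 6238 test secret, not a real enrolment secret.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    shown_on_phone = totp(SECRET, 1111111109)               # code in one slot
    print(shown_on_phone)
    print(verify(SECRET, shown_on_phone, 1111111111))           # next slot: accepted
    print(verify(SECRET, shown_on_phone, 1111111111, drift=0))  # strict: rejected
```

Unlike a fixed PIN, a code captured in one time slot is useless once the server's acceptance window has moved past it.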

 

 

The purpose of the FAQ pages is to provide general guidance, additional clarification and examples. In case of doubt or differences of interpretation, the governing ICT Policies shall prevail.
 

Page last updated on 04 June 2019