Information Technology

Student self-enrollment in Microsoft Multifactor Authentication is now available

Most students required to enroll in Microsoft MFA by May 8

Students should enroll in Microsoft MFA anytime between March 23 and May 7 to ensure a seamless transition and avoid disruptions signing in to secured Penn State systems and services prior to their Microsoft MFA enrollment deadline. Credit: Pat Besong. All Rights Reserved.

UNIVERSITY PARK, Pa. — Microsoft MFA is replacing Duo as Penn State’s identity verification system. Enrollment in Microsoft MFA is mandatory for most students by May 8.

The process for students to enroll in Microsoft Multifactor Authentication (MFA) is now available at accounts.psu.edu/mfa.

The Microsoft MFA enrollment deadline date for students in Penn State Dickinson Law, Penn State Law and Penn State School of International Affairs has been extended to May 17 to accommodate their two-week final exam period. Students in the College of Medicine will transition to Microsoft MFA along with the College’s faculty and staff members later this year. More information about the College of Medicine transitions will be provided later. Students graduating in May are not required to enroll. Faculty and staff members will also be required to enroll in Microsoft MFA. More information about faculty and staff transitions will be provided later.

Students not enrolled in Microsoft MFA by their deadline will not be able to register for classes, retrieve grades or access any secure University-affiliated sites and services such as Outlook email, Canvas and LionPATH until they enroll in Microsoft MFA.

Enrolling in Microsoft MFA is easy and takes about 15 minutes. Go to accounts.psu.edu/mfa and click on the “Enroll in MFA” button to access the enrollment form and begin the enrollment process. Once you start the process, you will need to complete it, or you will be prompted to do so the next time you try to sign into your Penn State Account.

After you add and register your MFA device(s), you will be able to select a verification sign-in method from a range of authentication options such as Microsoft’s Authenticator app, which is the preferred MFA method and is available via the App Store for iOS devices or Play Store for Android devices. Other sign-in methods include an alternate phone for calling or a security key/hardware token. Once enrolled, you will be prompted to verify your identity each time you log into a University-affiliated site or service through a notification sent to your enrolled device.

To prevent accidental approvals, those using the Microsoft Authenticator app on their smartphone will enter the two-digit number displayed on the sign-in screen when approving an MFA request in the Authenticator app. Each number-matching prompt generates a unique set of numbers for every login request. Those using the app cannot approve MFA requests without entering the numbers on their login screen. This guarantees that they do not accidentally approve an unrequested MFA prompt from muscle memory, as was possible in the Duo “Accept” or “Deny” prompts. Number matching is a key security upgrade to traditional second-factor notifications and is recommended by America’s cyber defense agency (the Cybersecurity and Infrastructure Security Agency) and is an industry best practice.

Currently, Apple Watch and Android wearable devices (such as Samsung Galaxy Watch) are incompatible with the Authenticator app’s security features. With the release of Authenticator 6.7.3 for iOS, the companion app was removed from the Apple Watch. This change only affects wearables, so you can still mirror Authenticator notifications from your phone to your wearable device. But how that experience looks will depend on your hardware's operating system.

The new Microsoft MFA authentication is different from Duo, but its purpose and functionality remain the same. Although Microsoft MFA is the University’s primary authentication method moving forward, do not uninstall Duo now, as there may be some systems and services within the University that still require it. You may also be using Duo for other non-Penn State instances outside the University. 

Transitioning to Microsoft MFA enables the University to reduce costs by aligning with other Microsoft tools it’s already using, streamline service management and enhance Penn State’s security posture.  

Step-by-step enrollment instructions are available on the Knowledge Base at MFA: Microsoft Authenticator Enrollment.

Frequently asked questions are available on the Knowledge Base at MFA: Common and Frequently asked questions about Microsoft MFA.

To learn more, visit MFA: Finding Help with Multifactor Authentication – Master List of Knowledge Base Articles.  

For help, contact the IT Service Desk via chat, submit a Get Help ticket, phone at (814) 865-4357, or email at ITservicedesk@psu.edu.  

Last Updated March 23, 2023