Versions Compared

Please visit Microsoft's Security Info page to manage your MFA authentication methods and default method.

Warning

Just One Is Never Enough!

Please configure multiple MFA methods so that losing one does not prevent you from accessing your Geneseo account!

Common ways to lose access to MFA methods are:

Deleting the Microsoft Authenticator app

Multi-Factor Authentication (MFA)

All SUNY Geneseo students must use Multi-Factor Multi-factor authentication (MFA) when logging into campus systems to decrease the likelihood of others accessing their data.

Specifically, it enhances the security of your Geneseo User ID by using your phone, tablet, or other device to verify your identity when you attempt to access SUNY Geneseo’s network and resources. 

Warning

Don't get locked out!

Deleting Microsoft Authenticator or transferring it to a new phone

  • Traveling abroad and losing access to receive text messages or phone calls on your primary phone number
  • Adding MFA methods

    To prevent you from being locked out of your account, we suggest adding multiple methods that can be accessed from different devices. View the "Authentication Methods" section of this page for a list of various options for authenticating with MFA.

  • Access this link for your security info.
  • Or log into My.Geneseo.edu and click

    number will break the trust between Microsoft and your device, and you'll need to use one of your other configured MFA methods to reestablish that trust.

    If you have no other MFA methods configured and cannot sign in to your account, please call the CIT HelpDesk at 585-245-5588. They will verify your identity over the phone, and walk you through reestablishing a working MFA method.

    Download the Microsoft Authenticator App

    The free Microsoft Authenticator app (available for iOS and Android devices) is our recommended authentication method and sends a "push" notification to your device to verify your login attempt.

    It also provides a rotating code you can type in if your mobile device doesn't have internet connectivity and can't receive push notifications.

    Please see Microsoft's official Authenticator App method documentation for instructions on adding this method to your account.

    MFA App for iOS MFA App for Android


    Adding MFA methods

    1. Access your Microsoft security info, or sign in to my.geneseo.edu.

    2. See below for specific instructions.

    Phone Verification

    For US phone numbers, located in the US only, Microsoft will call your phone number and prompt you to approve your pending sign-in.

    Please see Microsoft's official phone method documentation for instructions on how to add this method to your account.

    Text (SMS) Message

    For US phone numbers, located in the US only, Microsoft will send a text (SMS) message with a code to be entered in the login window.

    Please see Microsoft's official SMS method documentation for instructions on adding this method to your account.

    Security Key

    Any FIDO2-compatible physical security key can be registered and used with Geneseo accounts. See Microsoft 365 Passwordless Authentication for more details.

    1. Click on your initials in the upper right corner

    to
    1. , and select "Manage Security Info" 

    2. To Add a method, click + Add method.

    Or if
    1. If you

    have not setup MFA yet
    1. do not have any methods, you will be

    prompted for "More Information"
    1. automatically prompted to create your first one.

    2. Select the type of method you want to add.

    2. Follow the prompts for the selected method.

    See the Available Methods section below for specific instructions
    Warning

    Just One Is Never Enough!

    Configure multiple MFA methods so that losing one does not prevent you from accessing your Geneseo account! Common ways to lose access to MFA methods are:

    1. Getting a new phone - the Microsoft Authenticator app does not support transfer or backup/restore.

    2. Traveling abroad to a place where your US phone number cannot receive SMS or calls.


    Remove an MFA Method

    1. Access your Microsoft security info

    2. Find the method you want to remove in the list and click the delete option


    Change your default MFA method

    1. Access your Microsoft security info

    2. Click Change

    2. Select the method you would like to use from the drop down menu

    Available Methods

    Microsoft Authenticator App

    The free Microsoft Authenticator app (available for iOS and Android devices) is our recommended authentication method, and sends a "push" notification to your device to verify your login attempt. It also provides a rotating code you can type in if your mobile device doesn't have internet connectivity and can't receive push notifications.

    Please see Microsoft's official Authenticator App method documentation for instructions on adding this method to your account.

    Info
    title

    Unexpected

    Notifcations

    Notifications?

    If you receive a notification when you are not attempting to log in, deny the request and use the 'report as fraud' function within the app.

    Warning

    Don't get locked out!

    Deleting Microsoft Authenticator or transferring it to a new phone will break the trust between Microsoft and your device, and you'll need to use one of your other configured MFA methods to reestablish that trust. If you have no other MFA methods configured and cannot sign in to your account, please call the CIT HelpDesk at 585-245-5588. They will verify your identity over the phone, and walk you through reestablishing a working MFA method.


    "Other" Authenticator Apps

    Any app that supports scanning MFA QR codes (i.e., implements the Time-based One-Time Password, or TOTP, protocol) may be used with your Geneseo account. The following are popular choices:

    Add one of these apps by going to your Security Info page, then:

    1. Click the add sign-in method

    2. Select the authenticator app and click Add

    3. Click I want to use a different authenticator app

    2. Click next

    3. Follow the instructions from your other authenticator app for reading the QR code. Once your app displays a 6-digit code for this new account, click next

    4. Enter the 6-digit code displayed in your other authenticator app when prompted by Microsoft, and click next. This confirms to Microsoft that your other authenticator app correctly parsed the secret information in the QR code.

    Phone Verification

    For US phone numbers, located in the US only, Microsoft will call your phone number and prompt you to approve your pending sign-in.

    Please see Microsoft's official Phone method documentation for instructions on adding this method to your account.

    Text (SMS) Message

    For US phone numbers, located in the US only, Microsoft will send a text (SMS) message with a code to be entered in the login window.

    Please see Microsoft's official SMS method documentation for instructions on adding this method to your account.

    Security Key

    Any FIDO2-compatible physical security key can be registered and used with Geneseo accounts. See Microsoft 365 Passwordless Authentication for more details.

    Security Fob

    If you do not have access to a mobile phone or desk phone, your department can purchase a security fob. The security fobs are small (about the size of a car key fob). Press the button on the fob to generate a number that can be typed in to the authentication screen to confirm your login. *Please note - hardware tokens must be purchased from CIT for $16. Third party hardware tokens are not supported.

    Available Methods

    Troubleshooting and Questions

    Why are we requiring people to use MFA?

    We are required to use MFA by new SUNY security guidelines. Our systems are under constant attack. The most common are password spray attacks, where attackers send thousands of logins using usernames and passwords harvested from the web

    to

    , and phishing attacks, where attackers attempt to get your username and password. Multi-factor Authentication stops all these attacks. 

    If

    Suppose you would like a detailed analysis of how MFA protects

    logins 

    logins. In that case, Your Pa$$word Doesn't Matter lays out Microsoft's research across millions of logins, explaining why passwords are insecure and how MFA results in protecting against all but the most targeted attacks.

    What logins will require MFA?

    Logins to most Geneseo web-based services and Microsoft's OneDrive and Office

    will

    require you to sign in and use MFA at least every 14 days. Sign-in frequency varies between services based on security and vendor requirements.

    What if I forgot my primary authentication device?

    When prompted to sign in, click on the Sign in another way button and select a new method.


    What if I lose my phone or authenticator app?

    You should notify the CIT HelpDesk

    as soon as possible

    immediately if you lose your phone or authenticator.

    Should I take any precautions regarding the security of my MFA-enrolled smartphone or tablet?

    Yes. Using a device for multi-factor login comes with the obligation to take reasonable

    precaution

    precautions to protect it. Such precautions normally include

    the use of

    using a password or a PIN to unlock the phone

    , as well as

    and maintaining current versions of your device's operating system and Authenticator App.

    Can I use a different authenticator app (like Google Authenticator)?

    Yes. Third-party apps such as 1Password, Authy, or Google Authenticator can be used as a software token to generate an OATH verification code. Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time.

    What if I get an authentication notification that I didn't expect?

    You should report all messages that you did not generate. This may be a sign of someone attempting unauthorized access to your account, and your password may be compromised. Deny the notification and then confirm that it’s a fraudulent attempt. You should change your Geneseo password after reporting the fraudulent login attempt. Note: the authenticator app will warn you that reporting a fraudulent attempt may cause your account to be blocked or disabled, but this will only occur if you do not change your password

    in a timely manner

    promptly

    Why does the Microsoft Authenticator need to access my camera?

    The Microsoft Authenticator needs access to your camera to take a picture of the QR code (

    the weird

    a barcode-looking square) on your screen. It does not use camera access for anything else.

    Does the Microsoft Authenticator track me?

    The Microsoft authenticator does not track you

    and it does not

    or log location data. The only push notifications it will ever send

    you

    are approval requests for logins to Geneseo systems. The Microsoft Authenticator does not give CIT or Microsoft access to any data or information on your device.

    I don't have access to anything important, why do I have to use MFA?

    You may not think you have access to any information worth protecting, but all our faculty staff have access to

    some

    secure information of one kind or another, from your W-2 (which an attacker could use to commit fraud and receive your tax return) to student health data, FERPA-protected student data, or college financial data.

    If your Geneseo account is compromised, it could also

    could

    be used to trick other Geneseo staff into responding to a phishing email. Your account can also allow an attacker to more easily access systems or compromise users

    that

    who do have access to the data they are looking for.

    Owner (area)

    Support Services

    Reviewed by

    Former user (Deleted)toc

    David Blood

    Review Date