Multi-Factor Authentication (MFA) Management

Owned by David Blood
Last updated: Jul 25, 2023 by David Warden
6 min read

Please visit Microsoft's My Security Info to manage your MFA authentication methods and default method.

Adding MFA methods

Just One Is Never Enough!

Please configure multiple MFA methods so that losing one does not prevent you from accessing your Geneseo account!

Common ways to lose access to MFA methods are:

  1. Deleting the Microsoft Authenticator app or transferring it to a new phone

  2. Traveling abroad and losing access to receive text messages or phone calls on your primary phone number

  1. Access your Microsoft security info, or sign into my.geneseo.edu, click on your initials in the upper right corner, and select "Manage Security Info" 

  2. To Add a method, click + Add method. If you do not have any methods, you will be automatically prompted to create your first one.

  3. Select the type of method you want to add.

  4. Follow the prompts for the selected method. See the Available Methods section below for specific instructions.

Remove an MFA Method

  1. Access your Microsoft security info

  2. Find the method you want to remove in the list and click the delete option

Change your default MFA method

  1. Access your Microsoft security info

  2. Click Change


  3. Select the method you would like to use from the drop down menu

Available Methods

Microsoft Authenticator App

The free Microsoft Authenticator app (available for iOS and Android devices) is our recommended authentication method, and sends a "push" notification to your device to verify your login attempt. It also provides a rotating code you can type in if your mobile device doesn't have internet connectivity and can't receive push notifications.

Please see Microsoft's official Authenticator App method documentation for instructions on adding this method to your account.

Unexpected Notifcations?

If you receive a notification when you are not attempting to log in, deny the request and use the 'report as fraud' function within the app.

Don't get locked out!

Deleting Microsoft Authenticator or transferring it to a new phone will break the trust between Microsoft and your device, and you'll need to use one of your other configured MFA methods to reestablish that trust. If have no other MFA methods configured and cannot sign in to your account, please call the CIT HelpDesk at 585-245-5588. They will verify your identity over the phone, and walk you through reestablishing a working MFA method.

"Other" Authenticator Apps

Any app that supports scanning MFA QR codes (ie. implements the Time-based One Time Password, or TOTP, protocol) may be used with your Geneseo account. The following are popular choices:

Add one of these apps by going to your Security Info page, then:

  1. Click the add sign-in method

  2. Select authenticator app and click Add

  3. Click I want to use a different authenticator app

  4. Click next

  5. Follow the instructions from your other authenticator app for reading the QR code. Once your app displays a 6-digit code for this new account, click next

  6. Enter the 6-digit code displayed in your other authenticator app when prompted by Microsoft, and click next. This confirms to Microsoft that your other authenticator app correctly parsed the secret information in the QR code.

Phone Verification

For US phone numbers, located in the US only, Microsoft will call your phone number and prompt you to approve your pending sign-in.

Please see Microsoft's official Phone method documentation for instructions on adding this method to your account.

Text (SMS) Message

For US phone numbers, located in the US only, Microsoft will send a text (SMS) message with a code to be entered in the login window.

Please see Microsoft's official SMS method documentation for instructions on adding this method to your account.

Security Key

Any FIDO2-compatible physical security key can be registered and used with Geneseo accounts. See Microsoft 365 Passwordless Authentication for more details.

Security Fob

If you do not have access to a mobile phone or desk phone, your department can purchase a security fob. The security fobs are small (about the size of a car key fob). Press the button on the fob to generate a number that can be typed in to the authentication screen to confirm your login. *Please note - hardware tokens must be purchased from CIT for $16. Third party hardware tokens are not supported.

Troubleshooting and Questions

We are required to use MFA by new SUNY security guidelines. Our systems are under constant attack. The most common are password spray attacks where attackers send thousands of logins using usernames and passwords harvested from the web to phishing attacks where attackers attempt to get your username and password. Multi-factor Authentication stops all these attacks. 

If you would like a detailed analysis of how MFA protects logins Your Pa$$word Doesn't Matter lays out Microsoft's research across millions of logins explaining why passwords are insecure and how MFA results in protecting against all but the most targeted attacks.

Logins to most Geneseo web based services and Microsoft's OneDrive and Office will require you to sign in and use MFA at least every 14 days. Sign in frequency varies between services based on security and vendor requirements.

When prompted to sign in, click on the Sign in another way button and select a new method.

You should notify the CIT HelpDesk as soon as possible if you lose your phone or authenticator.

Yes. Using a device for multi-factor login comes with the obligation to take reasonable precaution to protect it. Such precautions normally include the use of a password or a PIN to unlock the phone, as well as maintaining current versions of your device's operating system and Authenticator App.

Related articles