Geneseo users can add new authentication methods to their Microsoft 365 accounts that satisfy both the primary (password) and secondary (multi-factor) requirements, effectively reducing the number of steps to log in to Microsoft 365. These methods require either the Microsoft Authenticator mobile app or a FIDO2-compatible security key such as a YubiKey Security Key Series.
After you authenticate with a passwordless method, Microsoft will make it your default authentication method (overriding the default method on your Security Info page).
You can still authenticate with your password + MFA method by clicking Other ways to sign in when prompted for your passwordless method.
Phone Sign-In (Microsoft Authenticator)
This is an evolution of the push notification method in Microsoft Authenticator. After submitting your email address, you will be asked to approve the sign-in and enter a specific number in Microsoft Authenticator.
This method requires device registration, which establishes a trust relationship between your mobile device and CIT's Microsoft systems. This makes it possible for CIT to enforce certain security settings on your device. It does not allow CIT to remotely access or wipe your device. More details on this can be found at Microsoft's page for Azure AD Registered Devices.
You will no longer be able to approve logins with your Apple Watch.
This limitation is on Microsoft's roadmap to fix, and CIT will update this document once the fix is implemented.
Only one Microsoft work/school account per Microsoft Authenticator can have Phone Sign-In enabled.
Your Microsoft Authenticator accounts are not backed up or transferable to another device.
There is an advanced feature that allows iPhone users to sync their accounts to iCloud if they also add a personal Microsoft account to Microsoft Authenticator. CIT does not recommend this feature; it did not play well with Phone Sign-In and device registration in testing.
There are two methods for removing Phone Sign-In; which one to use depends on whether you are migrating to a new mobile device:
Unregister your device if you are migrating to a new mobile device:
Microsoft Authenticator settings → Device Registration
Tap Unregister device.
Disable Phone Sign-In if you want to retain device registration:
Tap your Microsoft Authenticator account with Phone Sign-In
Tap Disable phone sign-in
FIDO2 Security Key (WebAuthn)
These are USB/NFC devices with a button. During login, users are prompted to unlock the device with a PIN and tap the button. They store secret cryptographic keys for accounts registered via the WebAuthn protocol. The most popular compatible devices are the YubiKey Security Key Series.
CIT recommends assigning a descriptive name to all registered security keys to help you distinguish between multiple registered keys.
Microsoft has timeouts at various stages of the registration process, and tends to show a confusing error if you hit a timeout. Please click cancel and go through the registration process again if you see the following error.