Multi-Factor Authentication (MFA) FAQ


Frequently asked questions about UNCG MFA.

What is multi-factor authentication (MFA), and why should I use it?

Multi-factor authentication, simply known as MFA, is a security tool that requires more than one method to verify the identity of an account user.

When you log in with your UNCG username and password, you are using a single authentication method or "factor."

Types of factors fall into one of three categories of something you...

  • know, like your username and password
  • have, such as a smartphone with an app to approve authentication requests
  • are, which includes biometrics like a fingerprint or retina scan

MFA adds an additional layer of protection to your accounts by requiring a second factor.

Verifying your identity by using a second factor in your physical possession (phone or mobile device) or a biological trait (fingerprint) prevents anyone but you from logging in, even if they know your password.

Why is MFA important?

UNCG Information Technology Services (ITS) has robust network security. Our campus network firewall continuously blocks approximately 50 new cyber attacks per second. In just one month in 2020, our firewall prevented more than three million attack attempts. However, these security measures alone are not sufficient to protect our students, faculty, and staff from sophisticated hackers.

In 2020, 81% of data breaches reported worldwide were due to compromised credentials. When a second level of authentication (such as Microsoft Authenticator) is used, the likelihood of compromised credentials drops to 0.1%.

Do I have to enroll in Azure MFA?

Yes. All UNCG account holders will be required to use Microsoft Azure AD MFA. New employee accounts will be enrolled when their accounts are created. Further, Microsoft will require the registration of the Authenticator application for mobile devices.

Clarification on the use of hardware tokens:

The use of hardware tokens for MFA is only authorized on an exception basis, where hardships or extenuating circumstances make phone or mobile device use impossible. Hardware token exceptions will be evaluated on a case-by-case basis. Faculty and staff require AVC approval; students and non-employees require approval from the University’s Chief Information Security Officer.

For details about the criteria for exceptions, the approval process, and approved tokens, see these articles for students and non-employees or for faculty and staff.

What are my available options to use as a factor?

Factor options are: 

  • Microsoft Authenticator app push notifications and code generation (smartphones or tablets)
  • SMS devices (smartphones or basic phones). This option is less secure and will soon be obsolete.
  • Receiving voice calls (smartphones or basic phones). This option is less secure and will soon be obsolete.

For more information on each of these types of second factors, see Compare Second Factor Options.

What applications use MFA?

UNCG Enterprise Single Sign-On (SSO) and many enterprise apps, such as Canvas, Office 365, and MyCloud, among others.

Do I need a second factor every time I log in?

Yes. You must present one of your enrolled factors every time you log in. However, you can choose the "Don't ask again for 15 days" option, which enables MFA to remember the browser and machine you are using.

If you select this option when logging in, you will be able to log in without MFA for a period of 15 days.

The setting only applies to the browser that you are using when you select the "Don't ask again for 15 days" option. This option must be selected for each browser.

As a personal setting saved to your local computer's browser, "Don't ask again for 15 days":

  • does NOT follow you from one computer to another;
  • is NOT available if you change web browsers; and
  • is forgotten when you clear your web browser's saved content.

What happens if I don’t have my device?

You will not be able to access MFA-protected services if you don't have a device previously associated with your account. In these situations, 6-TECH staff can help you log in by other appropriate means. Call 6-TECH to be verified. If you are out of the country, you can use the chat function located at https://uncg.service-now.com/support.

What do I do if I get a message saying I’m locked out of my account?

When there are too many failed log-in attempts, accounts are locked for 20 minutes. You can attempt to log in again after that time.

Can I change, add, or remove default devices?

Why can’t I scan the QR code?

If you have trouble with the QR code, close the app and your web browser and start over. If that doesn’t work, register your phone number and then go to https://mysignins.microsoft.com/security-info. Click Add method and select Authenticator app to register the app. When registered, you can change the default method on the same page. If you still can’t get it to work, contact 6-TECH@uncg.edu or (336) 256-TECH (8324).

How many devices can I register?

Method of Authentication | # of Devices
Authenticator apps (MS Authenticator or code generation) | 5
Phone for text or calls (This option is less secure and will soon be obsolete) | 1
Additional numbers for calls (This option is less secure and will soon be obsolete) | 2

I selected “don’t ask for 15 days,” why does MFA still ask me to approve my login?

Check privacy settings in the preferences or settings for your browser to make sure that the history is enabled and that cookies are allowed. The “don’t ask for 15 days” setting is saved in your browser’s history and cookies. Clearing the history and cookies resets this feature, which will prompt another approval.

When will my secondary account be required to use MFA?

Formally recognized Auxiliary Accounts, such as Service Accounts or Administrative Privilege Accounts, will be migrated to MFA over the summer. Legacy Secondary Accounts will not be migrated to MFA in light of parallel efforts that are retiring or converting these legacy offerings on an independent timetable. If you are unsure which categorization your additional accounts fall under, see Legacy Secondary Accounts or contact 6-TECH.

Are there privacy and legal implications related to the use of a personal device for multi-factor authentication (MFA)?

No. Use of one’s personal device for MFA does not subject the device to disclosure under the public records act or in litigation, unless the user has university-related business on a personal device. There is no distinction between using a personal device for any kind of University business and using it for multi-factor authentication. The legal obligations required by the public records act or during discovery in a lawsuit are not related to the ownership of the device. Instead, it is the content contained on the device that would be subjected to either of these provisions, irrespective of where the content is housed. If the content being communicated is related to University business, the content may be subject to disclosure under the public records act or in discovery. It is for this reason that we encourage the use of University tools to communicate University business.

Can the University mandate that employees use personal devices for University business?

Yes. In fact, North Carolina law permits an employer to require employees to provide tools needed to perform their job duties (required uniforms, necessary supplies, specialized tools). Use of personal devices for MFA provides significant protection for the University as a whole, without any significant financial cost to the employees. In this instance, although the University could mandate that employees use personal devices for the performance of University duties, the University is not doing so. Using a personal device for MFA is one option to verify identity. See the University Position on Multi-Factor Authentication at UNCG for more information.

Will the University provide an additional university-owned device or Mobile Communication Device (MCD) Allowance for MFA?

No. The best option for a second factor is a cell phone or tablet. The Microsoft Authenticator app is paired with a University community member’s identity and delivers the following verification tool options:

  • Online Push notification, where the app notifies the user to approve or deny a request
  • One Time Code (virtual token), where the user looks up a code generated by the app and enters it during login
  • Receipt of a code via SMS text to the cell phone, which does cellular (This option is less secure and will soon be obsolete)
  • A Voice call to a pre-defined number for the user to verify (This option is less secure and will soon be obsolete)
  • Hardware tokens

Most users find authentication using one of the first four of the previously discussed methods preferable due to convenience. Use of a personal device involves no significant cost to individual employees, and MFA can be configured in such a way that the end user is only required to re-authenticate once every 15 days.

Mobile Communication Device (MCD) allowances intended for this sole purpose will not be permitted. The purchase of new university devices to be used solely for this purpose will not be permitted. MCD allowances are given to employees who are required to utilize their personal mobile communication devices/services to conduct state business when their duties and responsibilities require mobile communication and/or remote internet access. This includes making and receiving telephone calls, reviewing and transmitting business documents, and other similar activities. The use of a personal device for MFA does not meet the criteria allowing payment of an MCD.
