Multi-Factor Authentication - JHU

INTRO

JHU IT now has new authentication security protection measures in place for several of their central services in the form of Multi-factor Authentication (MFA).
For example, both your online JHU W2 and Employee Self Service (ESS) in MyJH use it. The JHU VPN system from JHU requires MFA as well. ("Two factor authentication" is a type of MFA you might have heard of before.) We will see more and more JHU sites/services requiring MFA, and you will need to configure your MFA access.
JHU uses Microsoft Azure for providing JHU's Multi Factor Authentication service.

Details About The JHU Multi Factor Enrollment And Use Process

For more details on JHU's implementation of MFA and and instructions on how to configure and use it, please visit WSE IT's documentation on the subject at:
http://wseit.engineering.jhu.edu/get-help/multi-factor-authentication
JHU's Azure MFA page to enroll or manage your MFA configuration can be found at:
https://it.johnshopkins.edu/services/directoryservices/jhea/AzureMFA/AzureLoginMFA
Also, we will outline the basic steps to set up MFA directly below...

Setting Up Multi-Factor Authentication

To get started with MFA, you will need to visit the Azure MFA Resource Center's Enrollment Page to enroll.
That page and its video will show you how to enroll your JHED ID with the Azure MFA. The video is very helpful in explaining the process. You are encouraged to watch it all the way through.

Authenticators

As part of the MFA setup process, you will end up having to choose an authenticator method to use. There are several authenticator methods:
  • Text your phone for approval to connect to the website. Called Push-To-Approve, your phone would receive a text from the secured JHU website asking you to approve the connection. You would use the Microsoft Authenticator app to respond to that prompt. As of Fall, 2022 (estimated November 16, 2022), JHU is removing the method that some users have used, called "Notify me through App (Push to Approve)", where JHU would text you to approve the connection access. Instead, you will need to use one of the below methods, where you'll need to enter a numerical authentication code (what JHU calls, Number Match.)
  • Text your phone for a numerical code: Being implemented Fall, 2022 When JHU needs you to enter your MFA code during login to JHU's MFA-required pages/apps, they will text your phone with the MFA code that you will use to enter into whatever prompt they send you. You may need to do this via a Microsoft Authenticator app you'd run on your device. This is called the "Number Match" method.
  • Use an app/program: This method will continue to remain With this method, you are not texted by the website. Instead, the website will prompt you to enter a code. On an authenticator app you'd install on your phone or computer, you would run the authenticator app, and that will provide a 6-digit number code to enter when you are prompted at JHU for your MFA code. JHU suggests you use the Microsoft Authenticator App (for Windows) to generate that numerical code. You can download Microsoft Authenticator according to instructions from the enrollment process video. Additionally, you can choose to run other authenticators to run (under Windows) instead, including a program called WinAuth. Macs, Androids and IPhones have various authenticators available as well. Note that the codes are generated using time-based factors... so, the code you generate needs to be entered soon (up to a minute) when you are prompted, otherwise, you need to generate another code.

Adding An MFA Authentication Method Or Changing Your Default MFA Authentication Method

Once you have your MFA set up... By default, the MFA authentication process seems to make texting your phone the way JHU provides you your MFA code. Some users might want to change this from receiving a text from JHU to using an authenticator app (e.g., WinAuth on PC or a similar app on a phone, for instance, as described above) instead.
  • To change your default authentication method, simply log into https://mysignins.microsoft.com/security-info Once logged in, if you're not directed directly to the Security Info page, simply click Security info on the left. You'll see a list of your authentication options, and you can change the default option to using a Hardware Token (Authenticator App) instead of the Phone (text) option.
  • It is also recommended to add an additional authentication method -- should your phone (or your app) be unavailable, you will have an alternative method with which to authenticate with MFA. To add a new/additional authentication method, again log into https://mysignins.microsoft.com/security-info (and click Security info on the left, if needed) and choose Add method (it is preceded by a blue plus sign.)


NOTE: If you have any issues with setting up Multi-factor authentication, you should contact JHU IT Support.