Why is the Commonwealth introducing MFA?
MFA is an important part of our efforts to keep the Commonwealth’s information and assets safe and secure, by making it more difficult for attackers to access our systems with login credentials obtained by phishing, guessing, or theft. After financial and healthcare organizations, public sector organizations are the third most targeted organizations by hackers, with stolen and/or weak passwords leveraged in 81% of all hacking-related data breaches. (Source: Verizon’s 2017 Data Breach Investigations Report, available here).
Private sector organizations are not immune from these types of attacks either, and you may well be prompted for MFA before you access your bank account online or your personal emails. In July 2018, Timehop announced that the personal data of 21 million users had been breached by attackers who had discovered the login credentials of one of its administrators. Timehop has subsequently introduced MFA for all its employees (Source: Tech Crunch, available here).
What is Multi-factor Authentication (MFA)?
MFA is when a user is prompted for at least two pieces of identification when logging into services or applications. The first is normally a password (something they know), and the second is something they have rather than something they know — like a randomly generated PIN that is sent to them via a text message or generated by a mobile authentication application. MFA is offered by many different online services, including most email providers and banks.
What cybersecurity threats does MFA help us guard against?
If an attacker discovers a user’s password, through phishing attacks, leaks and data breaches, or simply guessing it, then having MFA turned on would decrease — but not completely prevent — the likelihood of unauthorized users gaining access to Commonwealth emails and services.
I am already enrolled in MFA using Idaptive (formerly Centrify). Why do I need Microsoft Azure AD MFA?
We are standardizing on Azure AD MFA for all users who access applications used by the Commonwealth or data owned by the Commonwealth. In some cases, you may still be required to use Idaptive for specific applications, so some users will need to maintain both Centrify/Idaptive and Azure AD MFA authentication profiles.
When and how often will Commonwealth employees be prompted to sign in using MFA?
Whenever they:
- Connect to the Commonwealth secure network after either being disconnected or logging in for the first time;
- Try to access Commonwealth applications and files (including O365 applications and OWA email) either when not connected to the Commonwealth secure network/working from a remote location or logging in for the first time;
- Reset or change their Azure AD password; and
- At least once every ninety (90) days (security default).
Note that Commonwealth employees must complete a one-time setup to sign up for Azure AD MFA.
Do I have to use my personal mobile phone/device?
If you have a Commonwealth-issued mobile device, you can set it up as your MFA device. We expect that most people will need to use their personal mobile device for MFA.
The recommended mobile authenticator apps do not use up mobile phone data or share personal information with the Commonwealth. According to Microsoft, “The codes don't require you to be on the Internet or connected to data, so you don't need phone service to sign in. Additionally, because the app stops running as soon as you close it, it won't drain your battery”.
If you choose to enter your mobile number to use the SMS/text message or the phone call/PIN option this number will NOT be visible to other employees in the Commonwealth’s address book. The details of your Azure AD MFA profile are not published.
**PLEASE REFER TO YOUR CURRENT VOICE & DATA PLAN FOR MORE INFORMATION ON INCOMING CALL AND TEXT MESSAGE FEES**
What is my user ID for the Azure AD MFA Portal?
Go to: https://myaccount.microsoft.com/
Enter your Commonwealth email address.
For example: <firstname>.<lastname>@mass.gov
What MFA options can I use if I do not have a mobile phone?
If you have a mobile phone, but do not have a smart phone, you can still use the text message and phone call/PIN options.
There are several options available for users who do not have any kind of mobile or cell phone:
- If you have a tablet or other Android or iOS-powered device then you may be able to install a mobile authenticator application on this – check your app store to see what’s available.
- If you plan to access Commonwealth resources from home then you will still be able to use the phone call/PIN option, using your home phone number to receive the call. To do this, enter your home phone number in the ‘mobile phone’ field in the Portal (see the instructions on setting up the phone call/PIN option). The number will NOT be visible to other employees in the Commonwealth’s address book.
Do I have to use MFA?
MFA is a critical pillar of the Commonwealth’s cybersecurity program – namely stopping phishing attacks and unauthorized access by users who have obtained the login details of Commonwealth employees. You are expected to take reasonable precautions to protect yourself and the Commonwealth from unauthorized access to your account.
Can I use my desk phone to receive my PIN?
This will only work if you have access to your physical desk phone (i.e., you are working inside the office) or to the softphone application linked to your desk phone. If you are not working in the office and do not have access to the softphone application for your desk phone, then you must set up your MFA profile to use your mobile phone or a mobile authenticator application on a smartphone.
If I set my desk phone to forward calls to my cell, will my mobile phone number appear in the GAL?
No. Only phone numbers entered directly in the portal will appear in the Global Address List.
Will I be prompted for MFA if I have a VPN?
MFA will be required regardless of physical location. Personnel will be prompted for MFA when attempting to log in to the network or to access Commonwealth applications and files, including Office 365 applications.
What options can I use if I don't have a smart phone?
You can use the SMS/text message and the phone call/PIN options. You should note that if you choose to enter your mobile number to use the SMS/text message or the phone call/PIN option then this number will NOT be visible to other employees in the Commonwealth’s address book.
I live in an area with poor mobile phone coverage. Which MFA options can I use?
The mobile authenticator app does not require a mobile phone signal or a data connection to generate codes, so it can be used in areas with limited mobile phone coverage. You will only need a data connection (mobile data or wireless internet) to download your preferred app and to register it with your account.
What are my options if I don't want to have my mobile phone number entered in the GAL?
Details of your Azure AD MFA profile are not published in the Global Address List.
What personal information of mine is shared with the Commonwealth via mobile authenticator apps?
None of the details entered in your Azure AD MFA profile are shared with any applications.
How do I access Office 365 products and apps outside of the Commonwealth's networks?
Information on accessing Office 365 apps and products, including downloading Office apps to your personal device can be found here:
I am outside of the Commonwealth's networks and I have forgotten to set up MFA. What can I do?
Your service desk will be able to unlock your account for 10 minutes so you can go to the portal and set up your preferred MFA method.
I have lost my phone outside of the Commonwealth's networks and I cannot access O365. What can I do?
Your service desk will be able to unlock your account for 10 minutes so you can go to the portal and set another MFA method. This could be using a friend’s phone or your home phone (via the phone call/PIN option). Remember to change your MFA method back to your device when you retrieve it.
I purchased a new phone and want to move my authenticator app to this new phone. How do I do this?
Please follow the instructions to set up a new mobile authenticator app on your new phone. This will disable your app on your existing device.
How can I request a hard token authenticator?
Hard tokens are no longer supported in the Commonwealth.