
Frequently Asked Questions about Multi-factor Authentication

What is multi-factor authentication (MFA)?

"Authentication" in IT speak can usually be generalized just to mean "login," so multi-factor authentication (commonly abbreviated to "MFA") describes a login process that requires a second factor in addition to your account password. In most cases, this is done by using a smart phone app to confirm your identity after you enter your password. Many people are already experienced with MFA, even if they're not familiar with the term, since it is a common requirement for most online banking services. MFA is also a very common method for adding extra security to social media accounts.

Basically, having MFA on your CMU account just means that, after you log in like usual, you will occasionally use a smartphone app to confirm that the login was you. This prevents unauthorized access to your CMU account, even if someone gets their hands on your password. MFA is one of the most powerful security tools for preventing your account from being compromised.

Why am I required to use MFA?

These days, online accounts contain an increasing amount of personally identifiable information. At the same time, passwords have become increasingly easy to compromise through phishing, social engineering, or other common methods. Relying solely on a password to protect your account isn't always enough. Adding MFA to your account provides an additional layer of security to keep your account and data safe.

Consider all of the too-good-to-be-true messages you receive about walking dogs for unbelievable sums of money, or think about the last time you received a suspicious email claiming that your CMU account will be closed if you don't reply with your Global ID and password. Those are both common scams. Even if you fall for one of those scams, the scammer won't be able to access your CMU account with just your password if you already have MFA enabled.

Now consider how many of those phishing emails come from CMU email addresses. The more accounts we secure with MFA, the fewer compromised accounts there are to deliver internal phishing messages.

Who is required to use MFA at CMU?

All current students, faculty, and staff at CMU are required to use MFA to access their accounts. Alumni are not licensed for Duo MFA. After graduation or separation from CMU, once you are no longer a current student, faculty, or staff member, you will stop receiving MFA prompts.

I'd rather not use MFA. Can I just accept the security risks?

MFA is required not only for your protection, but for the protection of everyone else at CMU, so it's not possible to opt out of MFA. Scammers often use compromised CMU accounts to send phishing emails to the rest of campus, since emails that stay within CMU's email system are subject to less spam scanning than external emails. This makes compromised accounts a security problem for everyone, not just for the account holder.

When do I need to log in using MFA?

You will only need to use MFA to confirm your identity when you log into CMU's online services from off-campus locations. You won't be prompted to use MFA as long as you're connected to CMU's Wi-Fi or wired network. We set it up this way to eliminate as much inconvenience as possible, since we can be reasonably sure that you're not a major scammer if you're located on campus.

How often do I need to use MFA?

By default, you will need to use MFA to confirm your identity each time you log in from off-campus. However, if you are on a trusted device, we recommend checking the "Remember me for 30 days" box on the MFA confirmation screen. That will prevent additional MFA verification on that device for 30 days.

Note: The "remember me" check box is both device- and browser-specific. You will still receive MFA prompts on other devices (or on the same device if you use a different web browser), but you can check the "remember me" box for those as well.

How do I set up MFA?

Setup is simple, requiring you to install an app on your phone and go through a brief activation process:

  1. Download and install Duo Mobile from your phone’s app store. (Note: Make sure not to install Google Duo, which is a different app that is used for video chats, not MFA.)
  2. Visit in your phone’s browser from an off-campus network or using cellular data, then click the Log In button.
  3. Log in with your Global ID and password as usual.
  4. Choose to enroll in MFA now if asked.
  5. Choose Mobile phone and enter your phone number, then continue.
  6. Open Duo Mobile when asked, and the app will complete the setup for you.
  7. Your Duo MFA is now active, and you can choose Send Me a Push when logging in to receive the MFA prompt on your phone.

Do I have to use my smartphone for this?

We highly recommend using your smartphone unless it's absolutely impossible for you to do so. Using the Duo Mobile app allows you to confirm your identity by pressing a button from a simple, on-screen prompt. The app also provides a constantly changing code that you can use instead if your phone does not have an active internet connection for any reason. If using the Duo Mobile app truly isn't an option for you, contact the OIT Help Desk to discuss potential alternatives.

How do I change devices or add a new device for MFA?

First, we strongly recommend that you set up Duo Mobile on your new phone before wiping your old phone. That simplifies things dramatically, because it lets you use the old device to confirm your identity so that you can add the new device. With that in mind, just check out our knowledge base article on adding or changing an MFA device for step-by-step instructions (login required).

Of course, it's easy to get caught up in the excitement of getting a new phone, so the OIT Help Desk can help out if you find yourself without a current MFA device.

Note: If you have already set up the question and answer to your account security question, you have access to self-service options for your CMU Global ID account, including MFA configuration, which is found on our My Account site.

Can I use multiple devices with Duo Mobile?

Absolutely. After you've enrolled your first MFA device, just set up a second phone or tablet for MFA by following our knowledge base article on adding or changing an MFA device (login required). While most people find that using one device for MFA is sufficient, it never hurts to have a backup in case your phone breaks. Just remember to keep your backup MFA device in a secure location!

Note: If you have already set up the question and answer to your account security question, you have access to self-service options for your CMU Global ID account, including MFA configuration, which is found on our My Account site.

How much data does it take to use Duo Mobile?

Using the "push" method of verifying MFA (which sends a notification to your device for you to accept) uses only about two kilobytes (2KB) of data, which is an incredibly small amount. It would take about 500 MFA pushes to equal one megabyte (1MB), which is also a very small amount of data.

Can I instead receive a text message with a code?

Unfortunately, SMS ("short message service," the common standard for text messages) isn't as secure as it is commonly believed to be. Through social engineering, SIM jacking, or exploiting established vulnerabilities with SMS, text messages have been a weak link in the security chain for years. Because of these inherent vulnerabilities, CMU does not allow for SMS-based MFA confirmation.

What counts as being "on campus" for MFA purposes?

Being "on campus" means being connected to CMU's network over either Wi-Fi or a wired connection. This includes CMU's Mount Pleasant campus and some of CMU's satellite locations, but that depends on how their network is configured. Some things that seem like they might count as on campus do not. Notably, connecting to CMU's VPN network still requires MFA, as does using the Virtual Lab--even if you're accessing it from on campus.

Can I use another authenticator app instead of Duo Mobile?

Only the Duo Mobile app can be used to receive MFA authorization push requests from Duo. Duo Mobile can act as an authenticator app for other services (but not the other way around), so you may prefer to add your other accounts to Duo Mobile. Unfortunately, using another app (e.g., Google Authenticator) for Duo is not supported.