Understanding the Two-Factor Authentication (2FA) Requirement and Implementation with Microsoft Azure
Introduction
As part of our ongoing commitment to security, we are implementing Two-Factor Authentication (2FA) for staff accounts accessing KPBSD resources while outside the KPBSD network. As 2FA has become a widespread requirement for online access across various industries, our implementation focuses on staff accounts, which have a higher level of access to sensitive and protected information. This knowledgebase article will provide an overview of the importance of 2FA, the second factors that can be used, and how the activation process works with Microsoft Azure.
Importance of Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) is an essential security measure that adds an extra layer of protection to your account. By requiring two distinct forms of identification during the login process, 2FA significantly reduces the risk of unauthorized access to your account, even if your password has been compromised. This increased security helps protect sensitive data and resources from potential cyber-attacks and ensures that only authorized users can access their accounts.
Second Factors for 2FA
When implementing 2FA, you will need to select a second factor to complement your existing username and password. The following options can be used as a second factor:
- Text messages with an existing mobile phone: After entering your username and password, you will receive a text message containing a one-time passcode (OTP) that you must enter to complete the login process.
- Authenticator app on an existing mobile phone: After entering your username and password, an authenticator app (e.g., Microsoft Authenticator) will generate a one-time passcode (OTP) that you must enter to complete the login process.
- Phone call to a mobile or landline: After entering your username and password, you will receive a phone call that reads out a one-time passcode (OTP) that you must enter to complete the login process.
Activating 2FA with Microsoft Azure
Our 2FA implementation is powered by Microsoft Azure, ensuring a seamless and secure user experience. All staff accounts will be automatically enrolled in 2FA beginning July 1, 2023.
What to Expect When 2FA is Activated
When you access a KPBSD resource from outside the network for the first time after the 2FA requirement has been implemented, you will be prompted to establish a second factor for your account. The following steps describe the user experience during the setup process:
Step 1: Sign in to a KPBSD resource
When you sign in to a KPBSD resource, such as Office 365, Google Apps, or Webmail, enter your username and password as usual.
Step 2: Azure prompts for more information
After you enter your username and password, Azure will prompt you for more information. This indicates that you need to set up your second factor. Click on the Next button to proceed.
Step 3: Choose your preferred second factor
By default, Azure will offer the Microsoft Authenticator app. To choose a different method (such as a phone), click I want to set up a different method and choose your preferred method from the provided options. Follow the on-screen instructions to complete the setup process.
Authenticator App
- Install the Microsoft Authenticator app (or a compatible app) on your mobile device.
- Open the app and click the "+" button to add a new account. If prompted for account type, select Work or school.
- When prompted, scan the QR code displayed on the Azure setup screen.
- Approve the authentication request on your phone, or enter the one-time passcode (OTP) generated and click Next to complete enrollment.
Phone Call
- Enter your phone number.
- Choose whether you would like to receive the one-time passcode via text or call.
- You will receive a text message or phone call containing a verification code.
- Enter the verification code on the setup screen and click Next.
Step 4: Confirmation and Backup Methods
After successfully setting up your second factor, a confirmation message will be displayed. The system may also prompt you to add a backup method for account recovery. Follow the on-screen instructions to set up a backup method, if desired.
Managing or Updating Your 2FA Methods
You can add, modify, or delete registered 2FA methods for your account by visiting https://aka.ms/mfasetup.
Conclusion
Implementing Two-Factor Authentication (2FA) is a critical step towards ensuring the security of KPBSD resources and protecting sensitive information. By understanding the importance of 2FA and the available second factors, you can make an informed decision on the best authentication method for your needs. Furthermore, our integration with Microsoft Azure ensures a seamless and secure user experience throughout the activation and authentication process.