Using multi-factor authentication (MFA) while outside the District's network
This article discusses the District's implementation of multi-factor authentication (MFA) using Microsoft Azure, with the intent of giving you the information you need to make the right choices for yourself. It covers the importance of MFA, the second factors that can be used, and how the activation process works with Azure.
The importance of multi-factor authentication
MFA has become a widespread security requirement for online access across various industries; for example, many of us are already familiar with the practice through what our personal banking institutions require of us to access our accounts online. As part of our own ongoing commitment to security, the District in July 2023 implemented two-factor authentication (aka 2FA), the simplest form of multi-factor authentication, for staff accounts when accessing KPBSD resources while outside the District network. (We focus on staff accounts because those inherently have a higher level of access to sensitive and protected information.)
The whole point of MFA is to add an extra layer of security protection to your account, when you are outside the protections afforded by our internal network. By requiring two distinct forms of identification during the login process, we significantly reduce the risk of unauthorized access to your account, even if your password has been compromised. This increased security helps protect sensitive data and resources from potential cyber-attacks, and ensures that only authorized users can access their accounts.
How it works, summarized
Here's how the process works. When you attempt to access a District resource requiring account authentication (e.g., Webmail, Google Docs, PowerSchool, Canvas, etc.), you will first be presented with the normal challenge to provide your account credentials (e.g., E-number and password). Once that is accepted, what happens next depends on where you are. If you are within the District's network, you should go straight to the resource you are trying to reach; the network itself provides additional layers of security protection. If you are outside the District's network, you don't have those protections, and so you will then be challenged for a second, independent authentication factor for additional account security. Once you supply the second factor and it is accepted, you will then go to the resource you are trying to reach. (And, once you have supplied that second factor, it will remain effective for an interval of time--meaning, if you are in and out of your email all weekend, you shouldn't "get 2FA'd" every time you open your mail. You'll know the interval has expired when you get challenged for your second factor again.)
First-time setup. If you have never set up your account's option for a second factor, or if your account has been administratively cleared to allow you to re-register your second factor, you will be guided to register a second factor during the above process. (See below for details.)
Change in devices or phone numbers. If your MFA method is text message and you get a new phone, or if your MFA method is an authenticator app and you get a new device, you will need to unregister the old details and register the new ones. There is a tool to assist you in doing this yourself (see below for details), or you can contact the Helpdesk and we can administratively clear the path for you to register a new method.
Managing your own methods. There is a resource (see below for details) to allow you to manage your own MFA methods, if you want. (You can also call us, of course.)
Second factors for authentication
For your staff account, you will need to set up a second authentication factor to complement your existing username and password. The following are the options that can be used as a second factor, and the behavior you'll see when using them:
- Text messages with an existing mobile phone. After entering your username and password, you will receive a text message containing a one-time passcode (OTP) that you must enter to complete the login process.
- Authenticator app on an existing mobile device. After entering your username and password, an authenticator app (e.g., Microsoft Authenticator) will generate a one-time passcode (OTP) that you must enter to complete the login process.
- Phone call to a mobile or landline. After entering your username and password, you will receive a phone call that speaks a one-time passcode (OTP) that you must enter to complete the login process.
Registering your second factor
As summarized above, when you access a District resource from outside the network and you do not have a registered method on your account, the flow of the MFA challenge will automatically guide you into the prompts to register a second factor for the account. The following describes the user experience that triggers and goes through the registration process:
- Sign in to a KPBSD resource. First, you sign in to a District resource, such as Office 365, Google Apps, or Webmail, with your username and password as usual.
- Azure prompts for more information. After accepting your credentials, Azure will see that a second factor does not yet exist on your account, and will prompt you to register one. Click on the Next button to proceed.
- Choose your preferred second factor. By default, Azure will guide you toward the Microsoft Authenticator app, but that is not your only option! Many people prefer a simple text message, and you just need to be on the lookout for the text link that offers that option; it will appear as "I want to set up a different method". When you see that link, click it to register a phone number for a text message or phone call.
- Continue to your requested resource. After the registration process is complete and confirmed, you should be able to continue on to your originally-requested resource.
Note that during this setup/registration sequence, once you are on the right path for your choice--either for the default Microsoft Authenticator app, or for registering a phone number for text message or phone call--the on-screen instructions are reasonably self-explanatory, but the following notes illustrate a few key points for each chosen path.
For an authenticator app
You'll be working both within the browser-based registration process described above, and also with the device you'll be using the method with, at the same time. (Sometimes, your browser is on the device you'll be using to provide 2FA, and other times it will be a separate device like your District laptop.)
- You'll need to install the Microsoft Authenticator app (or a similar, compatible authenticator app) on your mobile device.
- Open the app and click the "+" button to add a new account. If prompted for account type, select "Work or school".
- When prompted, scan the QR code displayed on the Azure setup screen.
- Approve the authentication request on your phone (or enter the one-time passcode (OTP) generated), and click Next to complete enrollment.
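As an added illustration (not part of the District's article or Microsoft's own code), the following Python models the OTP-generating path of the authenticator app described above: the secret the app keeps after scanning the setup QR code, the time-based code it displays, and the server-side check that accepts a code only for a short window and never twice. The secret value is the RFC 6238 test key, used here as a constructed example; a real enrollment uses a random one.

```python
import hashlib
import hmac
import struct
import time

# Constructed example secret: what the app stores after scanning the setup QR code.
# (This is the RFC 6238 test key; a real enrollment uses a random secret.)
SECRET = b"12345678901234567890"
STEP = 30      # seconds each code is valid
DIGITS = 6     # length of the displayed passcode


def totp(secret: bytes, unix_time: int) -> str:
    """The code the authenticator app shows at a given moment (RFC 6238, HMAC-SHA1).
    No network is needed: only the shared secret and the current time go in."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify(secret: bytes, submitted: str, unix_time: int, used_counters: set,
           window: int = 1) -> bool:
    """Server-side check. Accepts the current time step or one step either side
    (to absorb clock drift), and refuses a step that has already been redeemed,
    so a code that was seen once cannot be presented again within its window."""
    current = unix_time // STEP
    for counter in range(current - window, current + window + 1):
        if counter in used_counters:
            continue
        expected = totp(secret, counter * STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    redeemed = set()
    code = totp(SECRET, now)
    print("app shows:", code)
    print("first use accepted:", verify(SECRET, code, now, redeemed))    # True
    print("second use accepted:", verify(SECRET, code, now + 5, redeemed))   # False
```

This is why a code from the app keeps working for roughly half a minute and then stops, and why the phone's clock must be reasonably accurate.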
For a text message or phone call
Similarly, you'll need to have handy, during registration, the phone you'll be using to register the MFA method. Once you've indicated you want to register a phone number and not an authenticator app:
- Enter your phone number.
- Choose whether you would like the one-time password via text or call.
- You will then receive a text message or phone call containing a verification code.
- Enter the verification code on the setup screen, and click Next to complete enrollment.
Managing or updating your own MFA methods
You can add, modify, or delete registered MFA methods for your account by visiting https://aka.ms/mfasetup.
One quirk of leaning on this Azure tool, which you should keep in mind, is that there will be perfectly logical scenarios in which you cannot use it even if you want to. If you're away at a conference, for example, and you've just got a new phone, you may not be able to change your MFA method, because Azure will require you to provide the existing MFA method on record to access the tool itself. In this case, you'll need to contact the Helpdesk. (A good incentive to be proactive whenever possible!)
And, in having to contact the Helpdesk for assistance, please understand that in some scenarios we may have to validate your request ourselves. Remember that the whole point of this MFA exercise is to keep your account secured against threat actors, and we cannot honorably do that by simply greenlighting any incoming call from an outside line from someone whose voice we may not immediately recognize. We'll do our best to recognize you as quickly as possible and get you on your way, but understand that we may need to use different ways of challenging you to make sure that the caller we're talking to on the phone is, in fact, you, and not a scammer. We understand that such a call, when it is legitimately from you, is sometimes made in the middle of trying to do something important, but please bear with us as we try to be honorable to the whole point.
For more information
The District implemented Azure MFA as a critical step towards ensuring the security of KPBSD resources and protecting sensitive information. Azure provides a reasonably seamless experience for the user, and the above information should give you at least a start on what you need to make the right choices for yourself. If you need further information, we're always happy to talk with you about it; just contact the Helpdesk and we'll help you get what you need.