Microsoft MFA

Enroll Now

Utah State University is replacing Duo with Microsoft Multifactor Authentication to better defend against increasing social engineering cyberattacks, meet new regulatory requirements, and more economically extend safeguards for sensitive data to all University groups.

Faculty, Emeriti, Staff, and Student Employees

Faculty, emeriti, staff, and student employees should do this as soon as you are able. If you haven't opted-in before August to Microsoft MFA, you will be required to make the change at login. Benefits include:

Significantly reduce or eliminate MFA fatigue attacks
Better meet USU cybersecurity insurance requirements
Ability to go passwordless

Students

Students may also choose to opt-in for Microsoft MFA voluntarily for the following benefits:

No password expiration
Better account security and data protection
Ability to go passwordless

Steps to Opt-in

Once you begin the opt-in process, you must complete every step. Please allow yourself adequate time to complete all the steps in one session.

Opt-in through ServiceNow

Go to ServiceNow and submit the request. All new employees after May 25 are automatically enrolled and do not need to submit this request; please continue to step 2 below.

Link your account

On a desktop, laptop, or tablet, visit usu.edu/mfasetup

Login with your A#@aggies.usu.edu and strong password
Select Next to provide more information
Select Next when prompted to download the app (this will be done in a later step)
Select Next to set up your account. A QR code will appear to be scanned later

After completing step 3, be sure to return to your desktop, laptop, or tablet to click Next.

Download the free app

Go to the app store for your device and download the Microsoft Authenticator app (Apple | Android).

On your mobile device, open the Microsoft Authenticator app. If you have a screen lock enabled on your device, you will need to use it to unlock the app. This can be disabled in your Authenticator app settings.

Select the + button in the top right corner
Choose work or school account
From the pop-up, select scan QR code and scan the code from your desktop. If large text is enabled on your device, navigate the screen until the QR code option is accessible.

On your desktop or laptop, click Next

Now that you’ve tested, we HIGHLY recommend setting up a phone number, secondary mobile device, or a USB security key as a backup option. This ensures you can access your account even if your primary device is unavailable.

Need Support?

If you need help with any of these steps or encounter any issues, restart your mobile device. If the issue persists, please reach out to your assigned technical support professionals (for staff & faculty) or the IT Service Desk.

Systems Still Using Duo

The following services will still require Duo (if you have employee status), so please keep the Duo application on your devices if you presently use it. Eventually all systems will move to Microsoft MFA.

Cisco VPN
Citrix (secureapps.usu.edu)

Quick Links

Helpful resources as you opt-in and get set up with Microsoft MFA at USU:

Opt-in for Microsoft MFA (KB Article)
How to Manage Microsoft MFA Devices for Your Account (KB Article)
Frequently Asked Questions

Frequently Asked Questions

Learn more about supported devices, USB keys, authentication options, etc.

Will my Duo fob work?

Unfortunately, the Duo fob only works with the Duo platform. Affordable security keys are available to purchase. For more information and guidance on purchasing options, refer to the Security Key KB Article.

What devices are supported?

Apple and Android devices (including smartphones and tablets) that support the Microsoft Authenticator App
Physical USB Security Keys
Other phone numbers that can receive a voice call.
If possible, you should have more than one device or phone number registered.

What are my authentication options?

Mobile Notification Push: Microsoft Authenticator App and mobile device required. You will be asked to enter the two-digit number displayed on the website into your mobile device. Your device must have wifi or cellular connectivity.
Mobile Verification Code: Microsoft Authenticator App and mobile device required. You will be asked to enter a six-digit “one-time password code” from your Microsoft Authenticator App into the website. No cellular or wifi connectivity is required! Works on an airplane, for example.
Phone Call Verification: Microsoft will place a voice call to a registered phone number. You will acknowledge the call on the phone keypad.
Physical USB Security Key: Enables authentication without a mobile device or phone, as long as that computer has a compatible USB port and supported web browser. Great for classroom or airplane use without a phone.
You can enroll and manage devices and options at https://usu.edu/mfasetup. If possible, you should have more than one device or phone number registered.

How do I enroll, add, or remove mobile devices, phone numbers, or security keys?

You can make changes to your authentication settings and devices by visiting Microsoft's Security Verification page. For instructions, see our Authentication Options FAQ.

How do I change or update my authentication method?

You can make changes to your authentication settings and devices by visiting Microsoft's Security Verification page. For instructions, see our Authentication Options FAQ.

What if I don't want to use my personal device or do not own a smart phone?

You can opt to purchase and use a USB security key. We recommend still setting up a phone number as an alternate method in case you forget or lose the security key. See our Authentication Options FAQ.

What if I forget my mobile device or security key at home?

Use one of your alternate methods of verification (e.g. phone call)
If you have no alternates available, Contact the Service Desk

What are USB security keys and how can I get one?

USB security keys enable MFA on compatible browsers without a phone present. For example, on an airplane or in a classroom without your phone, etc.
See the USB Security Key information page

I got a new phone. What should I do?

If you kept the same phone number, and have added the number as an alternative form of authentication. Select the option: “I can’t use the app right now” to sign into your account, then add a new authentication option.
If you got a new phone number, Contact the Service Desk

I have lost or misplaced my phone or security key and have no other options. What should I do?

Contact the Service Desk

Can I use my smartwatch to authenticate?

When receiving a Mobile Notification Push your smartwatch may notify you, however, you will be required to enter the two-digit code on the phone. Microsoft Authenticator does not support entering the two-digit code from a watch.

How can I go passwordless and what does that mean?

To go passwordless means you don’t have to enter your strong password each time you login
Microsoft MFA allows you to go passwordless using the Authenticator App or a USB security key. We are working to develop instructions, please check back later.

How does switching to Microsoft MFA make life easier?

Your strong password will no longer expire automatically each year (we will contact you proactively if your password is at risk and needs to be changed).
It will help safeguard your USU data and accounts.
It better protects you against social-hacking efforts like MFA push fatigue.

Duo Fob
Supported Devices
Authentication Options
Enroll, Add, or Remove Mobile Devices, Phone Numbers or Security Keys
How do I change or update my authentication method?
What if I don't want to use my personal device or do not own a smart phone?
What if I forgot my phone or security key at home?
USB Security Keys
What do I do when I get a new phone?
What can I do if I don't have my phone and I didn't set up an alterative method?
Will my smartwatch work?
Going Passwordless
Benefits of Microsoft MFA