⚠️ WARNING: This article is intended for participants in the MFA Modernization Pilot only. If you are not a pilot participant, the information in this article may not apply to you. Contact the IT Service Desk if you have questions about your current sign-in experience.
This article describes the multi-factor authentication (MFA) methods available to University of Maine System (UMS) users, which methods are recommended, and which are not allowed.
Detailed Information
MFA method explanations
Passkeys
Passkeys are the preferred MFA method at UMS because they are phishing-resistant: the private key never leaves your device, your browser ties every sign-in to the real website address, and the service only stores a public key. A fake login page therefore cannot capture anything it could reuse, and a data breach of the service does not expose a usable secret. When you use a passkey, you verify your identity with biometrics (fingerprint or face recognition) or a PIN on your device. You do not need to enter your password separately.
There are two types of passkeys:
- Device-bound passkeys are stored on one specific device (such as your phone or a YubiKey) and cannot be copied elsewhere. They are the most secure option.
- Syncable passkeys are backed up to a cloud account (such as iCloud or Google) and are automatically available on any device you sign in to with that account. They are very convenient and still phishing-resistant, though they are only as secure as the Apple or Google account that holds them, so protect that account with a strong password and its own MFA.
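Why a passkey cannot be phished comes down to one check the service performs on every sign-in: the browser writes the address it is actually connected to into the data the device signs, and the service rejects anything signed for a different address. The following is an added illustration of that check, not code from this article, from UMS or from Microsoft. The addresses are hypothetical, and an HMAC key stands in for the public/private key pair a real passkey uses, because the point being shown is the origin binding rather than the signature algorithm.

```python
import hashlib
import hmac
import json
import secrets

# Hypothetical addresses; the article does not name the real sign-in host.
RP_ID = "login.ums.example"
EXPECTED_ORIGIN = "https://login.ums.example"
PHISHING_ORIGIN = "https://login-ums.example"   # constructed lookalike address


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class Authenticator:
    """The device half of a passkey. A real passkey holds an ECDSA/EdDSA private
    key; an HMAC key is used here as a stand-in so the example needs only the
    standard library. Either way the secret never leaves the device."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> tuple:
        flags = b"\x05"                      # user present + user verified (PIN/biometric)
        counter = (0).to_bytes(4, "big")
        auth_data = rp_id_hash(rp_id) + flags + counter
        # Signed message = authenticatorData || SHA-256(clientDataJSON), so the
        # origin the browser recorded is covered by the signature.
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        sig = hmac.new(self.secret, to_sign, hashlib.sha256).digest()
        return auth_data, sig


def browser_client_data(challenge: str, origin: str) -> bytes:
    """The browser, not the web page, fills in the origin it is connected to."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()


def verify_assertion(verify_key, auth_data, sig, client_data_json, expected_challenge):
    """Service-side checks, in the order a WebAuthn relying party performs them."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x04:
        return False, "user not verified"
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    expected = hmac.new(verify_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    device = Authenticator()
    challenge = secrets.token_urlsafe(32)     # freshly issued by the service
    results = {}

    # 1. Genuine sign-in at the real address.
    cdj = browser_client_data(challenge, EXPECTED_ORIGIN)
    auth_data, sig = device.get_assertion(RP_ID, cdj)
    results["genuine"] = verify_assertion(device.secret, auth_data, sig, cdj, challenge)

    # 2. Real-time phishing: the attacker relays the real challenge to a lookalike
    #    site. The victim's browser records the lookalike origin, so even a
    #    validly signed assertion is refused. (A real browser would also refuse
    #    to use the RP ID of a different site; the origin check is the service's
    #    own, independent defense.)
    cdj_phish = browser_client_data(challenge, PHISHING_ORIGIN)
    auth_data, sig = device.get_assertion(RP_ID, cdj_phish)
    results["relayed"] = verify_assertion(device.secret, auth_data, sig, cdj_phish, challenge)

    # 3. The attacker rewrites the origin field before forwarding: the signature
    #    was computed over the original client data, so it no longer matches.
    cdj_edited = browser_client_data(challenge, EXPECTED_ORIGIN)
    results["edited"] = verify_assertion(device.secret, auth_data, sig, cdj_edited, challenge)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Contrast this with a password or a typed one-time code: nothing in those ties the credential to the address it was entered on, so whatever the fake page collects works just as well on the real one.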
Microsoft Authenticator app
Microsoft Authenticator is a free app for iOS and Android. It provides MFA through push notifications with number matching. When you sign in, a number appears on the screen — you open the app and enter the same number to approve the sign-in. This is the minimum requirement; once the app is set up, you can add a passkey inside it for a better experience.
See Microsoft's support page for current device requirements (External Site).
FIDO2 security key (YubiKey)
A YubiKey is a small physical key that plugs into a USB port or taps via NFC. It is phishing-resistant and does not require a smartphone. YubiKeys are available to faculty and staff who cannot use a smartphone. See Getting a Hardware Security Key (YubiKey) for details.
Hardware OATH tokens
Hardware OATH tokens display a one-time passcode that changes every 30 to 60 seconds. They need no phone and no network connection; the token and the service each compute the code from a shared seed and the current time. These are only available to existing Duo hardware token users and will not be issued to new users.
Recommendations by device and user type
All users
Minimum requirement: Microsoft Authenticator app. Set this up first; every user must have it before adding any other method.
Employees (faculty/staff) with UMS-managed Windows computers
Best option: Windows Hello for Business (WHfB) — built into your managed Windows computer. Uses your face, fingerprint, or PIN. Note that WHfB requires access to UMS domain controllers, so it must be set up while connected to eduroam or VPN.
If you have an auxiliary (aux) account, you can also save its passkey to Windows Hello for Business.
Employees (faculty/staff) with UMS-managed Mac computers
Best option: iCloud Keychain syncable passkey — stored in your Apple iCloud account and available across all your Apple devices, including iPhone, iPad, and Mac.
Students and Employees on Personal Devices (BYOD: Bring Your Own Device)
Students and users on personal devices should set up MFA in the following order — each step improves the experience:
- Microsoft Authenticator app (minimum requirement) — set this up first. It is required before you can add a passkey in the app.
- Passkey in the Authenticator app (device-bound) — the simplest passkey to set up. Stored on your phone; does not sync to other devices.
- Syncable passkey via iCloud Keychain or Google Password Manager (best day-to-day experience) — automatically available on all your personal devices. Set this up on every personal device you use regularly.
WARNING: Do not save a passkey on someone else's computer or a shared computer. Passkeys are personal — saving one on a shared machine means others could potentially sign in as you.
Lab computers and shared computers
WARNING: Do not register or save a passkey on a lab or shared computer.
To sign in on a lab computer, use one of these approaches:
- Passkey via QR code — the sign-in screen shows a QR code. Scan it with your phone to complete authentication using the passkey on your phone. This requires Bluetooth to be enabled on both the lab computer and your phone, because the phone must confirm it is physically near the computer you are signing in to.
- Microsoft Authenticator push notification — if Bluetooth is not available on the lab computer, use the Authenticator app on your phone to approve a push notification instead.
Remote access (RDP)
Remote Desktop Protocol (RDP) access continues to use Duo. There is no change to the RDP authentication process. Duo and Microsoft MFA are separate systems — changes to one do not affect the other.
Methods that are not allowed
The following methods are not available for MFA at UMS:
- SMS text message — not secure enough; codes can be intercepted and the phone number can be taken over through SIM-swapping attacks.
- Voice phone call — not secure enough; subject to the same phone-number takeover and call-forwarding risks as SMS.
- Email one-time password — not secure enough; a code sent by email can be phished like a password and is readable by anyone who gets into the mailbox.
All available methods at a glance
Environment
- Microsoft Entra ID (formerly Azure Active Directory)
- Windows, macOS, iOS, Android
- FIDO2-compatible browsers and devices
- Remote access (RDP): Duo — no change