WARNING: This article is intended for participants in the MFA Modernization Pilot only. If you are not a pilot participant, the information in this article may not apply to you. Contact the IT Service Desk if you have questions about your current sign-in experience.
This article describes the phishing resistant multi-factor authentication (PRMFA) methods available to University of Maine System (UMS) users, which methods are recommended, and which are not allowed.
Detailed Information
PRMFA method explanations
Authentication methods define how users can verify their identity in Microsoft Entra, and some highly sensitive data or roles within applications require phishing-resistant MFA. Examples of applications that require PRMFA include IT systems, highly privileged Salesforce users, and GLBA-compliant users and applications. PRMFA methods (passkeys and Windows Hello for Business) are based on public-key cryptography: the private key never leaves your device, and the credential is bound to the site it was registered for, so it cannot be captured by a fake login page, replayed, or leaked in a data breach of the service (the service only stores the public key). When you use PRMFA, you verify your identity with biometrics (fingerprint or face recognition) or a PIN on your device, and you do not need to enter your password separately. The MFA Authentication Methods article breaks down the different PRMFA methods in more detail.
There are two types of passkeys:
- Device-bound passkeys are stored on one specific device (such as your phone, your computer, or a YubiKey) and cannot be copied elsewhere. They are the most secure option; if you lose the device, you will need to register a new passkey.
- Syncable passkeys are backed up to a cloud account (such as iCloud or Google) and are automatically available on any device you sign in to with that account. They are very convenient and still phishing-resistant, though their security depends on the security of that Apple or Google account (its password, recovery options, and MFA).
WARNING: "UMS MFA", also known as Duo MFA, is not phishing resistant and will not fulfill the requirements for PRMFA in applications that require it.
Recommendations by device and user type
Employees (faculty/staff) with UMS-managed Windows computers
Best option: Windows Hello for Business (WHfB), which is built into your managed Windows computer and uses your face, fingerprint, or PIN. WHfB requires access to UMS domain controllers during setup, so it must be set up while connected to eduroam or the VPN.
If you have an auxiliary (aux) account, you can also save its passkey to Windows Hello for Business.
Employees (faculty/staff) with UMS-managed Mac computers
Best option: an iCloud Keychain syncable passkey, stored in your Apple iCloud account and available across all your Apple devices (iPhone, iPad, and Mac).
Students and Employees on Personal Devices (BYOD: Bring Your Own Device)
Students and users on personal devices should set up MFA in the following order; each step improves the experience:
- Microsoft Authenticator app (minimum requirement): set this up first. It is required before you can add a passkey in the app.
- Passkey in the Authenticator app (device-bound): the simplest passkey to set up. It is stored on your phone and does not sync to other devices.
- Syncable passkey via iCloud Keychain or Google Password Manager (best day-to-day experience): automatically available on all your personal devices signed in to that account. Set this up on every personal device you use regularly.
WARNING: Do not save a passkey on someone else's computer or a shared computer. Passkeys are personal: a passkey saved on a machine is unlocked by that machine's sign-in PIN or biometrics, so anyone who can unlock a shared machine could sign in as you.
Lab computers and shared computers
WARNING: Do not register or save a passkey on a lab or shared computer.
To sign in on a lab computer, use the passkey on your phone:
- Passkey via QR code: the sign-in screen shows a QR code. Scan it with your phone to complete authentication using the passkey on your phone. This requires Bluetooth to be enabled on both the lab computer and your phone, and both must have an internet connection. Nothing is saved on the lab computer.
Environment
- Microsoft Entra (formerly Azure Active Directory)
- Windows, macOS, iOS, Android
- FIDO2-compatible browsers and devices
- Salesforce administration