[MFA Modernization Pilot] Enrolling in Phishing Resistant MFA

Summary

This article describes the phishing resistant multi-factor authentication (PRMFA) methods available to University of Maine System (UMS) users, which methods are recommended, and which are not allowed.

Body

WARNING: This article is intended for participants in the MFA Modernization Pilot only. If you are not a pilot participant, the information in this article may not apply to you. Contact the IT Service Desk if you have questions about your current sign-in experience.

Detailed Information

PRMFA method explanations

Authentication methods define how users verify their identity in Microsoft Entra. Some highly sensitive data or roles within applications require the use of phishing-resistant MFA authentication methods; examples include IT systems, highly privileged Salesforce users, and GLBA-compliant users and applications. PRMFA methods cannot be stolen through fake login pages, reused, or leaked in data breaches. When you use PRMFA, you verify your identity with biometrics (fingerprint or face recognition) or a PIN on your device; you do not need to enter your password separately. The MFA Authentication Methods article breaks down the different PRMFA methods in more detail.
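As an added illustration (not part of the original article) of why a passkey cannot be captured by a fake login page or replayed, the following Python sketches the relying-party checks a WebAuthn server performs on a passkey assertion: the signed client data names the origin and challenge, and the authenticator data carries a hash of the relying-party ID, so an assertion produced on a lookalike site, or an old assertion replayed, fails verification. Hostnames are constructed placeholders, and the signature check over authenticatorData plus the hash of clientDataJSON is omitted so the example runs with the standard library alone.

```python
import base64, hashlib, json, os, struct

RP_ID = "login.example.edu"                   # constructed relying-party ID, not a real UMS host
ALLOWED_ORIGINS = {"https://login.example.edu"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Constructed sample of what a browser/authenticator hands back (signature omitted)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 1)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks binding the assertion to our origin, RP ID and fresh challenge."""
    try:
        cd = json.loads(assertion["clientDataJSON"])
    except (ValueError, KeyError):
        return False, "clientDataJSON unparseable"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed (phishing page)" % cd.get("origin")
    auth = assertion["authenticatorData"]
    if len(auth) < 37 or auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    return True, "ok"


def demo() -> dict:
    challenge = os.urandom(32)
    legit = make_assertion("https://login.example.edu", challenge, RP_ID)
    # A lookalike page can only obtain an assertion scoped to its own origin and RP ID.
    evil = "login-example.edu.evil.test"
    phished = make_assertion("https://" + evil, challenge, evil)
    # An assertion captured earlier carries a challenge the server no longer expects.
    replayed = make_assertion("https://login.example.edu", os.urandom(32), RP_ID)
    return {"legit": verify_assertion(legit, challenge),
            "phished": verify_assertion(phished, challenge),
            "replayed": verify_assertion(replayed, challenge)}
```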

There are two types of passkeys: device-bound passkeys, which are stored on a single device and do not sync elsewhere, and syncable passkeys, which are stored in a cloud credential manager such as iCloud Keychain or Google Password Manager and are available on all of your devices signed in to that account.

WARNING: "UMS MFA" (also known as Duo MFA) is not phishing resistant and will not fulfill the requirements for PRMFA in applications that require it.

Recommendations by device and user type

Employees (faculty/staff) with UMS-managed Windows computers

Best option: Windows Hello for Business (WHfB) — built into your managed Windows computer. Uses your face, fingerprint, or PIN. Note that WHfB requires access to UMS domain controllers, so it must be set up while connected to eduroam or VPN.

If you have an auxiliary (aux) account, you can also save its passkey to Windows Hello for Business.

Employees (faculty/staff) with UMS-managed Mac computers

Best option: iCloud Keychain syncable passkey — stored in your Apple iCloud account and available across all your Apple devices, including iPhone, iPad, and Mac.

Students and Employees on Personal Devices (BYOD: Bring Your Own Device)

Students and users on personal devices should set up MFA in the following order — each step improves the experience:

  1. Microsoft Authenticator app (minimum requirement) — set this up first. It is required before you can add a passkey in the app.
  2. Passkey in the Authenticator app (device-bound) — the simplest passkey to set up. Stored on your phone; does not sync to other devices.
  3. Syncable passkey via iCloud Keychain or Google Password Manager (best day-to-day experience) — automatically available on all your personal devices. Set this up on every personal device you use regularly.

WARNING: Do not save a passkey on someone else's computer or a shared computer. Passkeys are personal — saving one on a shared machine means others could potentially sign in as you.

Lab computers and shared computers

WARNING: Do not register or save a passkey on a lab or shared computer.

To sign in on a lab computer, use one of these approaches:

Environment

  • Microsoft Entra (formerly Azure Active Directory)
  • Windows, macOS, iOS, Android
  • FIDO2-compatible browsers and devices
  • Salesforce administration

Details

Article ID: 174377
Created: Mon 6/29/26 12:03 PM
Modified: Mon 6/29/26 3:37 PM
Applies To: Students, Faculty, Staff