Information Technology
Version: 1 (12/7/22)
by Jen Barna
Multi-Factor Authentication FAQ
Important Information
Multi-Factor Authentication (MFA) is a security measure which can help prevent unwanted access to your City accounts and associated confidential information. This article answers some frequently asked questions regarding MFA.
What is MFA?
MFA is a layer of security that keeps your account, you, the City, and the community safe by preventing cybercriminals from gaining access to personal and confidential information. With MFA, you will be using something you know (your password) in combination with something you have (your device/smartphone or a physical token) to confirm your identity.
Why do we use it?
MFA has become an industry standard for minimizing security risk. According to Microsoft, MFA can “prevent 99.9 percent of attacks on your accounts.” A 2022 Verizon Data Breach Investigations Report found that approximately 65 percent of malicious actions in 2021 were executed using stolen credentials. This action is second only to ransomware.
Because of the overall threat landscape and the fact that most cybersecurity incidents the City has experienced are related to password compromise, MFA has been implemented citywide.
What does it mean for me?
MFA protects your work account from being hacked, and that protects you, your co-workers, the City, and the community from identity and financial theft, ransomware, and other malicious activity. With MFA, you will periodically use something you know (your password), along with something you have (your device/smartphone or a physical token) to log-in.
Can I be excluded from MFA?
Staff in all City service areas are required to use MFA to access Office 365 accounts, including email, remote access to the City network via VPN, and some applications. Additionally, partners with VPN access to our systems and some entities to whom we provide IT services will use MFA.
You cannot be excluded if you have a City-provided email account or you access City systems via VPN.
Why aren't passwords enough?
Most of the cybersecurity incidents the City has experienced happened because an employee was tricked into giving away their password. Often, the employee never recognized they’d been conned. In a phishing test we performed in early 2021, nearly 10% of staff entered their user id and password into a fake website and few reported anything suspicious to IT.
With the frequency of breaches of popular services such as Dropbox, Chegg, Experian, Target, Adobe, and more, everyone should assume that one of their passwords has been stolen at some point. Although it may have been encrypted, if you didn't use a strong password, the criminals may have already cracked it.
In addition to being caught in data breaches, passwords can be stolen other ways. Phishing scams are a common method of stealing passwords, as is finding a password written on a piece of paper under a keyboard, in a wallet, or in the dumpster. Passwords can be intercepted when using unsecured Wi-Fi networks at the coffee shop, airport, or hotel. It is even possible to unknowingly have malware installed on your laptop that could be recording activity and sending it to thieves online. Given these possibilities, you should always be on the defensive, making sure to follow proper security precautions to protect your accounts.
We highly recommend you enabling MFA for your other personal accounts as well (i.e., social media, banking, shopping, email).
Does having MFA mean we don't have to change passwords so often?
At this time, there is no change planned for the password policy. MFA is not a replacement for passwords, rather another layer of protection.
What applications/systems will be protected with MFA?
Fcgov.com email, VPN access to the City network, Microsoft’s Office 365 suite (e.g., OneDrive, Teams), and other applications using Microsoft’s identify verification method will be protected.
What will and will not be affected by MFA?
It will affect
- Logging into your City email and Microsoft account
- Remote access to the city via VPN
- Applications which use Azure AD for authentication
It will not affect
- Logging on to City devices (i.e., laptops, desktops, servers, POS systems, etc.)
- Logging on to Applications/Systems which do not use Azure AD
I already have Rapid Identity/2FA on my laptop. Do I have to do this, too?
You will not be prompted to use the MFA authentication on devices ,such as laptops/MDTs, that use Rapid Identity/2FA.
You will be prompted to use the MFA authentication when accessing Cisco AnyConnect VPN, Microsoft applications, and other applications that authenticate via Azure AD on devices that do not use Rapid Identity/2FA.
Do I have to use MFA every time I sign in?
In most cases, no. You will be required to use your second factor every 30 days per application. It ends up feeling like you use your second factor every once in a while. It’s not onerous. There are several things that can trigger a new login sooner:
- A change to your fcgov.com password
- Logging in using a device that has never accessed your Office 365 account before
- Logging in from another geographical region or network
- Manually signing out of your Office 365 account the last time you used it
- Using a browser in private browsing mode
What are my options for the 2nd factor?
You have the option of using an Authenticator app on your phone or mobile device, or a physical token/fob you will need to keep with you. Most people prefer using their phone.
If you use an authenticator app other than Microsoft Authenticator for personal accounts, you may be able to use it. However, IT only supports Microsoft Authenticator.
What is a physical token/fob?
A physical token or fob is an object you have that’s linked to your fcgov.com account. The tokens/fobs the City offers are credit card sized, like the image below.
If you choose to be issued a token/fob, you must keep it with you any time you may need to access City computing resources (e.g., email, CityHub).
Does the Microsoft Authenticator app allow the City to track me or see what I'm doing on my phone?
No, registering with Microsoft Authenticator gives your device access to City services, but doesn't allow the City access to your device. It’s like the City is giving you a key, and you are adding that key to your own personal keyring.
If I don't have any valuable data or special access on my account, why should I worry?
Though it may not be obvious, you probably do have valuable information stored in your fcgov.com account, including confidential email messages, attachments, contact information in Outlook, private files in OneDrive and Teams folders, or personal notes in OneNote. The risk extends beyond stealing data. For example, someone posing as you could send malicious email from your account and engage in other behavior harmful to you and others if they gain access to your account.
Further Knowledge
Related articles:
Enroll in Multi-Factor Authentication (MFA), using Microsoft Authenticator Procedure
Cannot Login with MFA: Lost or Forgot your Phone or Token/FOB
Add Multi-Factor Authentication (MFA) to New Phone
Confirm Microsoft Authenticator app is properly set up - Properly Enrolled in MFA
Getting Help
If you encounter any issues or have any further questions, please contact your IT Service Desk by creating a ticket at https://support.fcgov.com/support/home, or calling 970-221-6791 if you are locked out.