With MFA, the more authenticators really is the merrier
MFA is brilliant and we highly recommend that everyone sets it up for every account that supports it, especially email and social media accounts, as it protects you against hacking or compromised passwords.
However, one of the major problems we find goes something like this:
Student: "Help, I've lost my phone and don’t have my MFA code and now I can’t log on to.......".
IT: <silent sigh> “Ok, have you set up an extra authenticator you can use?”
Student: “No!”
IT: <not so silent deep sigh>
Then begins a process to arrange for you to prove your identity and set up new methods so you can regain access. At best this is annoying and causes delays (hours or days, depending on when it happens) for you and extra work for the IT teams. In the worst case it could mean missing deadlines to submit coursework or being unable to take online examinations.
It’s particularly frustrating because preventing this is so simple and takes just a few minutes of your time.
All you have to do is add more than one authenticator, on a separate device; after all, you don’t want to put all your eggs in one basket.
Nexus365, as a Microsoft service, supports the official Microsoft Authenticator, but will also work with any third-party authenticator app, SMS text messages or a voice call. You can register each type of authenticator multiple times, so you can add 2 text messages to 2 different numbers, or 2 authenticator apps on 2 phones.
There are many different third-party authenticator apps and methods, and each has different advantages and disadvantages. I’ve summarised some of the more common ones below.
| Authenticator | Advantages | Disadvantages |
|---|---|---|
| Microsoft Authenticator | Easy to authenticate: just enter the prompted number and press approve. Can also add other non-Microsoft accounts to protect. Works offline with no data. | iOS/Android app only. There is no sync between devices; however, you can install the app on multiple devices and add accounts manually. |
| Authy (dedicated MFA app) | iOS/Android/Mac/Windows clients. Can synchronise all accounts across all devices. Works offline with no data. | Have to enter a 6-digit TOTP code. Have to remember a backup password to sync data, and this must be kept secure. Account is linked to a mobile number. |
| Text message | Easy to set up. | Linked to one phone. Requires phone signal: would you have this where you need it? |
| Phone call | Universal. | Tied to a physical location. |
| Bitwarden/LastPass or other password manager | Windows/Mac desktop and mobile apps for cross-platform support. Can integrate with the browser to autofill usernames, passwords and TOTP codes. Can create and store complex passwords automatically. Works offline with no data. Can synchronise all accounts across all devices. | May have to pay for an account to unlock all the features. Can be cloud based, so in the event of a breach at the provider all your keys and passwords may be exposed. Protected by a single master password that gives access to ALL accounts. |
What do we recommend?
The main aim is to protect yourself against losing a single device. There is no single solution, as this will depend on the number and types of devices you have. You could, for example, have one authenticator app (Authy) on 2 or more devices.
| Devices | Recommended setup |
|---|---|
| 1 phone and 1 laptop | Phone: Microsoft Authenticator (set as default), recommended as it is the simplest way to authenticate. Phone: Bitwarden or Authy app, as this will sync between devices and is a great password manager; works with phone biometrics for extra security as a backup. Laptop: Bitwarden or Authy app as a backup. |
| 1 phone and 1 tablet | Install Microsoft Authenticator on both devices. Phone: SMS in case the app gets deleted. Phone: SMS to parents or a trusted person for emergencies. |
| 1 phone | Phone: Microsoft Authenticator app, for ease of authentication. Phone: Authy/Bitwarden, as this will sync between devices so it can be added easily to any new device. Phone: SMS to someone trusted, but it must be a different number from yours, for emergencies; I’d recommend parents. |
Another simple option, and a useful emergency fallback: if you have an old phone lying around waiting to be recycled, put a Pay As You Go SIM card in it, register it as an SMS authenticator and turn it off until needed.
To set up an additional authenticator, see the following guide:
Guide to setting up additional authenticators
Alternative Desktop Apps
WinAuth Download - Windows
Authy - App & Guides - MacOS, Windows, iOS, Android
Definitions
Account: the user account that is being protected by MFA, e.g. Nexus365, Facebook, email.
Authenticator: software which is used to authorise access to the account.
Secret/key: a unique key which is given to you when you register an authenticator. It is commonly shown as a QR code to scan with the app's camera; if you can’t scan it you can obtain the key as text instead, as there is generally a link that says "Can't scan QR code". The key must be kept secure, because anyone who has it can generate the same TOTP codes.
TOTP: Time-based One-Time Password. Generally a 6-digit number which changes every 30 seconds. It is generated from the secret key by the authenticator, and the account and the authenticator must be using the same secret for you to gain access. In security terms it's the “something you have” that complements the “something you know” (your password!).
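To make the Secret/key and TOTP definitions concrete, here is an added example (not code from the original article or from any of the apps it mentions) that implements the RFC 4226/6238 algorithm the authenticator apps run: decode the base32 key, HMAC-SHA1 the current 30-second counter, truncate to 6 digits. It also parses the otpauth:// URI that sits behind a registration QR code, so you can see that the "Can't scan QR code" text key and the QR code carry the same secret. The secret is the published RFC test key and the otpauth URI is a constructed sample; neither belongs to a real account. Because every authenticator registered from the same secret computes the same code, the example also shows why adding the app on a second device works as a backup, and why the key must never be shared.

```python
"""Minimal RFC 6238 TOTP generator/verifier and otpauth:// URI parser.

Added example, not from the original article. TEST_SECRET_B32 is the RFC
4226/6238 test key ("12345678901234567890" in ASCII) and the sample URI below
is constructed; neither refers to a real account.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226/6238 test-vector key, base32-encoded as an authenticator would receive it
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 key shown under 'Can't scan QR code' (tolerates spaces/case)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the '=' padding many sites strip
    return base64.b32decode(cleaned)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    key = decode_secret(secret_b32)
    msg = struct.pack(">Q", counter)  # big-endian 64-bit counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects the 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current code or one `window` steps either side,
    to tolerate clock drift between phone and server. Constant-time compare so the
    check does not leak how many leading digits matched."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """Extract the fields of an otpauth://totp/<label>?secret=... URI (the QR code's text)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    label = unquote(parsed.path.lstrip("/"))
    issuer, _, account = label.partition(":")  # label is "Issuer:account" by convention
    return {
        "issuer": params.get("issuer", issuer),
        "account": account or label,
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


if __name__ == "__main__":
    # Constructed sample URI, as an authenticator app would read it from the QR code
    sample_uri = ("otpauth://totp/Nexus365:student%40example.ac.uk"
                  f"?secret={TEST_SECRET_B32}&issuer=Nexus365&digits=6&period=30")
    info = parse_otpauth(sample_uri)
    now = time.time()
    # "Phone" and "tablet" registered from the same secret produce the same code
    phone_code = totp(info["secret"], now, info["period"], info["digits"])
    tablet_code = totp(info["secret"], now, info["period"], info["digits"])
    print(info["issuer"], info["account"], phone_code, phone_code == tablet_code)
    print("server accepts phone code:", verify_totp(info["secret"], phone_code, now))
```

Run it and the two devices print the same 6-digit code for the same 30-second window, which is exactly what you rely on when the app on your second device is your backup. The `window` argument in `verify_totp` is what lets a code still work if the phone's clock is a few seconds out; real services keep it small because every extra step widens the guessable set.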