Microsoft Authenticator Setup

Download a PDF version of this setup by clicking HERE

Download a Word Document of this setup by clicking HERE

Prefer to watch a video? Get to step 7 first, then visit this link.

What is two-factor authentication?

Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves.

The first factor will primarily be a computer/laptop and the second factor can be your phone, a verbal call or a text message. Two-factor authentication makes it harder for criminals to break into your account. If you use only a password to authenticate and that password is weak or has been exposed elsewhere, it leaves an insecure avenue for attacks or fraudulent entry.

When you require a second form of ID, security is increased because this additional factor isn’t something that’s easy for an attacker to obtain or duplicate.

How does authentication work?

When you sign into your O365 account, you will receive a prompt for ID verification using one of the following authentication methods:

Something you know, typically a password
Something you have, such as a trusted device like a phone
Something you are, such as biometrics like a fingerprint

You can authenticate your second factor in several ways; however, we strongly encourage you to use the Microsoft Authenticator app if your phone is able to run it. It is the fastest verification option, letting you simply tap Approve on your phone, and it adds an extra layer of security.

The Microsoft Authenticator app will function and generate new codes every 30 seconds even when you don’t have cellular coverage.

Can two factor be hacked?

Although it is possible for two-factor authentication to be hacked, the odds are very low and 2FA is certainly the best practice when it comes to keeping accounts and systems secure.

One way two-factor authentication could be hacked is through the SMS method, in other words the method by which a one-time use code is sent to a user’s phone number via SMS or an automated phone call.

This is why we recommend using the Microsoft Authenticator app: it adds extra security because the codes are contained within the app.

There have been stories of hackers tricking mobile phone carriers into transferring someone else’s phone number to their own phone. The hackers contact the carriers pretending to be their victims, requesting a new SIM with the victim’s number. They then have access to any authentication code sent to that phone number. Called SIM swapping, this is probably the most common way of getting around 2FA.

Carriers’ own security processes are improving, and even acknowledging those risks, 2FA remains a strong and essential tool in the fight against cyber-attacks and identity fraud.

Pre-Requisite

In order to use multi-factor authentication with your Capital account, you will need to ensure the following pre-requisites are met:

  • You have a phone that can receive SMS texts and/or download the Microsoft Authenticator app
  • You have a computer with Office 2016 (or higher) installed
  • You have internet access to complete the setup

What if I don’t own a phone or my phone doesn’t work with the app?

If you don’t have a phone or your phone can’t use the authenticator app, you can use a mobile device like your university iPad. Install the Microsoft Authenticator app on the iPad. You will need to keep the iPad with you at all times to authenticate.

You can also receive verification codes via text or receive a voice call to your cell, home or office line. Instructions on how to set this up can be found HERE.

What other factors can I use to authenticate?

Verification methods:

  • Phone call: Sign into your O365 account from your computer. Microsoft calls your phone and asks you to verify that it is you signing in. Press the # key on your phone to complete the verification process.
  • Text message: Sign into your O365 account from your computer. Microsoft sends a text message with a 6-digit code to your mobile phone. Enter this code to complete the verification process.
  • Microsoft Authenticator App (Passwordless): Sign into your O365 account from your computer. Microsoft sends a verification request to the app on your phone asking you to Verify or Approve to complete the verification process. This method needs to be set up first.
  • Code Generator with Microsoft Authenticator App: Sign into your O365 account from your computer. Microsoft prompts you for the verification code generated by the app. The code changes every 30 seconds. Enter this code to sign into your account.
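The code generator method above, and the offline code generation mentioned earlier, use the same time-based one-time password scheme (TOTP, RFC 6238) as other authenticator apps; this added example is not from the page or from Microsoft, and it shows how a 6-digit code is derived from a secret shared at enrollment plus the clock, why the code changes every 30 seconds with no network involved, and how the server side tolerates clock drift. The base32 secret is a constructed demo value.

```python
"""Added example (not from the original page): TOTP as used by
authenticator-app code generators. The code is an HMAC-SHA1 over a
30-second time counter keyed with the enrollment secret, so it works with
no cellular coverage and is never sent over SMS, which is why SIM swapping
does not capture it."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the 30-second window the page mentions
DIGITS = 6          # the 6-digit code the page mentions


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a decimal code, keeping leading zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Every device sharing the secret and a roughly correct clock agrees."""
    return hotp(secret, int(at) // step)


def verify(secret: bytes, code: str, at: float, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus +/- `skew`
    neighbouring windows to tolerate clock drift, comparing in constant
    time so timing does not leak which digits matched."""
    counter = int(at) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


# Constructed demo secret, base32-encoded as it would be inside an
# enrollment QR code. Not a real account secret.
DEMO_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")

if __name__ == "__main__":
    now = time.time()
    print("code in this window:", totp(DEMO_SECRET, now))
    print("code in the next window:", totp(DEMO_SECRET, now + STEP_SECONDS))
    print("seconds until it changes:", STEP_SECONDS - int(now) % STEP_SECONDS)
```

The assertions use the published RFC 4226/6238 test vectors (secret "12345678901234567890"), truncated to six digits.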

Getting started

  1. If you will be using the Microsoft Authenticator app, download and install the app on your cell phone or mobile device (iPad) first. Visit the app store for your device and download it for Android or iOS. Setup instructions can be found HERE. You can also watch a video HERE.
  2. Go to your PC and open this link in your web browser – https://aka.ms/mfasetup. This will prompt you to pick a Microsoft account. Select your Capital email account.
  3. You will be redirected to the “Capital Gate” sign in page. Enter your Capital email address or username along with your password and click Sign in.

Follow the instructions in the help document to complete registration of 2FA HERE.

What if I need help?

Contact the IT Help Desk, helpdesk@capital.edu or 614-236-6508. We are here to help if you have questions or a special situation that would require our assistance.

What is Two Factor (2FA)?

Two-Factor Authentication (2FA) is used to strengthen the security of user accounts and University business systems that hold sensitive information. It adds another layer of online protection from damaging cyber criminal attacks that cost organizations millions.

As part of this initiative, effective July 12th, 2021, all Windows PC Users will be required to use 2FA when accessing University business systems and resources via VPN (virtual private network). Macintosh Users are currently using 2FA.

Why Two Factor?

We are all used to having one layer of security to protect our accounts, our password; however, passwords aren’t enough to protect the University or you against cyber criminals who seek to gain access to resources using compromised credentials.

The goal of 2FA is to provide a higher degree of identity assurance of a user accessing University resources via VPN. If cyber criminals obtain your username and password, they will still need access to your phone and/or a passcode to get into your account.

Having a second form of identification greatly decreases the chance that compromised credentials lead to a criminal gaining access to devices or sensitive information, or committing fraud, and it helps build secure online relationships.

How Does 2FA Work?

You will need to download and install the Microsoft Authenticator App on your phone and configure it to work with your work PC. Detailed step by step instructions can be found below.

Once configured, you will need to use 2FA any time you log into the University’s VPN. You will need to enter your Capital username and password as well as authenticate through your phone. You will be required to use two different sources (factors) to verify your identity:

  • Something you know: your Capital credentials (username and/or password), and
  • Something you have: a phone and/or passcode

What If I Don’t Own a Cell Phone?

Please contact the IT Helpdesk, helpdesk@capital.edu or 614-236-6508 to have a ticket created and assigned to our network team. We will work with you directly for a resolution.

Can I Use VPN on my iPad or Other Mobile Device?

At this time, we are only recommending 2FA for your work PC. We will notify you once we are ready to roll out and support 2FA for mobile devices and the iPad.

Need Help? Have A Question or Concern?

If you have questions, concerns or need technical assistance, please contact the IT Helpdesk, helpdesk@capital.edu or 614-236-6508.

===========================================

If you would like to download a PDF copy of these instructions so that you can click on the embedded links in the documentation, please click here.


The following is a Phishing Alert from EIIA – Educational & Institutional Insurance Administrators concerning recent sharp increases in phishing attacks occurring over the past week related to Coronavirus and COVID-19.

All emails from the outside with the words COVID-19 or Coronavirus will be flagged with a header:


Good afternoon,

I am sending this email to alert everyone about the recent sharp increase in phishing attacks occurring over the past week. Hackers and cybercriminals are using public apprehension over the coronavirus outbreak to advance their agendas. IBM recently warned consumers that ransomware has entered the mix of coronavirus-themed payloads hackers are unleashing. Emails purporting to contain information about the spread of the coronavirus will secretly download the Emotet malware that allows hackers to steal information and deliver malware.

The types of emails you may receive to get your attention to click a malicious link or open an attachment include:

  1. Fake school or CDC emails could make you think you or your child has been exposed to COVID-19. They could say your family may face quarantine.
  2. False claims that there’s a vaccine for sale or some form of remedy available.
  3. Misleading ads about masks that may not be effective or other helpful hints to combat the virus.
  4. Emails with “latest” updates to keep you informed as criminals are aware that everyone wants to know everything first.

What can you do?

  1. Be careful opening any web links or attachments, even if you know the sender; it may be a compromised sender.
  2. Look for “Red Flags” in emails you receive. Red Flags include abnormalities in the sender, topic, links, content, etc. To help everyone on this topic, please refer to the following link on our website for a helpful one page document: https://members.eiia.org/wp-content/uploads/assets/SocialEngineeringRedFlags.pdf
  3. Contact your IT department whenever you have any doubts or concerns.

Please let me know if you have any questions. I hope this information is helpful and everyone be careful out there.

Thank you.

Gerry Hamill, MBA, CISSP
Executive Director
IT Risk Management
888.260.7416
ghamill@eiia.org
www.eiia.org

Update:

The Lenel door access control issues from this morning have been resolved. The department of Information Technology had to do a system restore and we will continue to monitor the access control system very closely over the next 24 hours to address any functionality complications. If you encounter any problems accessing any campus buildings, please reach out to the IT helpdesk, 614-236-6508 or helpdesk@capital.edu so that we can help.

Thank you again for your patience and understanding. Have a great day!


The department of Information Technology would like to report that the Lenel door access control system experienced an anomaly this morning that is currently hindering some card readers and ID card functionality on campus. The main symptom that some of you may experience is your ID card not being read correctly by some card readers on the buildings which will prevent you from accessing the building.

We are currently investigating and working closely with our third party support to resolve this issue as quickly as we can. We apologize for the inconvenience and appreciate your patience and understanding as we work through the problem. We will update the campus with more information soon. You can contact the IT Help Desk, helpdesk@capital.edu or 614-236-6508 for periodic updates or to put in a ticket.

Thank you.

The following is a Cyber Security Alert from Ohio Homeland Security, a division of The Ohio Department of Public Safety. The document contains information related to active Cyber Incidents that are taking place throughout Ohio.

The document states that:

“During a 2018 ransomware attack, on a city government entity in Ohio, a contact list was stolen. This information is currently being used to spoof email addresses that send out malicious Microsoft (USBUS) Word Documents and conduct social engineering attempts.

The delivery of these attacks is very similar to our previous post this past September.

Warning: Email of an Encrypted document

Please see the full PDF from Ohio Homeland Security below.

OHS-SAIC Cyber Bulletin 54 11-6-19

DATE: Monday, October 21, 2019
To: Faculty, Staff and Students
From: The Department of Information Technology
Subj: WebAdvisor Authentication Change

The Department of Information Technology will be updating WebAdvisor authentication on Thursday, October 24th, 2019 between 4pm and 5pm. During this time frame, all users will experience a brief WebAdvisor outage as we upgrade the configuration. This is in preparation for replacing WebAdvisor with a new online service.

Please contact the IT Help Desk via email, helpdesk@capital.edu or telephone, 614-236-6508 if you experience any issues logging in to WebAdvisor after 5pm. Thanking you in advance for your understanding and cooperation.

What to expect after October 24th

After selecting “Login” on WebAdvisor, you will be redirected to a Capital University gateway.

Image: WebAdvisor login

On the gateway page, login using your Capital email address and password.

Image: SAML gateway

A recent trend in email phishing attacks is something called whaling. Whaling is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, managers and supervisors. “In many whaling phishing attacks, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker” (More info). In our case we are getting many email attacks where someone is trying to trick people into buying gift cards and sending the card numbers to them.

The basic way it works is that the attacker creates an email account on a free email service such as Gmail, Yahoo or a couple of others. They usually choose the names of people who are department leaders and have staff. They then send emails to members of that department hoping to trick an employee into thinking it is from their manager. The initial email is extremely brief, such as “Are you available?”, and may have a subject hinting at urgency. Some have also created signature text that is quite convincing. Their hope is to trick the potential victim into replying.

Once they hook someone, their second message says that they are in a meeting with no idea when it will end (they commonly say they do not know when the meeting will “round up”). They go on to say that they cannot use their phone and can only communicate through email, and that they need something very important done right away. Their next email says what they want… lately they have been asking for some amount in Amazon gift cards (I have seen amounts of $100 to $500), and they reiterate that they will reimburse, that they need it right away and that they are still in the meeting. They may say in this message or a following one that once the victim has the cards they are to scratch off and send the numbers on the back of the card.

This gift card spoofing is the latest twist in the whaling attacks we have received. Many of you may remember that we have been seeing similar spoofed emails for over a year, with the attackers using a variation of Dr. Paul’s name as part of the sender’s name and a Gmail or Yahoo email address. These were mostly trying to pass off some document for all employees to read, then sign into a web page to indicate they have read and agree. These were phishing attacks designed to capture the victim’s login name, password and possibly other personal information through that non-capital.edu website.

As a tool to help you better identify these, we have added an External Sender Disclaimer to email received externally.

Image: external header notice

This new disclaimer message will be a constant reminder to use caution when opening, sharing your personal information or responding to emails from unknown or external senders. Exclusions for emails from official university systems are being identified and created so that the disclaimer will not appear in the body of the messages.
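As an added example, not from the original post or the university’s mail system, the following Python check applies the pattern described above to a constructed message: it prepends the external sender disclaimer to mail from outside the university domain and flags a free-mail sender whose display name imitates a campus leader, a Reply-To that differs from the From address, and the urgency or gift-card wording the post describes. The domain, the impersonated-name list, the free-mail provider list and the disclaimer text are assumptions.

```python
"""Added example (not from the original page): red-flag checks for the
whaling pattern described above, run over a constructed message."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "capital.edu"                                   # assumed internal domain
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "aol.com"}  # assumed provider list
LEADERS = {"dr. paul"}                                       # assumed: names often impersonated
DISCLAIMER = ("[EXTERNAL SENDER] This email originated outside the university. "
              "Use caution before replying or opening links or attachments.\n\n")
BAIT = re.compile(r"\b(gift ?cards?|urgent|right away|are you available)\b", re.I)


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Return the red flags found and the body with the disclaimer prepended
    when the sender is external, mirroring the external header notice."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain(addr)
    external = sender_domain != ORG_DOMAIN
    flags = []
    if external and sender_domain in FREE_MAIL:
        flags.append("free-mail sender")
    # A familiar display name on an outside address is the core of the scam.
    if external and any(leader in name.lower() for leader in LEADERS):
        flags.append("display name impersonates internal staff")
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply-to differs from sender")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    if BAIT.search(body):
        flags.append("urgency or gift-card wording")
    if external:
        body = DISCLAIMER + body
    return {"from": addr, "external": external, "flags": flags, "body": body}


# Constructed sample resembling the whaling attempts described above.
SAMPLE_WHALING = """\
From: "Dr. Paul" <presidentoffice.capital@gmail.com>
Reply-To: <president.urgent@yahoo.com>
To: staff@capital.edu
Subject: Quick request

Are you available? I am in a meeting and need Amazon gift cards right away.
"""

# Constructed sample of a routine internal notice.
SAMPLE_INTERNAL = """\
From: "IT Help Desk" <helpdesk@capital.edu>
To: staff@capital.edu
Subject: Planned maintenance

WebAdvisor will be briefly unavailable Thursday between 4pm and 5pm.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WHALING, SAMPLE_INTERNAL):
        result = analyze(sample)
        print(result["from"], "external" if result["external"] else "internal", result["flags"])
```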

Past helpful posts

How to Spot a Phish
https://inside.capital.edu/ITStatus/index.php/2018/10/11/how-to-spot-a-phish-101118/

Top 10 List for Cyber Security Awareness Month (October 2018)
http://inside.capital.edu/itstatus/index.php/2018/10/10/top-10-list-for-cyber-security-awareness-month-october-2018/

Spam Definitions

SPAM

Spam is unsolicited or junk email that clogs up your email inbox trying to get you to buy something. The best way to deal with spam is not to open it or reply to it.

Spoofing

Spoofing is a fraudulent or malicious practice in which communication is sent from an unknown source disguised as a source known to the receiver. Email spoofing is the most popular tactic used by scammers because users are more likely to open an email when they think it has been sent by a legitimate or familiar source. The goal of spoofing is to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious reasons.

If you suspect spoofing, check the email’s header to see if the email address generating the email is legitimate. Visit phishing.org for more information on phishing attacks.

Phishing

Phishing is an unsolicited email message trying to get you to give up something. Typically they are trying to get your username and password. Sometimes they try to get you to click on a link or run an attachment that will infect your computer with a virus. To learn more about phishing attacks and tactics, visit phishing.org.

Spear Phishing

Spear phishing is a phishing email customized for a particular organization or person. It will use the same graphics and language as an official email. The goal is the same as a phishing attack.

Many of you may remember the spoofed emails from scammers who were using their own Gmail and Yahoo accounts to send email messages to the campus using a variation of Dr. Paul’s name as part of the sender’s name and email. The goal was to pass off a document to all employees, asking them to read it by signing into a “non Capital.edu” website which would then capture the victim’s login name, password and possibly other personal information.

Always check the sender’s information closely for validation and legitimacy.

Whaling

A recent escalating trend on campus is the whaling email phishing attack. Whaling is a specific type of phishing attack that targets high-profile employees, such as the CFO, managers and supervisors. The cybercriminal’s goal is to manipulate the victim into authorizing high-value wire transfers to them, or to trick the victim into buying gift cards and sending them the card numbers.

October 2018 is Cyber Security Awareness month. The movement began several years ago and quickly spread across the country! To help keep our #CapFam aware of the cyber threats to our everyday lives, the following top-10 list has been collected and developed:


Tip #1 – You are a target to hackers

Don’t ever say “It won’t happen to me”. We are all at risk and the stakes are high – to your personal and financial well-being, and to Capital’s standing and reputation.

  • Keeping campus computing resources secure is everyone’s responsibility.
  • By following the tips below and remaining vigilant, you are doing your part to protect yourself and others.

Tip #2 – Keep software up to date

Installing software updates for your operating system and programs is critical. Always install the latest security updates for your devices (this includes your gaming devices, virtual assistants and Smart TVs):

  • Turn on Automatic Updates for your operating system.
  • Use web browsers such as Chrome or Firefox that receive frequent, automatic security updates.

Tip #3 – Avoid Phishing scams – beware of suspicious emails and phone calls

Phishing scams are a constant threat – using various social engineering ploys, cyber criminals will attempt to trick you into divulging personal information such as your login ID and password, banking or credit card information.

  • Phishing scams can be carried out by phone, text, or through social networking sites – but most commonly by email.
  • Be suspicious of any official-looking email message or phone call that asks for personal or financial information.

Tip #4 – Practice good password management

We all have too many passwords to manage – and it’s easy to take short-cuts, like re-using the same password. Funny bit about passwords from Jimmy Kimmel

You can always update your Capital password by going to PWChange.

Here are some general password tips to keep in mind:

  • Use difficult to guess passwords.
  • Use a strong mix of characters, and never use the same password for multiple sites.
  • Don’t share your passwords and don’t write them down (especially not on a post-it note attached to your monitor).

Tip #5 –  Be careful what you click

Avoid visiting unknown websites or downloading software from untrusted sources. These sites often host malware that will automatically, and often silently, compromise your computer.

If attachments or links in an email are unexpected or suspicious for any reason, don’t click on them.

Tip #6 – Never leave devices unattended

The physical security of your devices is just as important as their technical security.

  • If you need to leave your laptop, phone, or tablet for any length of time – lock it up so no one else can use it.
  • If you keep sensitive information on a flash drive or external hard drive, make sure to keep these locked as well.
  • For desktop computers, lock your screen when not in use.

Tip #7 – Protect sensitive data

Be aware of sensitive data that you come into contact with and use on a daily basis. In general:

  • Keep sensitive data (e.g., SSNs, credit card information, health information, etc.) off of your workstation, laptop, or mobile devices.
  • Securely remove sensitive data files from your system when they are no longer needed.
  • Always use encryption when storing or transmitting sensitive data.

Tip #8 – Use mobile devices safely

Considering how much we rely on our mobile devices, and how susceptible they are to attack, you’ll want to make sure you are protected:

  • Lock your device with a PIN or password – and never leave it unprotected in public.
  • Only install apps from trusted sources.
  • Keep your device’s operating system updated.
  • Don’t click on links or attachments from unsolicited emails or texts.
  • Avoid transmitting or storing personal information on the device.
  • Most handheld devices are capable of employing data encryption – consult your device’s documentation for available options.
  • Use Apple’s Find my iPhone or the Android Device Manager tools to help prevent loss or theft.
  • Back up your data.

Tip #9 – Install anti-virus protection

Only install an Anti-Virus (A/V) program from a known and trusted source. Keep virus definitions, engines and software up to date to ensure your anti-virus program remains effective.

For personally-owned systems, there are a variety of free and low-cost A/V programs available for virtually any device.

Tip #10 – Back up your data

Back up on a regular basis – if you are a victim of a security incident, the only guaranteed way to repair your computer is to erase and re-install the system.

(Top-10 list credit: UC Berkeley)