Multifactor Authentication (MFA) – Frequently asked questions

Phone authentication not working

I attempted phone authentication and the system says "Request failed due to exceeding the number of allowed attempts". Phone authentication allows five unsuccessful attempts within an hour, after which the authentication method is locked for 24 hours. The only way to log in during this time is to use other authentication methods, such as the Authenticator application.

We recommend adding at least two additional authentication methods using separate devices. Phone authentication may be the alternative method. Select a more reliable method. To change the default authentication method, see the deployment page.

I no longer have access to the MFA method I used. What should I do?

NB! Remember to register at least two separate authentication methods using separate devices, so that if you lose one, the other is still available.

• You can reset all MFA methods at https://mfa.it.helsinki.fi where your identity is verified using your Suomi.fi identification (Read more about the Suomi.fi identification). After this, you will be required to register the authentication method the next time you log in to the University’s MFA authentication service.
• If you can’t use the Suomi.fi identification, please contact IT Helpdesk to reset your MFA methods.
• After resetting your MFA methods, your old MFA methods will still be visible on the Security Info page, but they will no longer work. You can re-enable MFA methods by selecting "Enable two-step verification" next to the method or by re-registering the method.
• Note! Resetting your MFA methods will not log you out of software or user sessions. If your ID has fallen into the wrong hands, the sessions must be logged out separately on the Security Info page https://mysignins.microsoft.com/security-info.

I’m unable to sign up or log in because the browser gets stuck and nothing happens

Try using your browser's privacy mode (privacy, incognito) and/or a different browser. If this works, the problem is either caused by a browser plugin or by cached data. In this case, disabling browser plugins or clearing the browser cache is likely to help. 

• Read the IT Helpdesk instructions for clearing the cache.

The service says that the call was not answered even though my phone did not ring at all

Check the call log to see if you received a call and that the number is not on the blocked list.
MFA requests come from US numbers +1 866 539 4191, +1 855 330 8653 and +1 877 668 6536.

In some double SIM phones, the problem is that the other SIM card sometimes drops off the phone network and the call is directed to the answering machine. These are usually smartphones where authentication is best done using the Microsoft Authenticator application.

You can also authenticate using the number of the subscription that has active mobile data.

• Read more about phone identification problems in Microsoft’s own instructions.

The service says the TOTP code is incorrect even though it isn’t

As TOTP codes have a time limit, just a few seconds of discrepancy prevents the code from working for the entire 30 seconds of its validity. Check the time on the device issuing the code.

Registering an authentication method gives an error message "You are blocked from performing this operation. Please contact your administrator for help."

Managing authentication methods has been blocked due to suspicious behaviour, usually resulting from several unsuccessful attempts to register an authentication method. Please contact Helpdesk to remove the block.

I am not trying to log in, but I still receive notifications from the Authenticator app

If you are not trying to log in to any service and you receive a login request from the Microsoft Authenticator app, take the following steps:

• Check the applications you are logged in to with your University ID on all your devices (mobile devices, laptops). It may have been more than 90 days since your latest authentication for an application, which is now requesting a new authentication.

Please note that you do not have to complete the authentication, you can also close the Microsoft Authenticator app without replying. 

If you checked the applications on your devices but could not find a device or an application that is waiting for authentication, select No, it’s not me. This sends a notification in the system. This notification alone does not cause any action, but if you suspect that you have become the victim of phishing, please contact IT Helpdesk immediately.

After the MFA has been implemented, the e-mail application says "You are receiving this message because your e-mail has been disabled by your IT department."

The application does not support the OAuth2/Modern Authentication method required by MFA or is unable to switch to it automatically. If the app should support this login method (e.g. iOS Mail), deleting and resetting your account may help. Otherwise, you'll need to use another app. We recommend using the Microsoft Outlook application for e-mail on your mobile.

Issues not mentioned above

Try using your browser's privacy mode (private, incognito, InPrivate) and/or a different browser. If this works, the problem is either caused by a browser plugin or by cached data. In this case, disabling browser plugins or clearing the browser cache is likely to help.
If this does not help, please contact IT Helpdesk to resolve the problem.

How often is Multifactor Authentication required?

• Multifactor Authentication is always required when logging in with a new device or application.
• With applications such as Microsoft Outlook or Teams, the authentication is automatically remembered for 30 days.
• When logging in to Web services such as Outlook for Web, you can, when prompted for strong authentication, set your browser to remember your login. The information is remembered by the browser cookie.
  • For students, the login is remembered for a maximum of 30 days and for staff for 5 days. On a risk basis, it can also be asked more frequently.
  • Please note that if you exit the M365 service using the "Log out" link, this cookie will be deleted along with other login details and Multifactor Authentication will be required again the next time you log in.

Why is additional authentication constantly required when implementing Multifactor Authentication?

The purpose of Multifactor Authentication is to prevent logging in with stolen credentials. For this reason, additional authentication is always required when logging in with a new application. At the beginning, you will need to use additional authentication more often because different browsers, e-mail applications of smartphones or computers and other applications requiring authentication require their own login. The additional authentication is remembered for 30 days in each application.

The information about additional authentication is stored in browser cookies. Therefore, when using privacy mode or after clearing the browsing history, you will be asked for new authentication. Similarly, exiting the M365 service using the "Log out" link will result in the deletion of the authentication data and a request for authentication again the next time you log in. If the same application keeps asking for authentication over and over again, please contact IT Helpdesk to resolve the issue.

Is the e-mail application X supported?

The recommended application for both mobile and desktop devices is Microsoft Outlook, and for browsers, Outlook for Web.

Multifactor Authentication requires the e-mail application to support OAuth2 login (also referred to as Modern Authentication). This is also supported to varying degrees by many other e-mail applications. E-mail has been known to work with the following applications, for example:

• Thunderbird, Evolution, Alpine: instructions especially for Cubbli in the Cubbli wiki (page only in English) 

NB! In many cases, the e-mail account must be deleted and reinstalled in order to use the new login method.

How do I change the default method?

We strongly recommend using the Microsoft Authenticator application as your default method. You can change the default method on the Security Info site.

The option to change the default method will appear on top of the Add method button once you have added another authentication method and then reloaded the Security Info site (press F5). Instructions for adding authentication methods can be found on the page: MFA – Deployment of multifactor authentication.

What authentication methods are supported?

I have an old work phone that does not support the latest version of the Microsoft Authenticator app. What should I do?

If you have an old work phone with an operating system that is no longer supported (older than Android 8 or iOS 14), and you are unable to install the latest version of the Microsoft Authenticator app from your app store, make a purchase request for a new work phone, following the phone purchase instructions (link to Flamma, login required). 

• We recommend buying a new phone, but you can also use other authentication methods to avoid replacing your phone.

I don't have a work phone, how do I get Multifactor Authentication?

• Instructions for acquiring a work phone can be found in Flamma (login required).
• If you do not want a work phone, you can also use the Microsoft Authenticator application and call identification on your phone.
• See also "I don't have a phone, what other options do I have for authentication?"

I don't have a phone, what other options do I have for authentication?

Multifactor authentication always requires a technical tool. The recommended tool is the Microsoft Authenticator app for smartphones. If you do not have a smartphone or if it is not possible to use it for, for example, health reasons, authentication is also possible by a phone call verification through your personal mobile phone number. If a phone is not in use, it can be replaced with an affordable FIDO2-standard USB key, for example.

In addition, apps are available for different operating systems that offer TOTP codes. There is no official support from the University for these, and they are used under the user's responsibility. 

Examples of such applications are:

• There are several different TOTP applications for mobile devices, such as andOTP (Android), FreeOTP (Android/iOS) and Google Authenticator.
• KeePassXC Password Safe, available for different operating systems, incl. Linux, macOS and Windows.
  • Example of usage on an external site.
  • Also available from the Software Centre.
• Authenticator plugin for your browser.
  • Warning: If you clear the cache of the browser you are using, this authentication method will be deactivated. For this reason, it can only be used as a temporary login method.

To add an app using a TOTP code on the Security Info site, select Add method > Authenticator App > I want to use a different authenticator app.

The University does not compensate for the technical tools required for students to log in, but they must be acquired by the students themselves.

What are the safest authentication methods?

The most secure methods are considered to be Passkey/FIDO2 technologies, i.e. Passkey in Microsoft Authenticator, or a FIDO2-compatible USB security key with a PIN code. These tools alone meet the definition of Multifactor Authentication and may allow login without a password in the future.