Multifactor Authentication (MFA) – Frequently asked questions

    Troubleshooting

    Phone authentication not working

    I attempted phone authentication and the system says "Request failed due to exceeding the number of allowed attempts". Phone authentication allows five unsuccessful attempts within an hour, after which the authentication method is locked for 24 hours. The only way to log in during this time is to use other authentication methods, such as the Authenticator application.

    We recommend adding at least two additional authentication methods using separate devices. Phone authentication may be the alternative method. Select a more reliable method. To change the default authentication method, see the deployment page.

    I no longer have access to the MFA method I used. What should I do?

    NB! Remember to register at least two separate authentication methods using separate devices, so that if you lose one, the other is still available.

    I’m unable to sign up or log in because the browser gets stuck and nothing happens

    Try using your browser's privacy mode (privacy, incognito) and/or a different browser. If this works, the problem is either caused by a browser plugin or by cached data. In this case, disabling browser plugins or clearing the browser cache is likely to help. 

    The service says that the call was not answered even though my phone did not ring at all

    Check the call log to see if you received a call and that the number is not on the blocked list.
    MFA requests come from US numbers +1 866 539 4191, +1 855 330 8653 and +1 877 668 6536.

    In some double SIM phones, the problem is that the other SIM card sometimes drops off the phone network and the call is directed to the answering machine. These are usually smartphones where authentication is best done using the Microsoft Authenticator application.

    You can also authenticate using the number of the subscription that has active mobile data.

    The service says the TOTP code is incorrect even though it isn’t

    As TOTP codes have a time limit, just a few seconds of discrepancy prevents the code from working for the entire 30 seconds of its validity. Check the time on the device issuing the code.

    Registering an authentication method gives an error message "You are blocked from performing this operation. Please contact your administrator for help."

    Managing authentication methods has been blocked due to suspicious behaviour, usually resulting from several unsuccessful attempts to register an authentication method. Please contact Helpdesk to remove the block.

    I am not trying to log in, but I still receive notifications from the Authenticator app

    If you are not trying to log in to any service and you receive a login request from the Microsoft Authenticator app, take the following steps:

    • Check the applications you are logged in to with your University ID on all your devices (mobile devices, laptops). It may have been more than 90 days since your latest authentication for an application, which is now requesting a new authentication.

    Please note that you do not have to complete the authentication, you can also close the Microsoft Authenticator app without replying. 

    If you checked the applications on your devices but could not find a device or an application that is waiting for authentication, select No, it’s not me. This sends a notification in the system. This notification alone does not cause any action, but if you suspect that you have become the victim of phishing, please contact IT Helpdesk immediately.

    After the MFA has been implemented, the e-mail application says "You are receiving this message because your e-mail has been disabled by your IT department."

    The application does not support the OAuth2/Modern Authentication method required by MFA or is unable to switch to it automatically. If the app should support this login method (e.g. iOS Mail), deleting and resetting your account may help. Otherwise, you'll need to use another app. We recommend using the Microsoft Outlook application for e-mail on your mobile.

    Issues not mentioned above

    Try using your browser's privacy mode (private, incognito, InPrivate) and/or a different browser. If this works, the problem is either caused by a browser plugin or by cached data. In this case, disabling browser plugins or clearing the browser cache is likely to help.
    If this does not help, please contact IT Helpdesk to resolve the problem.

    General questions

    How often is Multifactor Authentication required?

    • Multifactor Authentication is always required when logging in with a new device or application.
    • With applications such as Microsoft Outlook or Teams, the authentication is automatically remembered for 30 days.
    • When logging in to Web services such as Outlook for Web, you can, when prompted for strong authentication, set your browser to remember your login. The information is remembered by the browser cookie.
      • For students, the login is remembered for a maximum of 30 days and for staff for 5 days. On a risk basis, it can also be asked more frequently.
      • Please note that if you exit the M365 service using the "Log out" link, this cookie will be deleted along with other login details and Multifactor Authentication will be required again the next time you log in.

    Why is additional authentication constantly required when implementing Multifactor Authentication?

    The purpose of Multifactor Authentication is to prevent logging in with stolen credentials. For this reason, additional authentication is always required when logging in with a new application. At the beginning, you will need to use additional authentication more often because different browsers, e-mail applications of smartphones or computers and other applications requiring authentication require their own login. The additional authentication is remembered for 30 days in each application.

    The information about additional authentication is stored in browser cookies. Therefore, when using privacy mode or after clearing the browsing history, you will be asked for new authentication. Similarly, exiting the M365 service using the "Log out" link will result in the deletion of the authentication data and a request for authentication again the next time you log in. If the same application keeps asking for authentication over and over again, please contact IT Helpdesk to resolve the issue.

    Is the e-mail application X supported?

    The recommended application for both mobile and desktop devices is Microsoft Outlook, and for browsers, Outlook for Web.

    Multifactor Authentication requires the e-mail application to support OAuth2 login (also referred to as Modern Authentication). This is also supported to varying degrees by many other e-mail applications. E-mail has been known to work with the following applications, for example:

    NB! In many cases, the e-mail account must be deleted and reinstalled in order to use the new login method.

    Authentication methods

    How do I change the default method?

    We strongly recommend using the Microsoft Authenticator application as your default method. You can change the default method on the Security Info site.

    The option to change the default method will appear on top of the Add method button once you have added another authentication method and then reloaded the Security Info site (press F5). Instructions for adding authentication methods can be found on the page: MFA – Deployment of multifactor authentication.

    What authentication methods are supported?

    The authentification methods listed here are in the order in which they are recommended to be used. We recommend you to adapt multiple different authentification methods using two different devices so that you have alternative ways to authenticate your sign-in in case one of the other methods is not available (i.e. your mobile phone is lost or broken) . You can add multiple methods of authentification as backup and choose an alternative method while you sign in in case you do not have access to your primary authentification method. Phone authentification should only be used as a backup method.


    I have an old work phone that does not support the latest version of the Microsoft Authenticator app. What should I do?

    If you have an old work phone with an operating system that is no longer supported (older than Android 8 or iOS 14), and you are unable to install the latest version of the Microsoft Authenticator app from your app store, make a purchase request for a new work phone, following the phone purchase instructions (link to Flamma, login required)

    I don't have a work phone, how do I get Multifactor Authentication?

    I don't have a phone, what other options do I have for authentication?

    Multifactor authentication always requires a technical tool. The recommended tool is the Microsoft Authenticator app for smartphones. If you do not have a smartphone or if it is not possible to use it for, for example, health reasons, authentication is also possible by a phone call verification through your personal mobile phone number. If a phone is not in use, it can be replaced with an affordable FIDO2-standard USB key, for example.

    In addition, apps are available for different operating systems that offer TOTP codes. There is no official support from the University for these, and they are used under the user's responsibility. 

    Examples of such applications are:

    To add an app using a TOTP code on the Security Info site, select Add method > Authenticator App > I want to use a different authenticator app.

    The University does not compensate for the technical tools required for students to log in, but they must be acquired by the students themselves.

    What are the safest authentication methods?

    The most secure methods are considered to be Passkey/FIDO2 technologies, i.e. Passkey in Microsoft Authenticator, or a FIDO2-compatible USB security key with a PIN code. These tools alone meet the definition of Multifactor Authentication and may allow login without a password in the future.

    Give feedback

    The instructions site of the University of Helsinki's IT Helpdesk helps you with IT-related issues related to your work. Let us know how we can improve our instructions. We greatly appreciate your feedback!

    How would you improve these instructions?
    Back to top