Multifactor Authentication (MFA) – Frequently asked questions

Phone authentication not working

I attempted phone authentication and the system says "Request failed due to exceeding the number of allowed attempts". Phone authentication allows five unsuccessful attempts within an hour, after which the authentication method is locked for 24 hours. The only way to log in during this time is to use other authentication methods, such as the Authenticator application.

I no longer have access to the MFA method I used. What shall I do?

NB! Remember to register at least two separate authentication methods, so that if you lose one, the other is still available.

• You can reset all MFA methods at https://mfa.it.helsinki.fi where your identity if verified using your Suomi.fi identification. After this, you will be required to register the authentication method at the next login to a university service that uses MFA.
• If you can’t use the Suomi.fi identification, please contact IT Helpdesk to reset your MFA methods.
• After resetting your MFA methods, your old MFA methods will still be visible on the Security Info page, but they will no longer work. You can re-enable MFA methods by selecting “Enable two-step verification” next to the method or by re-registering the method.
• NB! Resetting your MFA methods will not log you out of software or user sessions. If your ID has fallen into the wrong hands, the sessions must be logged out separately on the Secure Info page https://mysignins.microsoft.com/security-info.

I’m unable to sign up or log in because the browser gets stuck and nothing happens

Try using your browser's privacy mode (privacy, incognito) and/or a different browser. If this works, the problem is either caused by a browser plugin or by cached data. In this case, disabling browser plugins or clearing the browser cache is likely to help. Read the IT Helpdesk instructions for clearing the cache.

The service says that the call was not answered even though my phone did not ring at all

Check the call log to see if you received a call and that the number is not on the blocked list.
MFA requests come from US numbers +1 866 539 4191, +1 855 330 8653 and +1 877 668 6536.

In some double SIM phones, the problem is that the other SIM card sometimes drops off the phone network and the call is directed to the answering machine. These are usually smartphones where authentication is best done using the Microsoft Authenticator application.

You can also authenticate using the number of the subscription that has active mobile data.

The service says the TOTP code is incorrect even though it isn’t

As TOTP codes have a time limit, just a few seconds of discrepancy prevents the code from working for the entire 30 seconds of its validity. Check the time on the device issuing the code.

Registering an authentication method gives an error message "You are blocked from performing this operation. Please contact your administrator for help."

Managing authentication methods has been blocked due to suspicious behaviour, usually resulting from several unsuccessful attempts to register an authentication method. Please contact Helpdesk to remove the block.

After the MFA has been implemented, the e-mail application says "You are receiving this message because your e-mail has been disabled by your IT department."

The application does not support the OAuth2/Modern Authentication method required by MFA or is unable to switch to it automatically. If the app should support this login method (e.g. iOS Mail), deleting and resetting your account may help. Otherwise, you'll need to use another app. We recommend using the Microsoft Outlook application for e-mail on your mobile.

Issues not mentioned above

Try using your browser's privacy mode (privacy, incognito) and/or a different browser. If this works, the problem is either caused by a browser plugin or by cached data. In this case, disabling browser plugins or clearing the browser cache is likely to help.
If this does not help, please contact the Helpdesk to resolve the problem.

How often is Multifactor Authentication required?

• Multifactor Authentication is always required when logging in with a new device or application.
• With applications such as Microsoft Outlook or Teams, the authentication is automatically remembered for 90 days.
• When logging in to Web services such as Outlook for Web, you can, when prompted for strong authentication, set your browser to remember your login for the next 90 days. The information is remembered by the browser cookie.
  • Please note that if you exit the O365 service using the "Log out" link, this cookie will be deleted along with other login details and Multifactor Authentication will be required again the next time you log in.

Why is additional authentication constantly required when implementing Multifactor Authentication?

The purpose of Multifactor Authentication is to prevent logging in with stolen credentials. For this reason, additional authentication is always required when logging in with a new application. At the beginning, you will need to use additional authentication more often because different browsers, e-mail applications of smartphones or computers and other applications requiring authentication require their own login. The additional authentication is remembered for 90 days in each application.

The information about additional authentication is stored in browser cookies. Therefore, when using privacy mode or after clearing the browsing history, you will be asked for new authentication. Similarly, exiting the O365 service using the "Log out" link will result in the deletion of the authentication data and a request for authentication again the next time you log in. If the same application keeps asking for authentication over and over again, please contact IT Helpdesk to resolve the issue.

Is the e-mail application X supported?

The recommended application for both mobile and desktop devices is Microsoft Outlook, and for browsers, Outlook for Web.

Multifactor Authentication requires the e-mail application to support OAuth2 login (also referred to as Modern Authentication). This is also supported to varying degrees by many other e-mail applications. E-mail has been known to work with the following applications, for example:

• Thunderbird, Evolution, Alpine or Pine instructions can be found in the Cubbli wiki.

NB! In many cases, the e-mail account must be deleted and reinstalled in order to use the new login method.

How do I change the default method?

We strongly recommend using the Authenticator application as your default method. You can change the default method on the Security Info site.

The option to change the default method will appear on top of the Add method button once you have added another authentication method and then reloaded the Security Info site (press F5). For instructions on how to add authentication methods, see the Use and management of MFA methods page.

• Read more about how to use the Microsoft Authenticator app.

What authentication methods are supported?

Currently supported authentication methods:

• Microsoft Authenticator application. Recommended and preferred method. To confirm your login, enter the numbers displayed on your browser screen in the app.
• Other Authenticator applications or devices that generate TOTP codes. These generate a numeric code that changes every 30 seconds and function on devices even without an internet connection. Enter the code to access the system.
• FIDO2 keys. USB/NCF Keys that use a certificate-based solution in combination with a PIN code.
• Phone call. An automatic telephone call to the number specified during setup, with instructions on how to use it. By pressing the # sign, the recipient accepts the login.

I don't have a work phone, how do I get Multifactor Authentication?

• Instructions for obtaining a work phone can be found in Flamma.
• If you do not want a work phone, you can also use the Microsoft Authenticator application and call identification on your phone.
• See also "I don't have a phone, what other options do I have for authentication?"

I don't have a phone, what other options do I have for authentication?

The recommended authentication methods are the Microsoft Authenticator app and a backup phone call. If these are not possible, applications that provide TOTP codes are also available for different operating systems. There is no official support from the university for these, and they are used under the user's responsibility. Commonly used applications include:

• Authenticator plugin for your browser.
  • Helpdesk instructions (section C) on installing the plugin
• There are several different TOTP applications for mobile devices, such as andOTP (Android), FreeOTP (Android/iOS) and Google Authenticator.
• KeePassXC Password Safe, available for different operating systems, incl. Linux, macOS and Windows.
  • Example of usage on an external site.
• WinAuth app for Windows.
• oathtool command line application for Linux.
  • Example of usage on an external site.

To add an app using a TOTP code on the Security Info site, select Add method > Authenticator App > I want to use a different authenticator app.

What are the safest authentication methods?

The most secure methods are considered to be the Microsoft Authenticator app when the app uses key lock or biometric authentication, as well as FIDO2 keys with a PIN code. These tools alone meet the definition of Multifactor Authentication and may allow login without a password in the future.