Setting up multifactor authentication

Note this when installing and using multifactor authentication
Setting up TUNI multifactor authentication
Number matching and passwordless authentication 

The electronic services of the university community require multifactor authentication.

Multifactor authentication (MFA) involves an additional authentication on your mobile phone when logging in to cloud services. MFA adds an extra layer of security to your account when you log in to the TUNI electronic services, especially if your password has ended up in the wrong hands.

The use of MFA is free of charge and only requires a phone that is connected to the intranet and can be equipped with the Microsoft Authenticator app that is available for download on Android and Apple phones.  

The authenticator app is recommended due to its ease of use.

You can install the Microsoft Authenticator app on multiple phones and use it when logging into to other personal services, such as Google services. 

Read more Use of mobile phones (for staff)

Note this when installing and using multifactor authentication

• TUNI personnel´s work computer must be on the TUNI-STAFF network or TUNI VPN has to be connected, if you're working off campus in order to enable multifactor authentication. When using your own personal device, you need to install eduVPN on your computer and turn it on. Read the instructions on how to get a VPN connection on your personal computer (Windows, Linux tai macOS).
• If you get a new phone, you have to enable the multifactor authentication on your new phone. Only after this, remove the old phone from the authentication service at https://aka.ms/mfasetup by clicking delete.
• Students and visitors (including those with the same access rights as staff) do not need a VPN connection to enable multifactor authentication.
• If you have not already installed the Google or Apple account on your phone, you may install it with your own account or with a newly created account on your mobile phone.
• All email applications (eg Samsung phones’ own e-mail applications) do not support the multifactor authentication method yet, which is why the University cannot approve the use of TUNI email and calendar with such an application for security reasons. So, remember to enable Outlook for Android on your phone in order to manage your TUNI email and calendar. A list of supported email applications and installation instructions
• When using something other than your personal device, be sure to answer "No" to the question in the Stay signed in window, so that no one else can log in with your user account to your information and the TUNI electronic services you have used.
• At this stage, multifactor authentication does not yet affect the services' own local accounts.
• Multifactor authentication is not used in:
  • Linux SSH and remote desktop servers (SSH server for staff uses different multi factor authentication method)
  • TUNI eduVPN logins
  • the systems used in the electronic exam (Exam, Plussa, Älyoppi-Moodle).

Setting up TUNI multifactor authentication

The setting up of MFA involves three phases. You will need an Android/Apple phone and a computer equipped with a browser, such as Google Chrome or Firefox. 

• Phase 1: Install the Microsoft Authenticator app on your phone from the app store
• Phase 2: Add your TUNI account to the Microsoft Authenticator app at aka.ms/mfasetup
• Phase 3: Set up SMS-based authentication method

Phase 1: Install the Microsoft Authenticator app on your phone

1. Download and install the Microsoft Authenticator app on your phone from the app store. 
2. Open the Microsoft Authenticator app after downloading. 
3. The first time you log in, allow the collection of anonymised data when prompted to do so. You can turn off data collection later. 
4. If prompted, select Allow to allow notifications. 
5. Select Add a new account, Work- or school account
6. Select Scan QR code. 
7. Allow the authenticator app access to your camera to take a picture of the QR code in the next phase. 
8. The app waits for a QR code to add your TUNI account to the Microsoft Authenticator app on your phone.
9. Put your phone aside for a moment and go to phase 2. 

 NOTE! If the authentication application indicates that it is locked and asks you to enter the lock code, then use the same code that you use to unlock your phone screen/display.

Phase 2: Add your TUNI account to the Microsoft Authenticator app  

1. Go to the web address https://aka.ms/mfasetup 
2. Log in with your TUNI email address and password. 
3. When your web browser asks whether the login will be saved, you can select No.
4. The browser displays a notification about the definition of additional details, select Next.
5. The browser displays information about the use of the Microsoft Authenticator app. 
6. Click Next, and a QR code appears on screen.  
7. Take your phone and scan the provided QR code with the QR code reader of the Microsoft Authenticator app.  If the authenticator application asks for a lock code, this is the lock code of the phone display.
8. After the Microsoft Authenticator app has scanned the QR code, click Next on the browser window. 
9. The app will send a notification to your phone as a test which you shall Approve.
10. In your browser window, click Next. 
11. Then click Done. 
12. Your TUNI account has now been added to the Microsoft Authenticator app on your phone. 
13. We also recommend that you enable SMS-based authentication as a secondary authentication method if, for example, you accidentally remove the authentication application from your phone. In your browser, leave the Security info page open and go to phase 3.

Phase 3: Set up SMS-based authentication method

Although we do not recommend this as the primary authentication method, it is good to enable this to ensure functionality. If your phone goes out of order, all you have to do is place the SIM card in a working phone and the authentication will work again.

1. Open your browser to go to the web address https://aka.ms/mfasetup, if you already have time to close it.
2. Log in with your TUNI email address and password.
3. If you have a smartphone and have already installed Authenticator, click + Add method -button on Security info -page and skip to step 5. 
4. If you do not have a smartphone and have not been able to install Authenticator, click the I want to set up a different method -link at the bottom of that box. 
5. In the drop-down menu, select Phone and click Confirm. 
6. In the drop-down menu, select country code and type the rest of your phone number in the provided field.  
7. Click Next. 
8. You will receive an SMS on your phone containing a numeric code of 6-digits. Enter this code in the field displayed in your web browser. 
9. In your browser, click Done. 
10. Your TUNI account has now been connected to your phone number.

You will initially receive frequent verification prompts when you log in to TUNI electronic services, but the number of prompts will decrease after you have logged in to the different services using MFA. 

The next verification prompt will appear in about two months if you always use the same device or browser. If you use a different device or browser, you will be prompted to log in with a second verification. Using the app outside of Finland may also trigger a prompt.
 

Number matching and passwordless authentication

The number confirmation will provide additional security against phishing attempts. The number confirmation will be automatically activated on 14 February 2023.

Once you have written your TUNI user account and password in the login window, you will see a number in the login window that you enter into your phone's Authenticator application. In the staff phones this means the Authenticator application of the work profile.

After implementing number matching, those who wish can use the passwordless authentication. After that, you can login to the TUNI electronic services without the TUNI password with strong authentication.

IT Helpdesk
0294 520 500
it-helpdesk [at] tuni.fi
helpdesk.tuni.fi