Setting up multifactor authentication

Note this when installing and using multifactor authentication
Setting up TUNI multifactor authentication with a smartphone
Setting up TUNI multifactor authentication if you don't have a smartphone
Number matching and passwordless authentication 

The electronic services of the university community require multifactor authentication.

Multifactor authentication (MFA) involves an additional authentication on your mobile phone or USB security key when logging in to cloud services. MFA adds an extra layer of security to your account when you log in to the TUNI electronic services, especially if your password has ended up in the wrong hands.

The use of MFA is free of charge and only requires a smartphone that is connected to the internet and can be equipped with the Microsoft Authenticator app that is available for download on Android and Apple phones.  

The authenticator app is recommended due to its ease of use.

You can install the Microsoft Authenticator app on multiple phones and use it when logging into to other personal services, such as Google services. 

Read more Use of mobile phones (for staff)

If you don't have a smartphone, you can use a USB security key (e.g. Yubikey Security Key U2F FIDO2 NFC, available at most electronics stores). TUNI staff can order a USB security key directly to their home address using the IT-Small accessories order form of the helpdesk.tuni.fi service channel.
 

Note this when installing and using multifactor authentication

• TUNI personnel´s work computer must be a Windows computer centrally maintained by the the universities community or, alternatively, TUNI-STAFF online or for remote working with TUNI VPN connected on. When using your own personal device, you need to install eduVPN on your computer and turn it on. Read the instructions on how to get a VPN connection on your personal computer (Windows, Linux tai macOS).
• Students and visitors (including those with the same access rights as staff) do not need a VPN connection to enable multifactor authentication.
• If you get a new phone, you have to enable the multifactor authentication on your new phone. Only after this, remove the old phone from the authentication service at https://aka.ms/mfasetup by clicking delete.
• If you have not already installed the Google or Apple account on your phone, you may install it with your own account or with a newly created account on your mobile phone.
• All email applications (eg Samsung phones’ own e-mail applications) do not support the multifactor authentication method yet, which is why the University cannot approve the use of TUNI email and calendar with such an application for security reasons. So, remember to enable Outlook for Android on your phone in order to manage your TUNI email and calendar. A list of supported email applications and installation instructions
• When using something other than your personal device, be sure to answer "No" to the question in the Stay signed in window, so that no one else can log in with your user account to your information and the TUNI electronic services you have used.
• At this stage, multifactor authentication does not yet affect the services' own local accounts.
• Multifactor authentication is not used in:
  • Linux SSH and remote desktop servers (SSH server for staff uses different multi factor authentication method)
  • TUNI eduVPN logins
  • the systems used in the electronic exam (Exam, Plussa, Älyoppi-Moodle).

Setting up TUNI multifactor authentication with a smartphone

The setting up of MFA involves three phases. You will need an Android/Apple smartphone and a computer equipped with a browser, such as Edge or Google Chrome. 

Setting up TUNI multifactor authentication (pdf)

Install the Microsoft Authenticator app on your phone

1. Download and install the Microsoft Authenticator app on your phone from the app store. 
2. Open the Microsoft Authenticator app after downloading. 
3. The first time you log in, allow the collection of anonymised data when prompted to do so. You can turn off data collection later. 
4. If prompted, select Allow to allow notifications. 
5. Select Add a new account, Work- or school account
6. Select Scan QR code. 
7. Allow the authenticator app access to your camera to take a picture of the QR code in the next phase. 
8. The app waits for a QR code to add your TUNI account to the Microsoft Authenticator app on your phone.

Put your phone aside for a moment and go to phase 2.

NOTE! If the authentication application indicates that it is locked and asks you to enter the lock code, then use the same code that you use to unlock your phone screen/display.

Add your TUNI account to the Microsoft Authenticator app  

1. Go to the web address https://aka.ms/mfasetup 
2. Log in with your TUNI email address and password. 
3. When your web browser asks whether the login will be saved, you can select No.
4. The browser displays a notification about the definition of additional details, select Next.
5. The browser displays information about the use of the Microsoft Authenticator app. 
6. Click Next, and a QR code appears on screen.  
7. Take your phone and scan the provided QR code with the QR code reader of the Microsoft Authenticator app.  If the authenticator application asks for a lock code, this is the lock code of the phone display.
8. After the Microsoft Authenticator app has scanned the QR code, click Next on the browser window. 
9. The app will send a notification to your phone as a test which you shall Approve.
10. In your browser window, click Next. 
11. Then click Done. 
12. Your TUNI account has now been added to the Microsoft Authenticator app on your phone. 

We also recommend that you enable SMS-based authentication as a secondary authentication method if, for example, you accidentally remove the authentication application from your phone. In your browser, leave the Security info page open and go to phase 3.

Set up SMS-based authentication method

It is good to enable text message recognition to ensure the functionality of multifactor authentication, if, for example, your phone goes out of order, all you have to do is place the SIM card in a working phone and the recognition will work. However, we do not recommend that it works as your only authentication method, as it is vulnerable to e.g. information security attacks.

1. Open your browser to go to the web address https://aka.ms/mfasetup, if you already have time to close it.
2. Log in with your TUNI email address and password.
3. If you have a smartphone and have already installed Authenticator, click + Add method -button on Security info -page and skip to step 5. 
4. If you do not have a smartphone and have not been able to install Authenticator, click the I want to set up a different method -link at the bottom of that box. 
5. In the drop-down menu, select Phone and click Confirm. 
6. In the drop-down menu, select country code and type the rest of your phone number in the provided field.  
7. Click Next. 
8. You will receive an SMS on your phone containing a numeric code of 6-digits. Enter this code in the field displayed in your web browser. 
9. In your browser, click Done. 
10. Your TUNI account has now been connected to your phone number.

You will initially receive frequent verification prompts when you log in to TUNI electronic services, but the number of prompts will decrease after you have logged in to the different services using MFA. 

The next verification prompt will appear in about two months if you always use the same device or browser. If you use a different device or browser, you will be prompted to log in with a second verification. Using the app outside of Finland may also trigger a prompt.
 

Setting up TUNI multifactor authentication if you don't have a smartphone

If you don't have a smartphone, you can use the data security key used in the USB port of your computer. The USB security key is primarily intended for computer use, but also works to a limited extent on mobile devices. TUNI login works in browser use on iOS mobile devices, but Android mobile devices are not supported for now. More information about compatibility: Browser support of FIDO2 passwordless authentication | Microsoft Learn

The USB security key is connected to the computer's USB port. They are available with two different USB connections: USB-A or USB-C. Check your computer's USB connection options. TUNI staff can order a USB security key directly to their home address using the helpdesk.tuni.fi service channel's IT-Small accessories order form.

The multifactor authentication with the USB security key is implemented in two different steps. You need a phone, a USB security key and a computer with a browser installed, e.g. Edge or Google Chrome.

Enabling the USB security key

The following installation instructions are based on the use of Yubico's Yubikey Security Key U2F FIDO2 NFC key. You can also use security keys from other manufacturers, but we do not offer support for their use.

1. Open the address: https://aka.ms/mfasetup in your computer browser
2. Log in using your TUNI email address password.
3. The computer's browser asks to save the login, you can choose No(No).
4. The browser will notify you about the configuration of additional information, select Next.
5. Next, the browser introduces the use of the Microsoft Authenticator application.
6. On the Security info page, click the + Add method button.
7. Select Security key from the drop-down menu and click the Add button
8. Select USB device as the type of USB security key (access key) you own.
9. You will be prompted to insert your security key into your USB port when you select next. So put the USB security key into your computer's USB port.
10. Click the Next button in the Security Key notification window on your computer.
11. You can close the QR code that appeared on your screen by selecting Use a different device
12. In the Create a passkey window that opens, select Windows Hello or external security key
13. Select Ok in the Security key setup window
14. Enter the security key PIN code of your choice
15. Security key: To set up a security key, you need to sign in with two-factor authentication -> Next
16. Do multifactor authentication
17. Select the USB device
18. The browser opens a new small window where you can set a PIN code for the USB road safety key. The PIN code must be at least four digits long. If you have already set a code for the data security key, enter the code you set previously as normal.
19. The USB security key light will flash. Press the flashing light.
20. Name the USB security key. After naming, the deployment of the USB security key is complete.
21. Click the OK button (Next).
22. Click the Done button in the browser.
23. Two-step authentication is now installed.

Using the USB security key

After activation, if you receive multifactor authentication approval requests, do not enter your TUNI email address when logging in, but select Sign-in options at the bottom of the login window and then Sign in with a Security Key. After that, enter the PIN and touch the USB security key. The key does not read fingerprints, only touch.

Number matching and passwordless authentication

The number confirmation will provide additional security against phishing attempts. The number confirmation has been automatically activated on 14 February 2023.

Once you have written your TUNI user account and password in the login window, you will see a number in the login window that you enter into your phone's Authenticator application. In the staff phones this means the Authenticator application of the work profile.

Number matching (pdf)

After implementing number matching, those who wish can use the passwordless authentication. After that, you can login to the TUNI electronic services without the TUNI password with strong authentication.

Passwordless authentication (pdf)

 

IT Helpdesk
0294 520 500
it-helpdesk [at] tuni.fi (it-helpdesk[at]tuni[dot]fi)
helpdesk.tuni.fi