Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is a security technology that requires multiple methods of authentication. The goal of MFA is to create a layered defense that makes it more difficult for an unauthorized person to access your account. When you use MFA, you log in using your username, password, and a third factor: either a smartphone app (Duo) or a hardware token. Even if your password is compromised, your account will remain secure. You may already be familiar with MFA from personal accounts such as online banking, social media apps, Google, etc. At Caltech, multi-factor authentication is already required for certain groups and applications and for new Caltech accounts.
- One of the easiest and most effective ways to keep your account secure
- Account remains protected even if password is compromised
- Quick setup process, simple to use and free when using the Duo Mobile app
MFA (Duo) for Office 365
To protect your email account as well as other Office 365 services (SharePoint, OneDrive, Teams, etc.), IMSS strongly encourages the use of MFA for Office 365 via Duo. Many groups on campus already require this. Similarly, MFA is also enforced for new Caltech accounts. IMSS will now start working with students to get them enrolled in MFA for Office 365.
Getting Started with MFA (Duo) for Office 365
IMSS will enroll users in MFA (Duo) for Office 365 (email, SharePoint, OneDrive, Teams, etc.) in phases. When your account is ready to be enrolled, you will receive an email notification from CaltechIMSS@caltech.edu to let you know your effective enrollment date. To prepare for this change, take action on the following items:
III. Verify that you are using a supported email client or Outlook Web (OWA) - some email clients may require reconfiguration
Impacted Email Clients and Configurations
Download and Register Duo on Your Mobile Device
NOTE: If you already use the Duo mobile app for multi-factor authentication to other Caltech services, such as HPC, you do not need to re-download or re-register your mobile device. You can skip this section.
Step 1 - Download the Duo App
To prepare for your enrollment in MFA (Duo) for Office 365, download the Duo app on your mobile device. You can find this app on the Google Play store for Android and the App Store for Apple devices.
Step 2 - Register your Mobile Device to use Duo
You must also enroll your mobile device for Multi-Factor Authentication using Duo. This step is required to access your Caltech email account and other Office 365 applications once you have been enrolled in Duo for Office 365. To register, go to access.caltech, select the Duo Registration and Management link, and follow the instructions to set up the Duo Mobile app on your smartphone.
- Confirm your phone number and select Continue
- On the next screen, select the type of phone (iPhone, Android, or Windows Phone), select Continue
- Once you have installed the Duo mobile app on your phone, select I have Duo Mobile installed
- Follow the provided instructions to finish activating Duo Mobile on your device
- Open Duo Mobile
- Tap the "+" button
- Scan the provided barcode (use the barcode provided to you in the Duo Device Registration app in access.caltech; scanning the QR code on this screen will NOT register your device)
NOTE: If you select the option to Email me an activation link instead, make sure to enter an email address that is NOT your @caltech.edu email address (e.g., your @gmail.com address), since you won't have access to this mailbox until Duo is registered.
Step 3 - Start Using the Duo App
Once your Office 365 account is enrolled for MFA (Duo), when logging in to Office 365 apps (email, SharePoint, OneDrive, Teams) you will need to authenticate with Duo by
Verify that you are using a supported email client or Outlook Web
Review the Email Configuration Guides for a list of supported email clients and configuration instructions. If you are already using one of these email clients, you can review your configuration to ensure that you are using the recommended authentication methods. Note that you can also check your email from a web browser via Outlook Web.
Some Email Clients May Require Reconfiguration
Native email client apps on your mobile device, such as Gmail for Android and Mail for iOS, will require you to reconfigure your email account once MFA (Duo) is enabled for your Office 365 account. Other email clients may also prompt you to reconfigure your email account. Depending on your mailbox size, it may take some time for all your email to re-download. If you are using Outlook on your desktop or Outlook mobile, you should not be prompted to reconfigure.
Gmail configurations used to receive and send Caltech email will stop working
If you previously configured your Gmail account to pull your Caltech email or to be able to reply from Gmail as @caltech.edu (send on behalf), note that this configuration will STOP working once MFA (Duo) for Office 365 is enabled for your account. Unfortunately, this is not something that IMSS can control. MFA (Duo) for Office 365 requires modern authentication connections to Office 365 email. Currently, Google only offers basic authentication for this type of setup, which is not a secure authentication method.
Email clients using basic authentication will stop working
MFA (Duo) for Office 365 requires modern authentication connections to Office 365 email. As a result, older email clients that rely on basic authentication will stop working when MFA (Duo) for Office 365 is enabled. Microsoft is retiring basic authentication in favor of modern authentication, which provides a more secure authentication method.
In some cases, users may be using a supported email client but may need to adjust the configuration to support modern authentication. Review the Email Configuration Guides for a list of supported email clients and configuration instructions. If you are using a supported email client, you can verify your configuration to ensure that you are using the correct authentication method.
Learn more about Basic Authentication retirement.