For students

Multi-Factor Authentication (MFA) – Instructions for students

The traditional combination of a username and a password is vulnerable to data breaches, as password theft is becoming more and more advanced. People tend to reuse passwords and to choose simple ones. This increases the possibility of a data breach or data leak from a service. After a data leak, the password can be tested in other services, for example in e-mail services.

Using multi-factor authentication is one of the most effective ways to prevent misuse of usernames and passwords. At the same time, implementing multi-factor authentication makes it easier to detect possible misuse attempts. This way, administrators can react to data breach attempts even before they occur. In other words, multi-factor authentication makes your account safer and less vulnerable to attacks.

We recommend that you implement multi-factor authentication in your personal services and social media platforms as well (e.g., TikTok, Facebook, Instagram, LinkedIn and Google services). You can find instructions on how to implement multi-factor authentication on each service provider’s website.

When multi-factor authentication is on, you don’t have to change your password during your studies if you don’t wish to do so.

OSAO uses Multi-Factor Authentication (MFA) in all of its electronic services.

Multi-Factor Authentication or MFA increases the data security of devices and services and protects users from credential abuse. When Multi-Factor Authentication is used, signing in is done with both a mobile device and a password. A sign-in approval is sent to the mobile device for a secure sign-in.

Multi-Factor Authentication is a data-secure way to sign in to different services. Sometimes terms such as Two-Factor Authentication or 2FA are also used when discussing Multi-Factor Authentication.

When Multi-Factor Authentication is used, signing in requires both a mobile device and a password. An authentication request is sent to the mobile device for a secure sign-in. This means that even if the user’s username or password ended up in the wrong hands, signing in is not possible without a sign-in approval done with the mobile device.

When you are connected to OSAO’s network (when you are on OSAO’s premises) signing in happens as before. In this instance Multi-Factor Authentication is not required and you will not receive a sign-in approval on your mobile device.

  1. Download the Microsoft Authenticator app on your mobile device from Google Play Store (Android devices) or App Store (Apple devices). You can also use another similar app, but this instruction is only applicable to the Microsoft Authenticator app.
  2. Open the Microsoft Authenticator app on your mobile device and press the Accept button, if the app asks for permission to collect diagnostic information.
  3. Select Add work or school account and Scan a QR code. Allow the app to use the camera if it asks for permission. If you have used the app previously and the Add work or school account button is not visible, you can add your OSAO account in the following way:
    1. Press the + button on the top-right corner.
    2. Select Work or school account.
    3. Select Scan a QR code.
  4. Put your mobile device aside for a while and open an internet browser on your computer or laptop (e.g., Edge, Chrome or Firefox) and go to https://aka.ms/setupsecurityinfo
  5. Sign in to the service using your OSAO e-mail address and password. In the More information required window select Next. Photo 1.
  6. Select Next. Photo 2.
  7. Select Next in the Microsoft Authenticator window in your computer or laptop browser. Photo 3.
  8. Take your mobile device and scan the QR code from your computer or laptop browser window (do not scan the QR code from this instruction). When your mobile device tells you that the Account was added successfully and your e-mail address is shown in the Authenticator app, go back to your computer or laptop and select Next in the Microsoft Authenticator browser window. Photo 4.
  9. Enter the number shown in your internet browser window into the Authenticator app on your mobile device and select the Yes button (photo 5 and 6). If your mobile device asks again to Approve sign-in, enter your mobile device passcode, draw your pattern password or give your fingerprint (this depends on the password settings of your mobile device). Photo 5. Photo 6.
  10. When the “Notification approved” message appears, continue by selecting the Next button. Photo 7.
  11. Select the Done button. Photo 8.
  12. We recommend adding a phone number to the Authenticator app just in case, even though it is not required. If the Authenticator app freezes and you are unable to receive a sign-in request on your mobile device, you can sign in with your phone number.
  13. Go to the Security info tab on the https://aka.ms/setupsecurityinfo website. Photo 9.
  14. Select Add sign-in method on the Security info tab. Photo 10.
  15. Select Phone as the sign-in method from the drop-down menu and select Add. Photo 11.
  16. Select Finland’s country code (+358) and add the number of the mobile device that Microsoft Authenticator is installed and configured on (leave out the first zero of the phone number, e.g., 040 141 5500 -> 40 141 5500) and select Next. Photo 12.
  17. You will receive a 6-digit confirmation code at the phone number you have given. Enter the code in the Enter code box. After this, select Next. Photo 13.
  18. If you want to, you can change your default sign-in method by selecting the Change button on the Security info tab. Photo 14.
  19. We recommend using the App based authentication notification and Confirm button as your default sign-in method. Photo 15.
  20. After completing these steps, MFA has been implemented. In the future, when you sign in to OSAO’s Microsoft 365 services outside of OSAO’s network, you must accept the sign-in on your mobile device after entering your username and password.

How to use Multi-Factor Authentication (MFA)?

After you have added the sign-in methods to your Microsoft 365 account and multi-factor authentication has been activated on your username, you will receive a confirmation request via the method you have selected (Authenticator app, text message or phone call). More information about different MFA sign-in methods can be found below.

Confirmation requests only concern sign-ins where you are using OSAO’s Microsoft 365 username and the device you are using is outside of OSAO’s network.

You can decrease the number of confirmation requests on your device by ticking the “Don’t ask again for 30 days” box.

In the sign-in window you can use a spare method to sign in if the default method is unavailable.

In this case, when you sign in, select “I can’t use the Microsoft Authenticator app right now” (photo below) and select another sign-in method. This is why it is important that your security information has at least two functioning sign-in methods.

The most common MFA sign-in methods

The Authenticator app

We strongly recommend using the Authenticator app as your default sign-in method. When you sign in using this method, you enter the 2-digit code that you see in the sign-in window into the Authenticator app.

Text message sign-in

The authenticator service sends a 6-digit code by text message to the phone number chosen during implementation. Enter the code in the window shown on your desktop or mobile device and select Next.

Phone call

A Microsoft robot will call the phone number chosen during implementation from a number beginning with +1 and ask you to accept the sign-in by pressing the hash sign (#) button on your mobile device.

Changing the default authentication method

Change the authentication method on this website: https://aka.ms/setupsecurityinfo

You can change the default method by selecting the “Change” button in the “Default sign-in method” section (photo below).

Frequently asked questions about Multi-Factor Authentication

The application might be locked. Before you can approve the additional identification, you have to enter your mobile device passcode in order to accept the sign-in in the application.

You can remove the application lock in the Authenticator app’s settings. Here’s what to do:

  1. Open the app.
  2. Open the three-dot menu (on Android mobile devices, in the upper-right corner of the app) or the “hamburger menu” (on Apple mobile devices, in the upper-left corner of the app).
  3. Select Settings.
  4. Press the slider button “App lock”.

  • An unknown authentication request must never be accepted! It is possible that an outsider has obtained your username and password. By accepting the request, you allow the attacker to sign in to your account.
  • Make sure that any device you are using is not trying to sign in to a service (e.g., the e-mail application on your mobile device).

Contact OSAO’s Helpdesk at helpdesk@osao.fi, 040 141 5500, if you suspect that the authentication request did not come from your device.

Some of the third-party services used at OSAO have been linked to the Microsoft 365 sign-in. This is why the same multi-factor authentication requirements apply to these services. These services include, for example, Pinja and Wilma.

Yes. Using MFA is also required on mobile applications, and it is required when signing in outside of OSAO’s network.

We recommend using the Microsoft Outlook application on mobile devices and the Outlook for Web application on desktop (https://outlook.office.com).

Multi-factor authentication requires that the e-mail application supports OAuth2 sign-in (also called Modern Authentication). Many other e-mail applications support this to varying degrees. E-mail works on the following applications:

  • Thunderbird (desktop application)
  • Android Gmail
  • iOS Mail / Calendar (iOS/iPadOS 11 or newer versions)
  • Mac Mail (desktop application / Mac Mail 10.14 version or newer versions)

Please note that in many instances the e-mail account has to be removed and re-installed so that it switches to using the new sign-in method (does not include the Outlook application).

If possible, we recommend setting a secondary authentication method (text message or phone call to a different phone/device) when implementing MFA. This way a secondary authentication method can be used when changing mobile devices. If a secondary authentication method has not been defined or it is also linked to your old mobile device, please contact OSAO’s Helpdesk at helpdesk@osao.fi, 040 141 5500.

First, implement multi-factor authentication on your new mobile device. See the MFA implementation instructions from above.

Remove your old mobile device from the identification service with the Delete button, but only after you have re-implemented MFA on your new device.

If your mobile device is broken, you can change your sign-in method by using a secondary authentication method, or move your SIM card to another mobile device where you can receive the text messages required for text message authentication. If this is not possible, contact OSAO’s Helpdesk at helpdesk@osao.fi, 040 141 5500.

Yes, you can register several different mobile devices to be used with MFA.

Helpdesk

In urgent IT support matters, you can call OSAO’s IT support, Helpdesk.
We are available by phone on weekdays from 8 a.m. to 4 p.m.
Our number is 040 141 5500.

IT support request by e-mail

Send a message when you need advice or want to report a bug.
The e-mail address of OSAO’s IT support, Helpdesk, is helpdesk@osao.fi