Multi-Factor Authentication (MFA): USB Security Key Enrollment for Microsoft 365

Intended Population:

Students and Employees

Purpose:

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to a resource such as a web application, online account, or a VPN. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber-attack.

This article describes the enrollment of a physical USB security key for use as a verification method. Instructions for setting up other verification methods are described in the article for MFA enrollment for Microsoft 365: https://support.msjc.edu/support/solutions/articles/20000040321

Requirements:

You must have already completed the initial MFA enrollment for your Microsoft 365 account
Available USB-A port on your computer
USB security key.
1. Employees can request one using the Multi-Factor Authentication (MFA): USB Security Key request.
2. Students and other non-employee users may purchase a FIDO2 compatible hardware token.

USB Security Key

NOTE: You MUST physically have the USB security key with you when logging in because part of the login process requires that you touch the flashing light on the key to complete authentication. If you do not have the key with you, you will need to have configured a backup MFA method in order to login.

NOTE: After login, you may remove the USB security key from the USB port of your computer. It is only required during login.

Procedure:

Enrollment for Microsoft 365

In a web browser on your computer, navigate to https://office.com and log in
After successfully logging in, click on your account avatar in the upper right of the window, and click "View account"
In the My Account screen, click on "Security Info" in the left navigation menu
In the Security Info screen, click on "Add sign-in method"
Select "Security key" from the drop-down menu, click "Add", and then click "USB device"
Have your USB security key ready and then click "Next"
You may be prompted to "choose where to save this passkey." Select "Security key" and click "Next"
You will then be presented with a couple of Windows Security notifications. Click "OK" in each window until you are presented with a prompt to enter your USB security key into the USB port.
After inserting your USB security key, if the key is new and does not have a PIN configured, you will be prompted to create a PIN. The PIN must be at least 4 characters. Click "OK" to continue.
The USB security key will begin to flash, and you will be prompted to touch the security key. Touch the round area with the flashing light when prompted. You will be prompted twice. The first time to set the PIN, and the second time is to enroll the security key. Click "OK" to continue
In the Security Key window, type a name of your choice for your security key. This name will be used to distinguish it from other security keys that you may enroll. After naming the key, click "Next" and then click "Done"

You have successfully configured your USB security key for use with Office 365

Set the default MFA method for Office 365 login

In the Security Info screen (as shown in Step 4 above) Click "Change" next to "Default sign-in method"
Use the drop-down menu to select the which of the configured authentication methods you would like to use as your default. The USB security key, however, cannot be set here as the default method, but it can be selected during login.
Click "Confirm"

Use your USB Security Key to login

At login, you may use your USB security key instead of your password by selecting "I can't use my <default sign-in method>right now". This will allow you to select an alternate method that you have already configured.
Select "Use a security key" and follow the prompts to continue logging in.

Enrollment of the USB security key is complete.