Multi Factor Authentication Requirements
The purpose of this document is to help you proceed through the required Multi-Factor Authentication (MFA) process in place to secure Crediton Milling against threats related to lost email address and password combinations.
Official documentation is here : https://support.microsoft.com/en-us/office/set-up-your-microsoft-365-sign-in-for-multi-factor-authentication-ace1d096-61e5-449b-a875-58eb3d74de14 but for something more close to home, the following information should help you get things set up.
You will need :
- Your email address and password - normally the same password as your CMC computer
- An authentication app on your smartphone - see below for recommended ones
- (Optional) a laptop or PC with internet connection. This will make it easier to proceed through the set up for the first time.
There are many Time-based One Time Password (TOTP) Authentication apps available on
your mobile device's "App Store". The one you pick is up to you. You may already have one
installed, if you do and you're happy with it, please continue to use it.
The recommended apps we advise are as below:
For Apple iPhone:
For Android devices i.e. Samsung, LG, etc.:
Microsoft, who run the online services for CMC, do recommend their own app - Microsoft Authenticator
which does work, however much confusion is raised with this app as it seemingly forces you
to log in to it which is impossible to do without having the app set up first. If you choose to use Microsoft Authenticator, click the
+ symbol in the top right to scan the QR code, do not use the "Add Account" button.
"Logging in" to the app
The apps mentioned above, with the exception of Aegis and 2FA Authenticator, will ask you to log in. You don't need to, skip past this step for now.
The only reason you need to "log in" to the app is to synchronise your authentication tokens so, in the event you lose or replace your phone, installing the app on the replacement should synchronise all your tokens back to you so they don't need to be reset.
It is important to be able to restore your tokens in these cases, but this is of more importance for any personal MFA tokens (Google, Facebook, Amazon, etc.) as CMC business ones can be reset centrally. Many personal accounts tokens cannot be reset, so failure to keep track of them could cause you to lose access to your account completely.
New Phones / Uninstalled Apps
If you have a replacement phone and/or you've uninstalled the authenticator app and need to set it back up again. Please let us know either by email or logging a request on our new (2023) request logging system here.
Once you have your app installed (you don't need to log in to it remember!) we can begin setting it up.
The easiest way to do this is to use a PC or laptop to try to access your account which will then walk you through the process.
- On the PC or laptop, open a web browser and go to https://outlook.office.com.
- Log in with your CMC email address and password.
- You should then be shown the "More information required" screen. Click "Next".
- If you are logged straight into your emails, you may already have MFA set up. Go to https://aka.ms/MFASetup to view and change your MFA details.
- If you have chosen not to use Microsoft Authenticator, on the next screen click the "I want to set up a different authenticator app" link.
- You should now be shown a QR code. On your mobile device MFA app, scan the QR code to set it up in that app. You should then be shown a confirmation, then a 6 digit code.
- Enter the 6 digit code into the webpage on the computer (you may need to click "Next" first) and everything should then complete.
- These codes regenerate every 30 seconds, they are not a one time thing. Make sure you're entering the right code.
- You're ready to go!
You will need to keep this app on your phone as whenever you log in to a new device (laptop, PC, new phone, etc.) you will need to enter a code generated by the app each time you log in somewhere new.
Why do we have this?
The reason is simple. If someone were to learn your email address and password
combination either by a phishing email, using a password list or just a good guess,
they could gain access to your account, and anything related to that account (where
do your "forgotten password" emails go to for your other accounts?).
By having this process in place, it means even if someone does get your password correct, it's highly unliklely they could accurately guess a code that becomes invalid every 30 seconds.
By having these codes, we effectively eliminate the risk 99.9% of phishing based threats.
Of course, if you suspect your account may have been compromised, the absolute very first thing you should do is change your password.
Still having trouble?
If you still have trouble, please log a request in our logging system and we will do our best to get you back working as soon as possible.