Implementing multi-factor authentication (MFA) is an effective way to protect your university account and data from unauthorized access. Instead of the traditional password-only login, MFA uses multiple independent factors to verify a user’s identity, significantly reducing the risk of misuse—such as through phishing, keylogging, malware, or accidental password disclosure. You may commonly encounter MFA in online banking or other online services that require a high level of security.

In most cases, it involves a passwordless login method, where the user enters only a verification code sent to a trusted device—typically a mobile phone. No password is used, and the verification code is valid only for a limited time and is unique to each login.

A second factor is required when logging in from a new device or after an extended period of inactivity. This ensures that even if one element is compromised, the account cannot be misused without additional identity verification. However, it is still important not to access the CTU information system from untrusted devices (such as public computers, shared devices, unknown or borrowed equipment, outdated hardware, or devices that may be infected or otherwise suspicious).

 

Basic Setup of Multi-Factor Authentication (MFA)


  1. Install the Microsoft Authenticator app on your phone (Android: Google Play Store / iPhone: App Store). Make sure you download the correct application!
  2. Open the Microsoft Authenticator app on your phone. Tap the plus (+) icon in the top right corner. Select Work or school account, then choose Sign in.
  3. Sign in with your university account in the format username@cvut.cz. Use your CTU password and click Continue.
  4. When prompted, allow Microsoft Authenticator to use passkeys by following the instructions in the setup wizard.
  5. Click Register, then confirm by clicking Register again.
  6. Click Done. Your account will now appear in Microsoft Authenticator, and MFA will be activated, including passwordless sign-in and passkey-based login.

This procedure is valid for Android version 12 and above. Microsoft Authenticator can be installed on Android versions 8+, and iOS 16+. Depending on the version of the operating system, the steps for adding an account may vary. If you are using an older version of Android, we recommend following the instructions provided here.

 

Enforcing MFA Login (Temporary Measure)

Mandatory multi-factor authentication can be activated by requesting an automatically approved role: B-00000-KB-UZIVATEL-IS-MFA-VYZADOVANO.

For more information, please refer to the section Current Status of MFA Implementation at the University.

 

How does multi-factor authentication work in the Microsoft Authenticator app?

  1. On your computer: When accessing the service, enter your login username.
  2. On your computer: A unique numeric code will be displayed.
  3. On your mobile device: Enter the code displayed on your computer into the app on your phone.

 

Detailed information, instructions, and additional settings can be found in the sections below. If you experience any issues, please contact your faculty’s IT support.

 

MFA stands for Multi-Factor Authentication. It is a security mechanism that increases the level of protection for user accounts by requiring identity verification through multiple independent methods.

MFA is commonly encountered when signing in to online banking services. You may also come across the term 2FA (Two-Factor Authentication), which refers to a specific form of MFA that uses two different types of authentication factors.

How does MFA work?

Multi-factor authentication adds an extra layer of verification in addition to entering a password, helping confirm the user’s identity. This second factor can take various forms—for example, a one-time code sent to your mobile phone, verification via a security key, or biometric authentication (such as a fingerprint).

MFA typically combines the following types of authentication factors:

  • Something you know – e.g., a password or PIN

  • Something you have – a physical device such as a mobile phone or a hardware token (e.g., a USB FIDO2 key)

  • Something you are – biometric data such as a fingerprint or facial recognition

Conceptual image of the various forms of multifactor authentication.

Multi-Factor Authentication (MFA) is a powerful security measure that significantly enhances the protection of user accounts, sensitive data, and access to university systems. Its primary goal is to minimize the risk of unauthorized access—even in cases where login credentials have been compromised.

Unlike traditional login methods that rely solely on a password, MFA requires an additional layer of verification—such as a code sent to a mobile device, biometric authentication, or the use of a security key. This ensures that even if an attacker obtains your password, they still cannot access your data without the second factor.

For users, MFA has minimal impact on daily routines. The verification process is typically fast and intuitive, allowing for a seamless transition from authentication to regular use—while delivering a substantial improvement in security.

 

  • Mandatory starting in Q4 2025 (the exact date will be announced)

  • As part of the MFA rollout at CTU, users will be given a 30-day grace period to register their second authentication factor. After this period, MFA registration will be enforced, and logging into CTU’s information systems will not be possible without it.

  • Applies to all users of CTU information systems

  • Also applies to guests using Office 365 services

  • Re-authentication will be required every 7 days

 

How Often and by What Methods Does Multi-Factor Authentication (MFA) Occur?

  • Device is joined to Entra ID / Intune*
    • SSO: Optimized for minimal MFA prompts
    • Methods: Windows Hello / Touch ID, Microsoft Authenticator App, USB FIDO2 Security Key, TOTP

  • Device is registered in the CTU system
    • SSO: Frequent MFA prompts
    • Methods: Windows Hello, Microsoft Authenticator App, USB FIDO2 Security Key, TOTP

  • Device is not registered in the CTU system
    • SSO: Very frequent MFA prompts
    • Methods: Microsoft Authenticator App, USB FIDO2 Security Key, TOTP

 

* Available starting July 1, 2025. Only university-owned devices will be eligible for Intune enrollment, and enrollment must be performed exclusively by a delegated administrator—that is, an IT staff member of the respective faculty or department.

More detailed information on how login and SSO work depending on device type and registration method can be found here.

Multi-Factor Authentication (MFA) is not yet mandatory across CTU; however, it can be enabled individually:

  • MFA Test Mode: MFA can be enabled voluntarily, but its use is not enforced—users may continue logging in with just their username and password. Those who enable MFA gain the option to log in without a password when accessing CTU’s Information System (IS) services and applications. If needed, users can still choose an alternative login method that doesn’t require the second authentication factor. However, this mode carries a risk: if login credentials are compromised, an attacker could misuse the account without needing the second factor.

  • MFA Secure Mode: Mandatory MFA can be activated by requesting the automatically approved role: B-00000-KB-UZIVATEL-IS-MFA-VYZADOVANO. In this mode, access to CTU’s IS systems and applications is only possible after successful identity verification using a second factor (e.g., a mobile app or security key). Without MFA, access is denied. This mode significantly strengthens account security and protects personal and sensitive university data from unauthorized access.

    Note: MFA enforcement will take effect across the entire IS within 60 minutes after the role is assigned. The role can only be removed by submitting a request via the HelpDesk/ServiceDesk.

If a user is required to use MFA for a specific service (e.g., K4), all other services will default to Mode 1 – MFA Test Mode.

We strongly recommend enabling MFA in advance to enhance the protection of personal information and secure access to university data.

Based on experience with Multi-Factor Authentication (MFA) at CTU, we recommend the following methods to ensure maximum convenience and efficiency when using MFA.


I use MS Windows:

 

  1. We recommend using a mobile phone with the Microsoft Authenticator app (guide).

  2. In the Microsoft Authenticator app, enable the passwordless sign-in feature, which allows for more convenient and secure access without entering a password (guide).

  3. On a Windows PC, we recommend enabling Windows Hello, e.g., via fingerprint, facial recognition, or PIN (guide).

  4. For work or school computers, we recommend enrolling the device in Microsoft Intune, which enables device management and increases security (available from July 1, 2025). For personal devices, we recommend registering the device for MFA management (guide).

  5. In your browser, enable Windows Single Sign-On (SSO):

    • Edge – Requires a synchronized account (instructions)

    • Firefox – Supports SSO after activation in settings (instructions)

    • Chrome – Microsoft Single Sign-On extension is available (link)


I use macOS:

 

  1. We recommend using a mobile phone with the Microsoft Authenticator app (guide).

  2. In the Microsoft Authenticator app, enable the passwordless sign-in feature, which allows for more convenient and secure access without entering a password (guide).

  3. For work or school computers, we recommend enrolling the device in Microsoft Intune, which enables device management and increases security (available from July 1, 2025).  Note: Personal macOS devices cannot be enrolled in Intune!

  4. On your Mac, enable sign-in using Touch ID.


I use Linux:

 

  1. We recommend using a mobile phone with the Microsoft Authenticator app (guide).

  2. In the Microsoft Authenticator app, enable the passwordless sign-in feature, which allows for more convenient and secure access without entering a password (guide).

  3. Set up a backup MFA method (e.g., a USB FIDO2 security key) (guide).

For smooth and secure use of MFA, we recommend registering at least two second-factor methods. This helps prevent complications in case one method becomes unavailable or is lost. For example, if you lose access to your phone, you can still authenticate using biometrics or a physical security token (such as a USB FIDO2 key).

Installation and Configuration Using a Mobile Phone (Option 1)

  1. Install the Microsoft Authenticator app on your phone (iOS 16+, Android 8+).
  2. Open the app and select Add work or school account (or tap the + icon in the top right corner).
  3. Choose Sign in.
  4. Select Work or school account and sign in with your username and password. If prompted, complete MFA verification.
  5. Tap Continue and finish the setup using the guide on your new phone.
  6. Test the sign-in.

Installation and Configuration Using a Computer and Phone (Option 2)

  1. Install the Microsoft Authenticator app on your phone (iOS 16+, Android 8+).
  2. On your computer, go to https://mysignins.microsoft.com/security-info.
    1. Sign in using your university account in the format username@cvut.cz and your password.
    2. Click on +Add method, select Microsoft Authenticator, and continue until a QR code appears on the screen. Scan this code with your phone.
  3. On your phone, open the Microsoft Authenticator app.
  4. Then tap the + (plus) icon in the top right corner.
  5. Select Work or school account, choose Scan a QR code, and use your phone’s camera to scan the QR code displayed on your computer screen.
  6. Once the QR code is scanned, the account will be added automatically.
  7. On your computer, complete the wizard, which will prompt you to verify the setup.
  8. If everything is set up correctly, you will see a confirmation message stating the Microsoft Authenticator app was added successfully.

Older versions of Android and iOS may not support all features or setup options available on newer devices. Setup steps may vary slightly in some cases.

Windows Hello for Business provides a secure and convenient way to sign in without a traditional password. Instead, it uses biometrics (such as fingerprint or facial recognition) or a PIN, offering both speed and security.

This method is designed with both user comfort and high-level security in mind. Credentials are encrypted and stored locally on the device, never transmitted to servers, significantly enhancing privacy. Activation is required on each device separately.

Requirements:

  • Windows 11
  • Sign-in to a work/school account (Entra ID)
  • An active MFA method (e.g., Microsoft Authenticator)
  • TPM 2.0 chip (how to check your version)

How to set up Windows Hello for Business:

  1. Open Settings: Start → Settings → Accounts → Sign-in options
  2. Choose your sign-in method:
    • Facial recognition
    • Fingerprint
    • PIN
  3. Set up a PIN (mandatory): Enter and confirm your PIN. For better security, you can include letters and symbols.
  4. Optional biometric setup:
    • Facial recognition
    • Fingerprint

You can also use a USB FIDO2 security key for passwordless sign-in.

Requirements:

  • USB FIDO2 security key (e.g., YubiKey)
  • Computer with a USB port and a supported browser (latest versions of Edge, Chrome, Firefox, Safari)
  • An active MFA method (e.g., Microsoft Authenticator)

Registering the Security Key:

  1. Sign in to your profile at https://mysignins.microsoft.com/security-info.
  2. Click + Add method, select Security key, then choose USB or NFC.
  3. Insert the USB FIDO2 key into the USB port and follow the on-screen instructions.
  4. Set up a touch or PIN verification and name your USB key.
  5. Upon successful registration, the key will appear in your list of sign-in methods.

Signing in with a USB FIDO2 key:

  1. On the sign-in screen, choose Other sign-in options and select Security key.
  2. Insert your USB FIDO2 key and complete the verification.

If you’ve purchased a new phone and want to use Microsoft Authenticator for work or school sign-ins, follow the same setup steps as usual. However, you will also need to approve the setup on the new phone using the old phone.

Important: Do not erase or reset your old phone until MFA has been successfully set up on the new device!

MFA settings are not transferred during phone-to-phone data transfer! You must configure MFA manually on the new phone.


What should I do if I lose my phone?

If you don’t have access to your phone, use another registered method (e.g., security key or Windows Hello). If all methods are lost, contact your faculty’s IT support.

What if I no longer have my old phone?

  • Sign in using a previously configured backup method at https://aka.ms/MySecurityInfo.
  • If none is available, contact your faculty’s IT support.

I can’t sign in. What should I do?

Try using a backup verification method (e.g., Windows Hello, Microsoft Authenticator, etc.). If none are available, contact your IT support.

Can I use MFA on multiple devices?

Yes. You can install Microsoft Authenticator on multiple phones, but you must manually register each device.

Does MFA work without an internet connection?

Yes, if you use Microsoft Authenticator, you can use offline codes (TOTP).

How often will I need to authenticate with MFA on the same device?

Every 7 days.

I can’t register the selected authentication method.

If you see an error like “Unexpected error while processing the request…”, try registering from a private browser window. If the issue persists, contact IT support. Include steps you took, browser name and version, and your operating system.

Do I have to register my personal phone with CTU’s system?

Registration of a personal phone is not mandatory, but recommended to reduce the number of MFA prompts in Office 365 apps.

What are the benefits of registering a work/school account in Windows?

It allows access to related apps and services, data synchronization across devices, and stronger security via MFA.

Will I still receive emails and notifications if MFA expires on my phone?

Yes, notifications and calls (e.g., in MS Teams) will still arrive if you use recommended clients like MS Outlook or MS Teams. To read emails, you’ll need to reauthenticate.

What is the minimum operating system requirement for the Microsoft Authenticator app on mobile devices?

iOS 16 or later, Android 8 or later.

MS Authenticator sends a code, but it doesn’t appear on my phone.

  • Check your internet connection and notification settings.
  • Refresh notifications in the app (pull down gesture)
  • Check battery optimization settings on Android
  • Wait ~5 minutes for the previous code to expire
  • Restart your phone
  • Try password sign-in, then TOTP authentication
  • Contact your IT support

MS Authenticator says it already sent a code and won’t send another.

Wait until the current code expires.

  • Restart your phone
  • Use password sign-in and authenticate using TOTP
  • If issues persist, contact IT support

I can’t install MS Authenticator on my phone.

Check for available storage, and ensure your phone meets system requirements. The app also requires a screen lock to be enabled.

I got a new phone and added my school account, but I still see an old account I can’t remove (Android).

Try removing the old account in Android settings or contact IT support.

After installing MS Authenticator on a new phone, notifications still go to the old phone.

This happens if Passwordless is still enabled on the old phone. Either activate Passwordless on the new device or disable it on the old one.

What if I lose my USB FIDO2 key?

Use a backup method like Windows Hello or Microsoft Authenticator. If no other method is available, contact IT support.

I’m using the Thunderbird client, but the option to authenticate with a USB FIDO2 key is missing.

Unfortunately, the Thunderbird email client currently does not support signing in using FIDO2 security keys (e.g., YubiKey or similar devices). This means that if you have multi-factor authentication (MFA) enabled, it is not possible to use a USB key for account access in Thunderbird.

The reason is that Mozilla, which develops Thunderbird, is adopting modern security standards like FIDO2 more slowly than other applications. Although this technology is widely supported in browsers (e.g., Firefox, Chrome), it is still not available in Thunderbird.

Please use an alternative authentication method, such as MS Authenticator or another TOTP solution.

What to do if I lose my second factor?

  • Use a backup method (e.g., a second phone, security key, Windows Hello)
  • Remove the lost method from your account
  • Add a new method to stay protected with MFA
  • If you have no backup and cannot log in, contact your faculty’s IT support for assistance.

Does Windows Hello work offline?

Yes, unlocking your device with Windows Hello works even without an internet connection.

Will the approval of vacation requests via Obelisk in the AEDO system change after the introduction of MFA authorization (one-time email code + PIN)?

Yes, the one-time verification code that you have so far received by email, which served as a substitute for the second authentication factor, will be removed from the system. This method will be replaced by standard two-factor authentication, which will enhance the security of your login credentials. After successful identity verification using the second factor, single sign-on (SSO) will be enabled between applications. This means that when switching between applications, you will no longer need to re-enter your login details or the code from the email – only entering your PIN will be sufficient. This change will take effect in the AEDO/Obelisk applications as of November 1, 2025.

 



Content owner: CIC - Department of Integration and Coordination II. (81380), Last change: 26.06.2025, Tags: instructionMFA-en