Multi-factor authentication (MFA)

The abbreviation MFA comes from the English term Multi-Factor Authentication, which in Czech means multi-factor verification or multi-factor authentication. It is a security mechanism that increases the level of user account protection by requiring identity verification using multiple independent methods.

We commonly encounter MFA, for example, when logging into internet banking. You may also encounter the term 2FA (two-factor verification or two-factor authentication), which designates a specific case of multi-factor verification using two different authentication elements.

How does MFA work?

Multi-factor verification adds another verification step to regular password entry, which serves to confirm the user’s identity. This second factor can take various forms – for example, a one-time code sent to a mobile phone, verification using a security key, or biometric verification (e.g., fingerprint).

MFA is typically based on a combination of the following types of credentials:

• Something you know – for example, a password or PIN code
• Something you have – a physical device, such as a mobile phone, hardware token – USB FIDO2 key
• Something you are – biometric data, such as fingerprint or facial recognition

Multi-factor authentication (MFA) represents an effective security measure that significantly strengthens the protection of user accounts, sensitive data and access to university systems. Its goal is to minimize the risk of unauthorized access, even if login credentials are compromised.

Unlike traditional login, which relies only on password knowledge, MFA requires an additional verification element – for example, a code sent to a mobile device, biometric verification, or use of a security key. Thanks to this, the account is protected even if an attacker gains access to the password – without the second factor, they cannot access sensitive information.

Based on experience with using multi-factor authentication (MFA) in the CTU environment, we recommend users utilize the following methods, which ensure maximum convenience and efficiency during verification.

I use MS Windows:

1. We recommend using a mobile phone with the MS Authenticator application (guide)
2. Activate the passwordless login feature in the MS Authenticator application, which enables more convenient and secure access without entering a password (guide)
3. On computers with Windows operating system, we recommend enabling Windows Hello login, for example through fingerprint, facial recognition or PIN code (guide)
4. We recommend connecting work or school computers to Microsoft Intune service, thereby ensuring device management and higher level of security. For personal devices, we recommend registering the device for MFA management (guide)
5. In the web browser you use, enable single sign-on for Windows:
   • Edge – must have synchronized account (procedure)
   • Firefox – supports SSO after activation in settings (procedure)
   • Chrome – Microsoft Single Sign On extension is available (link)

I use MacOS:

1. We recommend using a mobile phone with the MS Authenticator application (guide)
2. Activate the passwordless login feature in the MS Authenticator application, which enables more convenient and secure access without entering a password (guide)
3. We recommend connecting work or school computers to Microsoft Intune service, thereby ensuring device management and higher level of security. Personal devices cannot be connected to Intune!
4. Then on the macOS computer, activate the Touch ID login option.

I use Linux:

1. We recommend using a mobile phone with the MS Authenticator application (guide)
2. Activate the passwordless login feature in the MS Authenticator application, which enables more convenient and secure access without entering a password (guide)
3. Set up a backup MFA method (USB Fido2 key) (guide)

For trouble-free and secure use of MFA, we recommend registering at least two second factors. This prevents complications in case of loss or unavailability of one of them. For example, if you lose access to your mobile phone, you can still verify yourself using biometrics or a physical security token (USB FIDO2 key).

It is a mobile application that enhances the security of your accounts by serving for multi-factor authentication (MFA) – either by approving login via “approve/deny” notification on the phone, or by generating time-limited codes, thereby replacing or supplementing passwords and also enabling passwordless login using fingerprint, facial recognition or PIN.

• Push Notifications: Instead of entering codes, simply confirm login by tapping “Approve” in the application, which is faster and more secure.
• Time-based codes (TOTP): Generates six-digit codes that change every 30-60 seconds for an additional layer of security when notifications are not available.
• Passwordless login: Allows login without entering a password, only using biometrics (fingerprint, face) or device PIN.
• Passkey: Option to use passkey authentication.
• Support for various accounts: Can add personal Microsoft accounts (Outlook.com, OneDrive), work and school accounts.

What will you need?

• Mobile phone, (iOS 16+, Android 8+)

Installation and Configuration of the Application Using Computer and Phone

1. On your phone, install the Microsoft Authenticator application (iOS 16+, Android 8+):
   • Android: Google Play Store
   • iPhone: App Store
2. On your computer, open the website https://mysignins.microsoft.com/security-info.
   1. Log in using your university account in the format username@cvut.cz and password.
   2. Click +Add method, choose Microsoft Authenticator and continue until a QR code appears on the screen, which you scan on your phone.
3. On your phone, launch the Microsoft Authenticator application.
4. Select the + (plus) icon in the top right corner.
5. Choose the option Work or school account, scan QR code and using your phone’s camera scan the QR code displayed on the computer screen.
6. After successful scanning, the account is automatically added to the application.
7. On the computer, complete the wizard for adding the application, which will prompt you to verify.
8. If everything is set up correctly, a confirmation of successful addition of the Microsoft Authenticator application will appear on the computer.

Older versions of Android and iOS operating systems may not support all features or offer the same Microsoft Authenticator application setup options as newer devices. In some cases, individual setup steps may also differ.

• Detailed guide
• Guide on Microsoft.com
• Frequently asked questions

Windows Hello for Business represents a secure and convenient login method that allows login without entering a traditional password. Instead, it uses biometric data (e.g., fingerprint or facial recognition) or PIN code, which ensures fast and secure login.

This method is designed with user comfort and high level of security in mind. Credentials are encrypted and stored locally directly in the device, never transferred to servers, which significantly increases privacy protection. Activation of Windows Hello for Business is required separately for each device.

What will you need?

• Windows 11
• Work/school account login (EntraID)
• You must have another MFA method activated (e.g., Microsoft Authenticator)
• If Microsoft Authenticator cannot be used, contact your faculty’s IT.
• TPM 2.0 chip (how do I check the version)

How to set up Windows Hello for Business:

1. Open Settings: Start → Settings → Accounts → Sign-in options
2. Select login method:
   • Facial recognition
   • Fingerprint
   • PIN code
3. Set up PIN (mandatory step): Enter and confirm your PIN. You can add letters and symbols to increase security.
4. Setting up biometric data (optional step):
   • Facial recognition
   • Fingerprint

• Detailed guide
• Guide on Microsoft.com
• Frequently asked questions

USB FIDO2 key is a small physical device (e.g., YubiKey, Token2) that serves for secure login without a password or as a second verification step.

Instead of copying codes, simply insert the key into a USB port (or tap via NFC) and confirm login with a touch or PIN. Login is fast, simple and very secure, because the key only works with specific websites and accounts and cannot be misused remotely.

USB Fido2 keys can also be used for passwordless login:

What will you need?

• USB Fido2 key (e.g., YubiKey, Token2)
• Computer with USB port and supported browser (latest versions: Edge, Chrome, Firefox, Safari)
• You must have another MFA method activated (e.g., Microsoft Authenticator)
• If Microsoft Authenticator cannot be used, contact your faculty’s IT.

Key registration:

1. Log into your profile at: https://mysignins.microsoft.com/security-info
2. Click +Add method, choose Security key and then USB or NFC.
3. Insert the USB Fido2 key into the USB port and follow the displayed instructions.
4. Set up touch verification or PIN and name your USB Fido2 key.
5. After successful registration, the key will appear in the list of sign-in methods.

Login using USB Fido2 key:

1. On the login screen, choose More sign-in options and select Security key.
2. Insert the USB Fido2 key into the USB port and confirm verification.

• Detailed guide
• Guide on Microsoft.com
• Frequently asked questions

Third-party application that displays one-time numeric codes during login, changing every 30 seconds (for example Google authenticator)

What will you need?

• Mobile phone or computer with TOTP application (e.g., Google Authenticator, Authy, FreeOTP, KeePassXC)

TOTP registration:

1. Log into your profile: https://mysignins.microsoft.com/security-info
2. Click + Add method / Add method
3. Choose Microsoft Authenticator application (this is the mandatory default step that the system requires)
4. Choose another TOTP application
5. After selecting Microsoft Authenticator, you will see the option „Use a different app” / Use a different authenticator app
6. Select this option
7. A QR code or secret key (secret / seed) will be displayed

Setting Up Third-Party Application

1. Open the selected TOTP application on your phone
2. Add new account:
   • Scan the QR code, or
   • Manually enter the secret key
3. The application will start generating time-based codes (OTP), usually every 30 seconds

Completing Registration

1. Enter into the web form the current code from the application to verify that everything works
2. After confirmation, the method will appear in your list of sign-in methods
3.  

• Frequently asked questions

If you have purchased a new phone and want to use Microsoft Authenticator on it for logging into your work or school account, follow the Microsoft Authenticator setup steps, but additionally you will need to verify the application on the new phone using the application on the old phone.

When replacing a device, do not delete or factory reset the old phone until MFA is successfully set up on the new phone!

When using the data transfer function between phones, the MFA configuration does not transfer! MFA must be set up manually again on the new phone!

What to do if I don’t have the old phone?

• If you no longer have the old phone, log in using a previously set up backup method at https://mysignins.microsoft.com/security-info.
• If you do not have any backup method available, contact IT support, who will help you restore access.