Frequently Asked Questions MFA

General

What should I do if I lose my phone or key fob?
If you do not have access to your phone, you can use another registered method (e.g., a security key or Windows Hello). If you have lost all authentication methods, contact your faculty’s IT support.

What should I do if I no longer have my old phone?

• If you no longer have your old phone, sign in using a previously configured backup method on the page https://aka.ms/MySecurityInfo.
• If you do not have any backup method available, contact your faculty’s IT support, who will help you restore access.

What should I do if I cannot sign in?
If you cannot sign in, try a backup authentication method such as Windows Hello, Microsoft Authenticator, or another method. If you do not have any additional method, contact your faculty’s IT support.

Can I use MFA on multiple devices?
Yes, for example, you can install the Microsoft Authenticator app on multiple phones. However, each device must be added manually in your account security settings. Maximum number of added devices is 5.

What should I do if I am already logged in with an account that is registered in another tenant and I cannot sign in to CTU?

Sign in using an anonymous/private browser window. Instructions for opening a private window are below:

Google Chrome

• Click ⋮ (three dots in the top right)
• Select New Incognito Window

Mozilla Firefox

• Click ☰ (three lines in the top right)
• Select New Private Window

Microsoft Edge

• Click ⋯ (three dots in the top right)
• Select New InPrivate Window

Safari (Mac)

In the top menu bar, click File

Select New Private Window

Does MFA work without an internet connection?
Yes, if you use the Microsoft Authenticator app, you can use offline-generated codes (TOTP).

How often will I need to authenticate with MFA on the same device?
Every 7 days

I am unable to register the required authentication method
If an error message “Unexpected error while processing the request…” appears, we recommend performing the registration from an anonymous (private) browser window. If the problem persists, please contact your faculty’s IT support. To speed up the resolution, please provide details of the steps you took, the name and version of the web browser used, and the name and version of the operating system.

Do I have to register my private phone in the ČVUT university system?
Registering a private phone in the ČVUT university system is not mandatory, but it is recommended because it reduces the number of MFA authentication prompts within Office 365 products.

What are the benefits of registering a work or school account on Windows?
Registering a work or school account on Windows allows you easier access to applications and services related to your account. It also enables data synchronization across multiple devices and ensures a higher level of security through multi-factor authentication (MFA).

If my MFA authentication expires on a mobile device, will I still receive emails and other notifications?
Yes, if you use recommended clients such as MS Outlook for email or MS Teams for communication, all notifications will still be delivered and you will not miss calls in MS Teams. However, to read messages, you will need to complete a new authentication.

I do not have a phone, or I have a phone on which MS Authenticator or another TOTP app cannot be installed. What should I do?
In such a case, you can use authentication via Windows Hello. Alternatively, a FIDO2 USB security key can be used—please contact your local IT administrator in this case. If these options cannot be used, you can use a TOTP application on another device (e.g., a computer) or a browser extension with TOTP support.

How should I proceed if I lose the second factor?
If you lose one of your authentication methods (for example, a phone, security key, or another MFA method), follow these steps:

• Use a backup authentication method: If you have a backup authentication method configured, such as another phone with Microsoft Authenticator, a security key, or Windows Hello, use it to sign in to your account.
• Remove the lost method: Once you sign in using a backup method, we recommend immediately removing the lost authentication factor from your account to ensure that an unauthorized method cannot be used to access your account.
• Add a new authentication method: After removing the lost method, add a new authentication method so your account remains protected by multi-factor authentication (MFA). You can add, for example, a new phone, a security key, or another available method.
• If you do not have any backup authentication method and cannot sign in, contact your faculty’s IT support, who will help you restore access to your account and make the necessary changes to your security settings.

Will the approval of leave requests via Obelisk in the AEDO system (one-time code sent by email + PIN) change after MFA is introduced?
Yes, the one-time verification code that you previously received by email and that served as a substitute for the second authentication factor will be removed from the system. This method will be replaced by standard two-factor authentication, which will increase the security of your login credentials. After successful identity verification using the second factor, single sign-on (SSO) will work across individual applications. This means that when switching between applications, you will no longer need to re-enter your login credentials or the email code—only the PIN will be required.

What are the options for multi-factor authentication (MFA) if I do not have a smartphone?

Even without a smartphone, you can use several secure multi-factor authentication (MFA) methods:

1. Windows Hello

• Works on Windows computers.
• Allows authentication using a PIN, fingerprint, or facial recognition.
• Biometric authentication is not mandatory—PIN-only can be used.
• Works offline; authentication is performed locally on the device.

2. Physical security key (e.g., USB FIDO2 key)

• Is an USB device that serves as an authentication factor.
• Does not require application installation or an internet connection.
• Very secure and easily portable solution.

3. TOTP codes via desktop applications or browser extensions

• There are browser add-ons or desktop applications that allow generating these codes (not recommended).

MS Authenticator

What is the minimum operating system version required by the MS Authenticator app?
iOS 17 and higher, Android 8 and higher

I have a smartphone on which MS Authenticator cannot be installed. What other options do I have?
As an MFA authentication method, you can also use third-party TOTP solutions such as Google Authenticator. Alternatively, a USB FIDO2 security key can be used, which can also be used for authentication on a phone. NFC can also be used if supported by both devices.

MS Authenticator sends a verification code, but it does not appear on the phone.
If Microsoft Authenticator sends a verification code but it does not appear on your phone, this may be caused by poor internet connectivity or notification settings issues.

• Refresh notifications by swiping down in the app
• Check in Android system settings that battery optimization is not enabled for the MS Authenticator app
• Wait approximately 5 minutes until the previous code expires
• Restart your phone
• Select sign-in using a password and then perform TOTP verification in MS Authenticator
• Contact your faculty’s IT support

MS Authenticator refuses to send a new verification code, stating that one has already been sent and another cannot be sent.
If Microsoft Authenticator refuses to send a new verification code because one has already been sent, you must wait until the previous code expires or check the application settings.

• Restart your phone
• Select sign-in using a password and perform verification using TOTP in MS Authenticator
• If the problem persists, contact your faculty’s IT support

I am unable to install MS Authenticator on my phone.
If you have trouble installing the Microsoft Authenticator app, make sure you have enough storage space and that your phone meets the app’s system requirements. MS Authenticator also requires that a screen lock be enabled on the mobile device.

I have a new phone, added my school account, but I still see an old account that cannot be removed (Android).
If you have a new phone and added your school account but still see an old account that cannot be removed, the issue may be related to account settings on your phone. Try removing the account in Android system settings or contact your faculty’s IT support.

After installing MS Authenticator on a new phone, notifications are still only being sent to the old phone.
This is because passwordless sign-in is enabled on the old phone and not enabled on the new phone. Enable the Passwordless service on the new phone or disable it on the old one.

USB FIDO2 Security Key

What should I do if I lose my USB FIDO2 security key?
Use a backup authentication method such as Windows Hello, Microsoft Authenticator, or another method. If you do not have any other method, contact your faculty’s IT support.

I am using Linux OS and during MFA setup I am unable to set a PIN for a new USB FIDO2 security key.
In this case, Linux OS behaves in a non-standard way and does not allow the user to set the initial PIN for the security key. The PIN can be set using the manufacturer’s application for the given key, which the user must install, or by setting the PIN on another computer that does not run Linux OS. In Windows and macOS operating systems, the PIN can be set without any issues.

I am using the Thunderbird client, but the option to authenticate using a USB FIDO2 security key is missing.
The Thunderbird email client unfortunately does not currently support sign-in using FIDO2 security keys (e.g., YubiKey or similar devices). This means that if you have multi-factor authentication (MFA) enabled, it is not possible to use a USB key to authenticate access to your account in Thunderbird. The reason is that Mozilla, which develops Thunderbird, is introducing modern security standards such as FIDO2 more slowly than other applications. Although this technology is widely supported in browsers (e.g., Firefox, Chrome), it is still missing in Thunderbird. Use another authentication method such as MS Authenticator or another TOTP.

Windows Hello

Does Windows Hello work without internet?
Yes for duration of 7 days, standard device unlocking using Windows Hello works offline—without an internet connection. After this period expires the device must be connected to the internet again in order for the Windows hello to function.

Are my biometric data (e.g., fingerprint or face) secure when using Windows Hello?
Yes, biometric data are protected with a very high level of security when using Windows Hello:

• They are not stored in the cloud and are not transmitted over the internet.
• They are stored locally on your device in the so-called Trusted Platform Module (TPM), a special security chip on the motherboard.
• This is not storage of photos or fingerprints as images. Instead, biometric data are converted into a mathematical model (so-called biometric templates) that cannot be reverse-engineered.
• Neither Microsoft nor any other application has access to these data.

I’m unable to verify my identity using MFA via Windows Hello — what should I do?

If you cannot verify your identity with MFA using Windows Hello, you are likely using only the basic (non-MFA) variant — true multi-factor authentication requires Windows Hello for Business to be active. See the comparison and requirements below.

Windows Hello (basic)

• It is used only for convenient unlocking of a computer.
• Instead of a password, you use a PIN, fingerprint, or facial recognition.
• It is fast and practical, but it is not considered multi-factor authentication (MFA).

Requirements

HW:

• Computer with Windows 10/11
• TPM chip

SW:

• Windows 10 or 11
• Local account or Microsoft account
• No need to register the account in a university/work environment

Windows Hello for Business (university / work)

• It is used in a university or workplace environment.
• You sign in just as easily (PIN/fingerprint/face), but the device you use is also verified.
• This makes the sign-in more secure and compliant with MFA requirements.
• You often do not need to enter additional verification codes when accessing work applications.

HW:

• TPM 2.0

SW and environment:

• Computer with Windows 10/11 Pro/Enterprise/Education
• The account on the device is registered in the university/work environment

TOTP

Why is it important to have the correct date and time set on the device when using TOTP (Time-based One-Time Password)?
Correct date and time settings are crucial because TOTP generates one-time codes based on the exact time. If the device time is incorrect, the generated code will fail.

How does TOTP (Time-based One-Time Password) work?
It generates one-time codes every 30 seconds in applications such as Microsoft Authenticator or third-party apps.

What does TOTP (Time-based One-Time Password) mean?
It is a time-limited one-time password, usually valid for 30 seconds.

Can TOTP be used somewhere other than on a mobile device?
Yes, applications or browser extensions that function as TOTP can be used. They should be installed on a different device.

Why doesn’t CTU support TOTP applications more?
Although TOTP was defined and standardized in RFC 6238 (2011) and for many years was considered a widely used and functional MFA technology, its position has gradually weakened. From the perspective of the long-term evolution of security standards, it is clear that TOTP will increasingly be seen as outdated.

The reasons are mainly these:

• lower resilience to certain types of attacks (e.g., malware on user devices, phishing techniques targeting codes),
• less user comfort compared to modern methods,
• the weakness of having to securely store the shared secret key, while it cannot always be guaranteed that this key is handled securely in various mobile apps or browser extensions.

It is true that TOTP is significantly more secure than using a password alone; however, its actual effectiveness always depends on the trustworthiness of the application, the environment in which it runs, and user behavior. On a typical device where updates are neglected, installed applications are not vetted for security, and the user ignores basic security principles, the overall protection level of TOTP can be significantly reduced.

For these reasons, we emphasize that CTU users should transition to solutions that are not only more secure, but also resistant to future threats and at the same time simpler from the perspective of user experience. Therefore, we primarily support Microsoft Authenticator and other phishing-resistant methods as preferred solutions.

Why does CTU not support TOTP applications more strongly?

Although TOTP is defined and standardized in RFC 6238 (2011) and has long been considered a widely used and functional MFA technology, its position has been gradually weakening. From a long-term security standards perspective, it is clear that TOTP will increasingly be regarded as outdated.

The main reasons are:

• lower resistance to certain types of attacks (for example malware on user devices or phishing techniques targeting one-time codes),

• lower user comfort compared to modern authentication methods,

• a structural weakness in the need to securely store a shared secret key, while safe handling of this key cannot always be guaranteed across different mobile apps or browser extensions.

It is true that TOTP is significantly safer than using a password alone. However, its effectiveness always depends on the trustworthiness of the application, the environment in which it runs, and user behavior. On a typical device where updates are neglected, installed applications are not reviewed for security, and the user underestimates basic security practices, the overall protection level of TOTP can be substantially reduced.

For these reasons, CTU encourages users to move toward solutions that are not only more secure, but also more resistant to future threats and at the same time simpler from a usability standpoint. Therefore, the preferred methods are Microsoft Authenticator and other phishing-resistant authentication approaches.