MHCC email adds new security procedures: This fall be prepared to use two-factor authentication

All MHCC student Microsoft email accounts now require two-factor authentication. The change went into effect on Sept. 1, according to emails sent to students over the summer.

Students can add or change methods of multi-factor verification in the “Security Info” tab of their school Microsoft account and officials recommend that students set up the Microsoft Authenticator app as the preferred method of multi factor authentication accepted by the college – while students may also use a  two-factor authenticator app of their choice.

Another option listed for multi-factor authentication (MFA) was “hardware tokens,” which are also sometimes referred to as two-factor authentication chips. Blake Brown, who is part of the IT department at MHCC, explained that the “hardware token” option would “be reserved for special use cases where access to technology is not viable.” In such cases, Brown said, IT can issue those students a hardware token until they once again have access to another method of multi-factor authentication.

The rest of the MFA options are methods that use a phone number in some way that allows a person to receive a one-time code – in either a voice or text format, depending on the option chosen.

Unlike the previous experience some students may have had with using multi-factor authentication, email is not an approved method of two-factor authentication that will work to approve a normal login to a student’s email account. Brown noted that not including email as one of the options for multi-factor authentication was an intentional decision: “(E)mail accounts are frequently targeted in phishing attacks, and if compromised, an attacker could intercept one-time codes. This would defeat the purpose of MFA.”

As such, email will not be a method accepted to approve a login.

If a student wants to reset their password without help, they will need to use two methods of authentication to reset it. This is the only time an email may be used as a method of verification,  but the process will still require the use of another more secure method of verification to reset a password. 

By default, the email associated with a Mt. Hood student’s Saints account is the email they used when they initially applied for enrollment at MHCC, unless they act to change it.

If students decide to only add one additional method of multi-factor authentication besides email, taking steps to improve the security of their personal email could help make sure they can still reset their password if needed. These include making sure they still have access to the email listed in the “Security Info” tab, by turning on multi-factor authentication for their personal email, and making sure their passwords are strong and not similar to other passwords they use.

If students are unable to reset their password on their own or are unable to access their account, Brown says that students will need to contact Student Support to help them regain access to their account.