Setting up multifactor authentication
The electronic services of the university community require multifactor authentication.
Multifactor authentication (MFA) involves an additional authentication on your mobile phone or USB security key when logging in to cloud services. MFA adds an extra layer of security to your account when you log in to the TUNI electronic services, especially if your password has ended up in the wrong hands.
The use of MFA is free of charge and only requires a smartphone that is connected to the internet and can be equipped with the Microsoft Authenticator app that is available for download on Android and Apple phones.
The authenticator app is recommended due to its ease of use.
You can install the Microsoft Authenticator app on multiple phones and also use it when logging in to other personal services, such as Google services.
Read more: Use of mobile phones (for staff)
If you don't have a smartphone, you can use a USB security key (e.g. Yubikey Security Key U2F FIDO2 NFC, available at most electronics stores). TUNI staff can order a USB security key directly to their home address using the IT-Small accessories order form of the helpdesk.tuni.fi service channel.
Note this when installing and using multifactor authentication
- A VPN connection is no longer required to enable multifactor authentication. It is enough to do it from Finland.
- If you are not in Finland, a TUNI staff work computer must have the TUNI VPN connected. When using your own personal device, you need to install eduVPN on your computer and turn it on. Read the instructions on how to get a VPN connection on your personal computer (Windows, Linux or macOS).
- Students and visitors (including those with the same access rights as staff) do not need a VPN connection to enable multifactor authentication.
- If you get a new phone, you have to enable the multifactor authentication on your new phone. Only after this, remove the old phone from the authentication service at https://aka.ms/mfasetup by clicking delete.
- If you have not yet set up a Google or Apple account on your phone, you can set it up with your own account or with a newly created account.
- Not all email applications (e.g. Samsung phones' own email applications) support the multifactor authentication method yet, which is why the University cannot approve the use of TUNI email and calendar with such an application for security reasons. So, remember to enable Outlook for Android on your phone in order to manage your TUNI email and calendar. A list of supported email applications and installation instructions
- When using something other than your personal device, be sure to answer "No" to the question in the Stay signed in window, so that no one else can log in with your user account to your information and the TUNI electronic services you have used.
- At this stage, multifactor authentication does not yet affect the services' own local accounts.
- Multifactor authentication is not used in:
  - Linux SSH and remote desktop servers (the SSH server for staff uses a different multifactor authentication method)
  - TUNI eduVPN logins
  - the systems used in the electronic exam (Exam, Plussa, Älyoppi-Moodle).
Setting up TUNI multifactor authentication with a smartphone
The setting up of MFA involves two phases. You will need an Android/Apple smartphone and a computer equipped with a browser, such as Edge or Google Chrome.
1. Install the Microsoft Authenticator app on your phone from the app store. After installation, open the Authenticator app and follow the instructions.
2. Connect your TUNI account and the phone authenticator application. Open the address https://aka.ms/mfasetup and follow the instructions.
Install the Microsoft Authenticator app on your phone
- Download and install the Microsoft Authenticator app on your phone from the app store.
- Open the Microsoft Authenticator app after downloading.
- The first time you log in, allow the collection of anonymised data when prompted to do so. You can turn off data collection later.
- If prompted, select Allow to allow notifications.
- Select Add a new account, then Work or school account.
- Select Scan QR code.
- Allow the authenticator app access to your camera to take a picture of the QR code in the next phase.
- The app waits for a QR code to add your TUNI account to the Microsoft Authenticator app on your phone.
Put your phone aside for a moment and go to phase 2.
NOTE! If the authentication application indicates that it is locked and asks you to enter the lock code, then use the same code that you use to unlock your phone screen/display.
Add your TUNI account to the Microsoft Authenticator app
- Go to the web address https://aka.ms/mfasetup
- Log in with your TUNI email address and password.
- When your web browser asks whether the login will be saved, you can select No.
- The browser displays a notification about providing additional details; select Next.
- The browser displays information about the use of the Microsoft Authenticator app.
- Click Next, and a QR code appears on screen.
- Take your phone and scan the provided QR code with the QR code reader of the Microsoft Authenticator app. If the authenticator application asks for a lock code, this is the lock code of the phone display.
- After the Microsoft Authenticator app has scanned the QR code, click Next on the browser window.
- As a test, a notification is sent to your phone; select Approve.
- In your browser window, click Next.
- Then click Done.
- Your TUNI account has now been added to the Microsoft Authenticator app on your phone.
You will initially receive frequent verification prompts when you log in to TUNI electronic services, but the number of prompts will decrease after you have logged in to the different services using MFA.
The next verification prompt will appear in about two months if you always use the same device or browser. If you use a different device or browser, you will be prompted to log in with a second verification. Using the app outside of Finland may also trigger a prompt.
Setting up TUNI multifactor authentication if you don't have a smartphone
If you don't have a smartphone, you can use a USB security key that plugs into the USB port of your computer. The USB security key is primarily intended for computer use, but also works to a limited extent on mobile devices. TUNI login works in the browser on iOS mobile devices, but Android mobile devices are not supported for now. More information about compatibility: Browser support of FIDO2 passwordless authentication | Microsoft Learn
The USB security key is connected to the computer's USB port. Keys are available with two different USB connectors: USB-A or USB-C. Check which USB ports your computer has. TUNI staff can order a USB security key directly to their home address using the helpdesk.tuni.fi service channel's IT-Small accessories order form.
The multifactor authentication with the USB security key is implemented in two different steps. You need a phone, a USB security key and a computer with a browser installed, e.g. Edge or Google Chrome.
1. Create a Temporary Access Pass. First, you need to create a Temporary Access Pass to access the security information page.
2. Set up the USB security key. The USB security key activation instructions are below.
Create a Temporary Access Pass to access the security information page
- Go to the web address https://salasana.tuni.fi and select Start by authenticating to create a temporary access pass.
- Identify yourself by choosing an identification method on the e-identification page.
  - Finnish means of identification: online banking ID, mobile certificate, or Citizen Certificate card.
  - If you do not have a Finnish means of identification: click Identification methods for foreigners at the bottom of the e-identification page. Choose an identification method you can use. Read more on e-identification methods. If you don't have online banking credentials, contact the IT Helpdesk.
- Select Reset multi-factor authentication (MFA) by clicking Reset MFA.
- Click the Continue button under the Set a temporary access pass heading to create a temporary access pass.
- The temporary access pass appears on the screen in the box with the green background. The temporary access pass is only valid for a limited period of time. Complete the MFA settings immediately after setting the temporary access pass.
- Copy the code in the box with the green background and press Continue.
- The Continue button redirects you to the login screen. In the Sign in box, type your TUNI email address.
- Use the temporary access pass that you copied to log in.
- After logging in, you will be able to remove the non-functional authentication method and to set a new authentication method on the Security Info page.
Enabling the USB security key
The following installation instructions are based on the use of Yubico's Yubikey Security Key U2F FIDO2 NFC key. You can also use security keys from other manufacturers, but we do not offer support for their use.
1. Open the address: https://aka.ms/mfasetup in your computer browser
2. Log in using your TUNI email address and password.
3. When the computer's browser asks whether to save the login, you can choose No.
4. The browser will notify you about the configuration of additional information, select Next.
5. Next, the browser introduces the use of the Microsoft Authenticator application.
6. On the Security info page, click the + Add method button.
7. Select Security key from the drop-down menu and click the Add button
8. Select USB device as the type of USB security key (access key) you own.
9. When you select Next, you will be prompted to insert your security key, so insert the USB security key into your computer's USB port.
10. Click the Next button in the Security Key notification window on your computer.
11. You can close the QR code that appeared on your screen by selecting Use a different device
12. In the Create a passkey window that opens, select Windows Hello or external security key
13. Select Ok in the Security key setup window
14. Enter the security key PIN code of your choice
15. When the Security key window states "To set up a security key, you need to sign in with two-factor authentication", select Next.
16. Complete the multifactor authentication.
17. Select the USB device
18. The browser opens a new small window where you can set a PIN code for the USB security key. The PIN code must be at least four digits long. If you have already set a code for the security key, enter the code you set previously as normal.
19. The USB security key light will flash. Press the flashing light.
20. Name the USB security key. After naming, the deployment of the USB security key is complete.
21. Click the OK button (Next).
22. Click the Done button in the browser.
23. Two-step authentication is now installed.
Using the USB security key
After activation, if you receive multifactor authentication approval requests, do not enter your TUNI email address when logging in, but select Sign-in options at the bottom of the login window and then Sign in with a Security Key. After that, enter the PIN and touch the USB security key. The key does not read fingerprints, only touch.
Passwordless authentication
Those who wish can use passwordless authentication. After enabling it, you can log in to the TUNI electronic services with strong authentication, without the TUNI password.
Passwordless authentication (pdf)
IT Helpdesk
0294 520 500
it-helpdesk [at] tuni.fi
helpdesk.tuni.fi