Skip to main
University-wide Navigation

If it’s been a while since you last logged in to your bank account or another online account, in addition to entering your password, you might be prompted to enter code. This extra step is known as multi-factor authentication (MFA) — a procedure that requires at least two forms of verification used to protect online accounts.  

Multi-factor authentication is a quick and simple way to add an extra layer of protection to confidential data. This additional step acts like an extra lock designed to protect accounts from hackers or a cybersecurity weakness. In some cases, MFA might require biometric verification like a fingerprint or facial scan.  

Make sure to activate MFA for all online accounts. Most options for MFA include receiving a text, phone call or email. The simplest way to enable multifactor authentication is to set up a face scan or fingerprint scan. Not only is this the quickest option, but it’s also more secure. In the event of a lost or stolen phone, no one can access your information.  

This small step can make a significant difference when it comes to protecting your online accounts. In addition to protecting against security weaknesses or compromised login information, enabling MFA also helps protect online accounts from phishing attempts. A phishing attempt is an email that tries to obtain confidential information like credit card numbers, usernames or passwords.  

For University of Kentucky accounts, the most secure option for MFA is to download the Duo app. The MFA app either sends a push notification to your phone or generates a code for you to input when logging to UK technology resources (e.g., Canvas, myUK, Microsoft365 products).  

It is important, however, to be aware that hackers may still try to take advantage of MFA to steal your information. One common attack happens when a hacker attempts to get you to share your unique passcode generated with an MFA app. This can be done by impersonating IT support and claiming the code is needed to keep an account active.  

 It is also important to beware of unauthorized multi-factor authentication push notifications. For example, if you receive a text message asking you to verify an account login, but you have not attempted to login to any of your online accounts, deny access.  

UK Information Technology Services (UK ITS) Cybersecurity Analyst Jackie Campbell said hackers use this tactic aimed at gaining access to your online accounts.  

“When the criminal already has your login information, they only need you to approve an MFA request,” Campbell said. “They begin sending request after request, sometimes over 24 hours until, out of annoyance or desperation, you approve. This is called 'MFA Fatigue' or 'MFA push spam'.” 

Campbell says if you receive an MFA notification you did not request, change your password. This will lock out anyone with access to your account. Despite this risk, using multi-factor authentication acts as a warning system, even when account login information has been compromised. If MFA is not enabled, a user wouldn’t receive a prompt, unauthorized or not.  

Another benefit of using multi-factor authentication, it may help your company maintain compliance with certain cybersecurity requirements.  

Overall, multi-factor authentication not only keeps your accounts secure, but it can provide you with peace of mind that you control the extra layer of cybersecurity for your online accounts.   

For keeping your UK data and systems safe, UK ITS recommends utilizing push notifications via the Duo app for MFA. This method offers more cybersecurity protections than SMS texts. For more information on how to enroll your smartphone with the Duo app, see How do I enroll my smartphone in Duo Mobile multi-factor authentication? 

For more information about cybersecurity efforts at UK and awareness activities happening during the month of October, visit or follow UK ITS on social media by visiting