Identity Account Self-Service Portal

Multi-Factor Authentication (MFA) refers to an additional layer of security that is added to the login process.

MFA relies on two forms of authentication: something you know and something you have. This means that even if your password is stolen, your account will remain secure because an attacker will not have the secondary authentication method.

Self-Service Password Reset (SSPR) Self-Service Password Reset (SSPR) is a new portal for account recovery if you forgot your password or it expires. To take advantage of Self-Service, it's important to have multiple methods registered. You can enroll your phone number (SMS/Voice) or personal email address in addition to the Authenticator app for SSPR.

You can enroll your authentication methods (also known as factors) simultaneously for both MFA and SSPR so they can be used as required and needed.

We are moving to Microsoft as it has some distinct advantages over our current system.

1. Allows you to register authentication methods of your choosing - today we populate this data based on the phone numbers provided to HR during onboarding. We know this information can change or may not be the method you want to use. With Microsoft you choose your methods.
2. Few links -  With our current portal there are many links; Forgot Password, Expired Password, Password Reset. When do I use each? With Microsoft, you use change password if you know your password and it hasn't expired yet (Recommended to change before it expires) and Forgot/Expired link for either of those situations.
3. Better experience – Have you ever tried to change your password, only to have the new password rejected with no reason given? Changing your password directly with Microsoft SSPR allows clear feedback on how to choose a better password.

Yes – our goal is to continue to provide our end users with self-service options. Please be mindful of any notices that your password will expire. While using Microsoft SSPR, it will be important for you to change your password BEFORE it expires.

It is recommended to change your password BEFORE it expires to limit interruption to your day.

The ideal process is to ensure you're logged off of all computers and applications before doing so to ensure nothing is holding on to your old password. This can cause your account to go into a "locked" state.

Use one of the methods below to reset your password

• For Mac users - use Self Service+ (see button at the top for instructions)
• Use the "Change Password" link at the top of this page or on your St. Jude computer

Log into your devices on the St. Jude network with your new password.

* If your device is currently off the St. Jude network you will need to log in with your old password, connect to VPN for your computer to sync the new password

Please use the Mac User button at the top of the screen to see instructions for resetting your password.

Passwords are becoming increasingly easy to compromise. They can be stolen, guessed, and hacked, and new technology and hacking techniques combined with the limited pool of passwords most people use for multiple accounts means information online is increasingly vulnerable.

In addition, some MFA methods are becoming more vulnerable, such as SMS messages. If an employee falls prey to a phishing email or scam, MFA methods like SMS can be compromised. Microsoft MFA has recommended MFA strengths to ensure we’re using methods that are less vulnerable to phishing. By moving to this solution, we want to ensure more than just a single click away from identity theft and devastating ransomware attacks.

Our new MFA solution is much smarter and more adaptive so the frequency will vary based on factors like your device health, location, and/or data security of the application you’re using.

You may need to re-authenticate with MFA on each device you use every 90 days. 

Personal devices may require re-authentication with MFA every 30 days for secured Microsoft apps (Outlook, Teams, Office apps, etc), or once a day in web browsers. 

We will be migrating in waves based on your location so we can ensure we have extra support there to help. To get prepared we recommend downloading the Microsoft Authenticator in advance.  Check out our MFA Modernization Hub Page for more detailed information.

You will be able to choose a primary authentication method when you register, which you can change or update at any time. IT recommends the use of the Microsoft Authenticator mobile app.

• Microsoft Authenticator: A push notification is sent to the authenticator app on your smartphone asking you to Authenticate your log in. Authenticator will also generate a verification code that updates every 30 seconds if you prefer that method.
•  Windows Hello for Business: Your computer is the authentication factor! Use face recognition, fingerprint, or PIN to verify your identity, and Windows will log in for you. Not available on Macs.
• USB Security key: Microsoft Authenticator and Windows Hello provide the best experience. For situations where neither of these are possible, a USB security key (Yubikey) can be used instead.

You will also be asked to set up a phone number or email to help you access your account if you forget your password. 

If you can’t access your authentication methods, contact the service desk at 901-595-2000 to get help.

You can make changes to your authentication settings by visiting Microsoft's Security Verification page at https://mysignins.microsoft.com/security-info.

Check out our MFA Modernization Hub page for more detailed information.

Yes, IT encourages the use of a personal device for MFA because it is something you likely always have with you.

If you forget your mobile device at home, please contact the ServiceDesk at 901-595-2000.

You can contact the ServiceDesk at 901-595-2000 or review the MFA Modernization Hub page for help documents. 

When not connected to Wi-Fi, The Microsoft Authenticator app uses a very small amount of data to send push notifications.

Standard text (SMS) message rates apply, for those who do not have a mobile plan with unlimited texts. Similarly, it will use minutes from your cellular plan (if applicable) to have Microsoft call you for verification. 

For the best experience, we do recommend allowing the Microsoft Authenticator app to send push notifications on your smartphone. Without push notifications, you would need to open the Microsoft Authenticator app in advance of your login attempt in order to confirm your login. With notifications on, you can approve valid login attempts by simply tapping the notification on your device.

No, registering your device gives you a convenient way access to company services; it does not give the company access to your real-time location or device contents in any way. St. Jude has no management of the Microsoft Authenticator app. The only thing we can see is whether you’ve registered authenticator and if it’s your preferred MFA method.

You might see a 30-second timer counting down next to your active verification code. This timer is so that you never sign in using the same code twice. Unlike a password, we don't want you to remember this number. The idea is that only someone with access to your phone knows your code. It is an alternate form of MFA using Microsoft Authenticator.

You will need to deactivate your old device by visiting Microsoft's Security Verification page at https://mysignins.microsoft.com/security-info and enroll your new device. This is commonly encountered around holidays when many people receive new smartphones as gifts!

Yes! You can enroll up to 5 mobile devices with Microsoft Authenticator. We recommend that you enroll additional devices (St Jude provided iPhone, personal smartphone, personal iPad, etc) as backup methods in case your main device is not accessible.

TAP is a one-time-use password that can help you login to when no other authentication methods are available. This should only be used to help enroll a new authentication method, or for situations where MFA is required and your authentication methods are not available. Contact the service desk at 901-595-2000 for help with requesting a TAP.

We strongly recommend using Microsoft Authenticator for the best experience. Please speak with IT or the service desk to help address any concerns you may have.

If you cannot use Microsoft Authenticator, your manager will need to approve usage of a USB security key (Yubikey). Please contact the service desk at 901-595-2000 for the current request form.

Passkeys are like a password that is securely stored on your device, which requires you to verify your identity before it can be used. Verifying your identity leverages the devices capability to support “something you are” (FaceID, fingerprint), “something you know” (PIN), along with the device itself (“something you have”) to satisfy MFA without typing your password!

We support these passkeys:

• Microsoft Authenticator passkey on any mobile device
• Windows Hello for Business on a St Jude provided computer
• Yubikey USB security keys

Logging in with your passkey can look different depending on your device and application. Generally you will:

• Choose ‘Sign in options’ or ‘Sign in another way’ at the login screen (no need to type your username!)
• Choose ‘Face, fingerprint, PIN, or security key’
• Choose your passkey
• Verify your identity on your device with your FaceID, fingerprint, or PIN

Passkey is an optional advanced way to use Microsoft Authenticator. In short, your device is your password!

Passkey in Microsoft Authenticator works best for logins on the mobile device where Microsoft Authenticator is installed. You can use the passkey for logins on other devices as long as Bluetooth is enabled for both your mobile device, and the device you are trying to login to.

To set up this feature, simply tap ‘Create a passkey’ in Microsoft Authenticator and follow any prompts to re-authenticate. If you enrolled Microsoft Authenticator directly on your mobile device (without scanning a QR code), you are already set up for passkey!

To use passkey when logging in, see the instructions in the question ‘What is passkey?’ above.

Passwordless sign-in is an optional way to use Microsoft Authenticator that allows you to skip typing your password.  This is very similar to passkey but differs in that:

• No Bluetooth connection is required to login on to a separate device
• You can’t skip typing in your username like you can with passkey
• It does not count as a phishing-resistant authentication method for applications that have this requirement

To set up this feature, simply tap ‘Set up Passwordless sign-in requests’ in Microsoft Authenticator and follow any prompts to re-authenticate.

To use this feature:

• Type in your username at any Microsoft login prompt.
• When prompted for your password, choose ‘Sign in another way’
• Choose ‘Approve a request on my Microsoft Authenticator app’
• On your mobile device, tap the Authenticator push notification and type in the two digits that appear on the login screen, just like you would when using Microsoft Authenticator for MFA

If you enrolled Microsoft Authenticator directly on your device (without scanning a QR code), you are already set up for passwordless sign-in!

Windows Hello for Business is a passkey securely stored on your device. See the question ‘What is a passkey’ above for more general information about passkeys.

Windows Hello for Business can only be used on St Jude provided Windows computers assigned to you (shared workstations may not enable this feature). If you set up a FaceID, fingerprint or a PIN when you first received your device, you can use Windows Hello for Business for MFA.

To use this feature for MFA:

• Choose ‘Sign in options’ or ‘Sign in another way’ at the login screen (no need to type your username!)
• Choose ‘Face, fingerprint, PIN, or security key’

‘Sign In with Passkey’ prompt will pop up. Ensure you can see your username in this window. You may have to click ‘Choose a different passkey’ and select the option that looks like this:

• Verify your identity on your device with your FaceID, fingerprint, or PIN