Managing multi-factor authentication (MFA) on your account
Everyone with an Oxford Single Sign-On (SSO) has MFA on their account - here's advice for managing it
[Links updated September 2022]
Why do we need multi-factor authentication (MFA)?
Cyber-criminals can use someone’s account to access confidential or valuable data at the University, once they have access. A key defence we have against these sorts of attack is multi-factor authentication, which helps to secure our accounts and data, by introducing a 'double lock' mechanism.
Since MFA was introduced at Oxford University, there has been a significant decrease in the number of incidents: the year before we introduced MFA there were over 450 compromised accounts in one month, whereas during the same period in the second year, there were only 22.
Those who wish to do us harm have not gone away, but with good coverage of MFA we have made their job harder.
What is MFA?
Multi-factor authentication is a second layer of security on your Oxford University Single Sign-On (SSO) account asking you to verify your account using a second factor, such as a code from an app on your phone, a text message, or a phone call.
What MFA options do I have?
There are several options for authenticating with a second factor and which you choose is up to you.
For smart phones, you can:
- Install the Microsoft Authenticator app, which can be used either with notifications or one-time passcodes - the app also works on tablets
- Receive a text message with a code
- Receive an automated phonecall
For office phones, you can receive an automated phonecall
For laptops or desktops, you can install the Authy app or buy a hardware token through your normal route for purchasing IT equipment
Our top tips below will help you get the most from MFA on your account.
MFA top tips
- Always enter your username as 'abcd1234@OX.AC.UK', where abcd1234 is your SSO username, don’t use your email address
- Set up a second authentication method that doesn’t use the same device as your first (in case you lose or change your mobile phone)
- If you don’t want to use your mobile, you can use a landline, a hardware token or the Authy app on your computer, but note that setting up a hardware token requires another method first and Authy requires a phone for initial setup
- If you don’t good have Wi-Fi or mobile signal, try using one-time passcodes on the Authenticator app or a hardware token, which should be purchased through your normal route for purchasing IT equipment
- If you get a new phone, do not wipe your old phone until you have set up MFA on the new one
- If you lose your phone, you will need to use an alternative method in order to set up MFA on a new one - If your phone is your only device for authenticating, then you will need an MFA reset, which your local IT support staff can do for you
- MFA doesn’t work on some older devices or email clients - you can check compatibility - in this case, you might need to use an app password instead
Where can I find help?
Guidance for setting up and managing MFA on your devices is available on the IT Help website.
If you get stuck, speak to your local IT support in the first instance - they can reset your account if needed. Otherwise, get in touch with the central IT Service Desk.