Staying secure with multi-factor authentication
Why you should use multi-factor authentication and tips for using it
Multi-factor authentication (MFA) is a second layer of security on your Oxford University Single Sign-On (SSO) account. It is a way of verifying that you are you by using a second factor, such as a code from an app on your phone, a text message, or a phone call.
Why do we need MFA?
If they can access your account, cyber-criminals can use it to access confidential or valuable data at the University. A key defence against this type of attack is multi-factor authentication which helps to secure our accounts and data, by introducing a 'double lock' mechanism.
Since MFA was introduced at Oxford University, there has been a significant decrease in the number of incidents: the year before MFA was introduced there were over 450 compromised accounts in one month, but during the same month in the second year, there were only 22.
Those who wish to do us harm have not gone away, but with good coverage of MFA we have made their job harder.
MFA top tips
Always enter your username as abcd1234@OX.AC.UK, where abcd1234 is your SSO username. Do not use your email address.
Set up a second authentication method using a different device (in case you lose or change your mobile phone).
- If you get a new phone, do not wipe your old phone until you have set up MFA on the new one.
- If you don’t want to use your mobile phone, other methods of authentication are available.
- If you have poor Wi-Fi or mobile signal, try using one-time passcodes on the Authenticator app or your hardware token (if you have one).
- If you also use MFA at another organisation, or a secondary account at Oxford, please see our advice about Managing MFA on a secondary account.
- You can manage your authentication methods on your Microsoft Account page – please see our guide about MFA setup and management.
Guidance for setting up and managing MFA on your devices is available on the IT Help website.
If you get stuck, speak to your local IT support in the first instance - they can reset your account if needed. Otherwise, get in touch with the central IT Service Desk.