Multi-Factor Authentication FAQs for Staff and Students

Further information about multi-factor authentication for staff and students


Why is MFA being introduced?

There is an increased and growing cyber threat to Universities; authentication weaknesses have contributed to incidents that have severely affected other institutions recently. The University of Oxford has a particularly high profile leading the world with COVID-19 research and we are under continuous cyberattack. At the same time, the pandemic has brought additional risks. This is partly because people are working from home using a number of devices to connect to their work accounts. Therefore, it is vital for us to secure our systems, now more than ever. Multi-factor authentication will ‘double-lock’ our systems to protect Oxford’s unique information.

Is MFA mandatory?

Yes, multi-factor authentication will be mandatory on all SSO accounts. This is one of the best ways we can achieve a reduction in cyber attacks and security breaches at the University.

A very small number of colleagues may not be able to use this functionality due to exceptional circumstances, such as an accessibility issue, which means none of the second factor methods are feasible. In these exceptional circumstances, individuals can request an exemption by logging a service desk request with the IT Service Desk.

Why is MFA being rolled out by surname?

We have chosen to rollout multi-factor authentication across the University by surname because:

  • It will distribute the workload required from the IT Support Desk
  • This is a simpler way to create batches of users than identifying someone by, for example, their department or college, where people can have multiple affiliations
  • It will save confusion if people can easily identify which migration group they fall in, based on the first letter of their surname, rather than department or college affiliation

Any new member of staff or student who joins the University during the A-Z deployment will automatically have MFA enabled.

What second factor authentication options are available?

You can receive your second factor authentication code using the following methods:

  1. Using the Microsoft authenticator app on your mobile phone in one of two modes:
    • Push notifications, where you request the authentication on the device you are logging into, and the app pops up with “yes” or “no” to accept the authentication
    • Time-based One-time Password (TOTP), where you generate a code using the authenticator app and manually enter it on the device you are logging into when prompted
  2. Receiving an SMS on your mobile phone, with a code that you enter on the device you are logging into
  3. Requesting a phone call on a landline or mobile phone, which automatically reads out the code to you, which you then enter manually on the device you are logging into (all phone numbers in all countries will work for this method)
  4. Using a hardware token, which your department or college can purchase for you. For information on hardware tokens and recommended suppliers see FAQs below

From a security perspective, Infosec strongly recommends using the strongest available method for second factor authentication. Push notifications are recommended as the most secure option and you are advised to make this your primary authentication method. SMS and phone call should only be used where other methods are not available.

NOTE: A QR code for registering the authenticator app will become available when MFA is enabled for you, or you can add your authenticator by going to the Microsoft My Sign-ins page.

How often will I be required to enter a code?

How often you are required to authenticate will depend on individual circumstances, such as the device you are logging in from, your physical location and the applications you are using. If MFA detects a change in any of these, it will request authentication to ensure that you are who you say you are.

Will we be allowed to set up/use multiple services/devices (in case one service is unavailable)?

Yes, it's recommended that you register multiple verification methods. When one method isn't available, you can choose to authenticate with another method.


How do I set up more than one authentication method at the time of registering?

  1. Go to the Microsoft Account page
  2. Click Security Info
  3. On the security info page, click +Add Method
  4. Select the method, e.g. Security Key

What if I am in a building with no Wi-Fi, how will I receive my second factor code?

When setting up multi-factor authentication you should select the option on the mobile app that generates a one-time passcode, which requires no mobile data or Wi-Fi connectivity.

The Microsoft Authenticator app is available for Android and iOS.
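The reason the TOTP mode needs no mobile data or Wi-Fi (and the reason the authenticator-app option above can work as a manually entered code) is that a time-based one-time password is a pure computation: an HMAC over the current 30-second time step, keyed with the secret that the phone and the sign-in service shared once at registration via the QR code. The following is an added example, not part of the University's FAQ and not Microsoft's code; it implements RFC 4226 (HOTP) and RFC 6238 (TOTP) in Python and assumes the RFC defaults (HMAC-SHA1, 30-second step, 6 digits), which is an assumption about how a given registration is configured. The secret used is the RFC 6238 test vector, and `secret_from_base32` assumes the base32 encoding that otpauth QR codes carry.

```python
"""Added example: RFC 6238 TOTP generation and server-side verification.

Shows why an authenticator app in TOTP mode needs no network: the code is
HMAC(shared_secret, floor(unix_time / 30)), so the phone and the sign-in
service each compute it independently from the secret exchanged at
registration (the QR code) and their own clocks.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 defaults (assumption: the registration in question uses these).
TIME_STEP = 30
DIGITS = 6


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// QR code (padding may be omitted)."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the '=' padding base32 decoders expect
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None,
         step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, candidate: str, for_time: Optional[int] = None,
                step: int = TIME_STEP, digits: int = DIGITS, window: int = 1) -> bool:
    """Verifier-side check: accept the code for the current step or up to `window` steps either
    side (tolerates phone/server clock drift). Each comparison is constant-time so a wrong guess
    cannot be distinguished from a nearly-right one by response timing."""
    if for_time is None:
        for_time = int(time.time())
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = for_time // step
    matched = False
    for delta in range(-window, window + 1):
        # evaluate every position rather than short-circuiting, to keep timing uniform
        if hmac.compare_digest(hotp(secret, counter + delta, digits), candidate):
            matched = True
    return matched


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 test vector, ASCII "12345678901234567890".
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    for t in (59, 1111111109, 1234567890):
        print(f"t={t}: {totp(secret, t)}")
    print("code for right now:", totp(secret))
```

Run it as a script and the first three lines reproduce the 6-digit codes from the RFC 6238 test table; the last line is the code an authenticator holding this secret would show at this moment, computed with nothing but the clock. The `window` parameter is the verifier's trade-off: a wider window tolerates more drift but also lengthens the time for which a code seen over someone's shoulder remains usable.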

What will the recommendation be for users working from home with no smart phone, or with no mobile signal?

You can choose to receive your code via a landline number, if you have one, and if you have a smart phone but no mobile signal, you can authenticate over Wi-Fi.

If you have no landline, smart phone or signal available, then you will require a hardware token.

Is it possible to have the same phone number associated with multiple accounts, e.g. for staff who have access to project accounts as well as their personal account?

Yes, it is possible to set up the same phone number for different accounts (it also works for mobile numbers), but it doesn't give any indication as to which account you are trying to sign into when it calls.

If a landline has forwarding set up on it, for example a Chorus desktop landline forwarded to a mobile number, will the telephone authentication work?

Ensure you have unconditional forwarding set (not forward on no reply); the call will then forward immediately with no delay. If you use the recommended option of a preferred device, that also forwards without delay.

  1. Click 'Call me' on the second factor page
  2. The phone rings
  3. Pick up the phone
  4. Automated message: "Thank you for using the Microsoft’s sign-in verification system. Please press the hash key to finish your verification." (you don't have to listen to the whole message)
  5. Press the hash key
  6. Login completes and the incoming call hangs up.

You will have around 30 seconds to press the hash key from the time that you pick up the incoming call (or around 15 seconds to press hash if you choose to listen to the whole message).

Has the webauth.ox.ac.uk screen changed?

Yes, the Oxford web-based SSO sign-in page has been replaced with an Oxford-branded Microsoft sign-in page. Your password will remain the same; however, your username may need to be entered as abcd1234@OX.AC.UK (where abcd1234 is your existing SSO username).

Why doesn't the 'Forgot my password' link work?

Passwords are handled locally, not by Microsoft, so this link will not work. However, if you forget your password, you can still use the "Change your password" link below.

Has the account management page changed?

Yes, the account management pages have also been replaced with an Oxford-branded page.

Will this change how often people need to change passwords?

No. The password policy is changing, but not the password-change frequency, which remains annual, although this may be increased in the future if the risk profile changes.

I access another institution's resources with a Microsoft Account and am having issues within the same browser

Options available to you are:

  1. Establish a second browser profile in your preferred browser and operate Oxford University Microsoft authentications in that browser instance (window), running two browser profiles concurrently (e.g. this Chrome window is my other institution tenancy/services (for example @sbs.ox.ac.uk), and that Chrome window is for my Oxford University tenancy/services (abcd1234@OX.AC.UK))
  2. Use separate browsers and run them concurrently in order to establish separation in tenancy/service authentication (e.g. other institution tenancy/services authentications in Firefox, and Oxford University Microsoft authentications in Chrome)
  3. Use a single browser and incognito / private / in-private browser sessions on an ad-hoc basis to access Oxford University resources (this doesn’t preserve history / cookies)
  4. Continue to use a single browser and log in and out of each tenancy/service as and when necessary.


What are hardware tokens?

After initial set-up with an authentication method such as phone, SMS or app, it will be possible to use a hardware token in exceptional circumstances. A hardware token is a dedicated physical device held by an authorised user and used in addition to a password, to grant access to computer resources.

The University will support the use of FIDO2 hardware tokens. Departments, colleges or individuals will need to purchase and fund their preferred type of FIDO2 token themselves, and it is possible to reuse an existing hardware token once you have one.

Where do I go for support with my hardware token?

Please contact your IT Manager for help and guidance with hardware tokens. Support for the hardware token itself will be with your local IT Support. If you lose your hardware token the Central IT Service Desk can revert your account back to before the second factor was enabled. Your password remains the same but you will be prompted to set up MFA as you did the first time.

What is an App password?

After MFA (Multi-Factor Authentication) has been enabled on your account you may run into issues if you use apps or older devices that are incompatible. Exemption will not be granted in these circumstances. You must request App Password enablement.

An App Password is a long, randomly generated password that you can create within your account for the express purpose of signing into an application that only supports basic authentication. Basic authentication is not compatible with MFA.

Further information is available on App Passwords.

Enabling App Passwords

The project team are collating a list of accounts that use basic authentication (which will require an App Password). These accounts may require an App Password on either a personal (primary) email account or a generic email account (sometimes referred to as a secondary, group, shared or project account).

Personal accounts requiring an App Password will have this functionality enabled at the same time as the second factor change - see deployment timetable. These users will be notified by email.

Generic accounts will have MFA and App Passwords enabled at the end of the deployment timetable in 2021.

App Password service request

From 10 November, owners of personal accounts that need App Passwords enabled, and owners of any generic account that requires App Passwords enabled sooner than 2021, will need to request this by completing a service desk request.

Further information and guidance on how to create an App Password is available from the IT Help page.

What is an exemption?

A very small number of users may not be able to use multi-factor authentication due to exceptional circumstances, such as accessibility issues. In these exceptional circumstances, individuals can request an exemption.

However, hacked accounts can have severe consequences for the University, both through data loss or system impairment, and through reputational damage, and so we will be limiting the circumstances in which people are allowed exemptions and they will be regularly reviewed.

How do I request an exemption?

To request an exemption from MFA please complete a service desk request.

This request must be authorised by a Head of Department (HoD), or equivalent. All authorised exemptions will be regularly reviewed by The University of Oxford Computer Emergency Response Team (OxCERT) to confirm an ongoing requirement.

After MFA (Multi-Factor Authentication) has been enabled on your account you may run into issues if you use apps or older devices that are incompatible. Exemption will not be granted in these circumstances. You must request App Password enablement. Further information on App Password is available here https://help.it.ox.ac.uk/create-an-app-password-for-nexus365


Can I delay the implementation of multi-factor authentication?

If you need to delay multi-factor authentication for exceptional circumstances, you will need to complete a Service Desk request (this can be completed on your behalf).

You can only delay MFA until the end of the deployment schedule in March 2021.

What if I am on furlough, maternity, long term sick leave, long term leave etc?

Staff who are absent from work due to furlough, maternity leave, long term sick leave etc. can be exempt or delayed from the phased implementation. A Head of Department (or equivalent) will need to complete the exemption request.

Can I request early deployment of MFA?

If you would like to have MFA deployed prior to the A-Z rollout please complete a Service Request. MFA will be enabled on the requested account each weekday after 5pm. These requests may take up to two days to process. You will receive an email when your Service Request has been actioned. A typical request timeline is shown below:

  • Monday 3pm - Service Request received by the Service Desk
  • Tuesday 11:30am - Service Request processed by Service Desk. Requestor receives email informing them that their request has been fulfilled
  • Tuesday after 5pm -  MFA is enabled on the requested account


Please be aware that if your Service Request is processed by the Service Desk after 4pm, MFA may be enabled on your account on the next weekday evening.

Will the Service Desk support hours change to support MFA, for example at weekends or evenings?

The out of hours service will be taking calls evenings and weekends as usual, although they do not have the ability to reset passwords or look up any account details.

For further support please visit the IT Help pages.

For any issues with MFA please call the IT Service Desk 01865 (6)12345