Why is MFA being introduced?
There is an increased and growing cyber threat to universities; authentication weaknesses have contributed to incidents that have severely affected other institutions recently. The University of Oxford has a particularly high profile, leading the world in COVID-19 research, and is under continuous cyberattack. At the same time, the pandemic has brought additional risks, partly because people are working from home and using a number of devices to connect to their work accounts. It is therefore vital for us to secure our systems, now more than ever. Multi-factor authentication will 'double-lock' our systems to protect Oxford's unique information.
Is MFA mandatory?
Yes, multi-factor authentication will be mandatory on all SSO accounts. This is one of the best ways we can achieve a reduction in cyber attacks and security breaches at the University.
A very small number of colleagues may not be able to use this functionality due to exceptional circumstances, such as an accessibility issue, which means none of the second factor methods are feasible. In these exceptional circumstances, individuals can request an exemption by logging a service desk request with the IT Service Desk.
Why is MFA being rolled out by surname?
We have chosen to roll out multi-factor authentication across the University by surname because:
- It will distribute the workload required from the IT Support Desk
- This is a simpler way to create batches of users than identifying someone by, for example, their department or college, where people can have multiple affiliations
- It will save confusion if people can easily identify which migration group they fall in, based on the first letter of their surname, rather than department or college affiliation
Any new member of staff or student who joins the University during the A-Z deployment will automatically have MFA enabled.
What second factor authentication options are available?
You can receive your second factor authentication code using the following methods:
- Using the Microsoft authenticator app on your mobile phone in one of two modes:
- Push notifications, where you start the sign-in on the device you are logging into and the app on your phone prompts you to accept ("yes") or reject ("no") that sign-in
- Time-based One-time Password (TOTP), where you generate a code using the authenticator app and manually enter it on the device you are logging into when prompted
- Receiving an SMS on your mobile phone, with a code that you enter on the device you are logging into
- Requesting a phone call on a landline or mobile phone, which automatically reads out the code to you, which you then enter manually on the device you are logging into (all phone numbers in all countries will work for this method)
- Using a hardware token, which your department or college can purchase for you. For information on hardware tokens and recommended suppliers see FAQs below
From a security perspective, Infosec strongly recommends using the strongest second factor method available to you. Push notifications are recommended as the most secure option, and you are advised to make this your primary authentication method; only approve a push prompt for a sign-in you have just started yourself, and answer "no" to any prompt you did not initiate. SMS and phone calls should only be used where no other method is available.
NOTE: The QR code for registering the authenticator app will become available when MFA is enabled for you, or you can add your authenticator at any time by going to the Microsoft My Sign-ins page.
How often will I be required to enter a code?
How often you are required to authenticate depends on individual circumstances, such as the device you are logging in from, your physical location and the applications you are using. If MFA detects a change in any of these it will request authentication again, to confirm that you are who you say you are.
Will I be allowed to set up and use multiple methods or devices (in case one is unavailable)?
Yes, it's recommended that you register multiple verification methods. When one method isn't available, you can choose to authenticate with another method.
How do I set up more than one authentication method at the time of registering?
1. Go to the Microsoft Account page
2. Click Security Info
3. On the security info page click +Add Method
4. Select the method, e.g. Security Key
What if I am in a building with no Wi-Fi, how will I receive my second factor code?
When setting up multi-factor authentication, choose the option in the mobile app that generates a one-time passcode (TOTP). The code is computed on the phone from the shared secret and the current time, so it needs no mobile data or Wi-Fi connectivity.
The Microsoft Authenticator app is available for Android and iOS
What will the recommendation be for users working from home with no smart phone, or with no mobile signal?
You can choose to receive your code via a landline number, if you have one. If you have a smartphone but no mobile signal, you can authenticate over Wi-Fi, or use the authenticator app's one-time passcode, which needs no connection at all.
If you have no landline, smart phone or signal available, then you will require a hardware token.
Is it possible to have the same phone number associated with multiple accounts, e.g. for staff who have access to project accounts as well as their personal account?
Yes - it is possible to set up the same phone number for different accounts (this works for mobile numbers too), but the call gives no indication of which account you are signing into, so only answer a call you are expecting.
If a landline has forwarding set up on it for example, Chorus desktop landline to a mobile number, will the telephone authentication work?
Ensure unconditional forwarding is set (not 'forward on no reply'); the call will then forward immediately with no delay. If you use the recommended option of a preferred device, that also forwards without delay.
- click 'Call me' on the second factor page
- phone rings
- pick up the phone
- automated message "Thank you for using the Microsoft’s sign-in verification system. Please press the hash key to finish your verification." (you don't actually have to listen to this whole message)
- press hash key
- login completes / incoming call hangs up.
You will have around 30 seconds to press the hash key from the time that you pick up the incoming call (or around 15 seconds to press hash if you choose to listen to the whole message).