Multi-Factor Authentication for IT Support Staff

On 10 November, the existing Webauth login page, where you sign in with your SSO, was replaced with an Oxford-branded Microsoft login page.

You will also be required to follow the University password policy, when you are next prompted to change your password, which we hope will also improve security for SSO account users.

A second step will be added to all SSO accounts, deployed alphabetically by surname from January 2021. You will be required to enter a code to authenticate your account.

You can receive this code using any of the following methods:

  • Using the Microsoft authenticator app on your mobile phone in one of two modes:
  • Push notifications, where you request the authentication on the device you are logging into, and the app pops up with “yes” or “no” to accept the authentication
  • Time-based One-time Password (TOTP), where you generate a code using the authenticator app and manually enter it on the device you are logging into when prompted (no WI-FI required)
  • Receiving an SMS on your mobile phone, with a code that you enter on the device you are logging into
  • Requesting a phone call on a landline or mobile phone, which automatically reads out the code to you, which you then enter manually on the device you are logging into (all phone numbers in all countries will work for this method)
  • Using a hardware token, which your department or college can purchase.

    A hardware token is a dedicated physical device held by an authorised user and is used, in addition to a password, to grant access to computer resources

    Once multi-factor authentication is enabled on your account, you must initially set-up one other multi-factor authentication methods (Authenticator App, phone call or SMS) prior to adding a hardware token.

    The University will support the use of FIDO2 Hardware tokens, please talk to your local IT Support for more information.


Expand All

There is an increased and growing cyber threat to Universities. The University of Oxford has a particularly high profile leading the world with COVID-19 research and we are under continuous cyberattack. The pandemic has brought additional risks with increased working from home, accessing University information from a variety of devices.  

  • In the last 10 months, over 1600 of our colleagues have been presented with convincing fake Webauth pages,  quite understandably for busy people, have then typed in their SSO and password giving access to their account, data sets and University services to a cyber-criminal
  • The University experienced a serious but contained Ransomware outbreak in January 2020 and that business unit has only recently completed its recovery.  Weak authentication played a role in both the initial intrusion and spread of the malware. 
  • There is significant global interest in our Covid research.  A successful cyber intrusion could disrupt clinical trials timetables if a regulator was concerned about the integrity of trials data.  At worst, it could require trials to be repeated.
  • MFA is a key action in the October 2020 Internal Audit report as a requirement for secure remote working

Therefore, it is vital for us to secure our accounts and systems, now more than ever. Multi-factor authentication is now common across many organisations. It will ‘double-lock’ our systems to protect Oxford’s unique information. 

Contact & further information

If you have any general questions regarding the implementation of multi-factor authentication please email the project team

For any IT support with multi-factor authentication, please contact the IT Service Desk 01865 (6)12345