Multi-Factor Authentication Project

What is Multi-factor authentication?

The University is implementing multi-factor authentication (MFA) for all Oxford Single Sign-On (SSO) users across the University. This means you will be asked to verify your account using a second factor, such as a code from an app on your phone, text message, or a phone call.

From January 2021, MFA has been rolled out to all SSO accounts, by surname.

What's already happened?

On 10 November, the existing Webauth login page, where you sign in with your SSO, was replaced with an Oxford-branded Microsoft login page.

When you are next prompted to change your password, you will also be required to follow the University password policy, which we hope will also improve security for SSO account users.

How does MFA work?

You can verify your account using any of the following methods:

  • Using the Microsoft Authenticator app on your mobile phone
  • Receiving an SMS on your mobile phone
  • Requesting a phone call on a landline or mobile phone
  • Using the Authy desktop authenticator app
  • Using a hardware token

There is more detail about how to set up each of these methods before your MFA deployment date on the How to prepare for MFA page.

If you already have MFA on your SSO account, there is guidance for setting up more authentication methods on the MFA: Help and guidance page on the IT Help website.

If you have a new phone, there is a guide for setting up MFA on a new mobile phone.

Secondary accounts

We will be enabling MFA on secondary accounts from May 2021 - please see the Secondary accounts page for information about reviewing your secondary accounts and preparing for MFA.

MFA Pages

There is an increased and growing cyber threat to universities. The University of Oxford has a particularly high profile, leading the world with COVID-19 research, and we are under continuous cyberattack. The pandemic has brought additional risks, with increased working from home and University information being accessed from a variety of devices.

  • In the last 10 months, over 1600 of our colleagues have been presented with convincing fake Webauth pages and, quite understandably for busy people, have then typed in their SSO and password, giving a cyber-criminal access to their account, data sets and University services.
  • The University experienced a serious but contained ransomware outbreak in January 2020 and that business unit has only recently completed its recovery. Weak authentication played a role in both the initial intrusion and spread of the malware.
  • There is significant global interest in our COVID-19 research. A successful cyber intrusion could disrupt clinical trial timetables if a regulator was concerned about the integrity of trials data. At worst, it could require trials to be repeated.
  • MFA is a key action in the October 2020 Internal Audit report as a requirement for secure remote working.

Therefore, it is vital for us to secure our accounts and systems, now more than ever. Multi-factor authentication is now common across many organisations. It will ‘double-lock’ our systems to protect Oxford’s unique information.

What is an app password?

An App Password is required in situations where you use apps or older devices that are incompatible with the multi-factor authentication method (see list for more information). The App Password proves to the system that you have multi-factor authentication set up. When accessing an older application, such as Outlook 2013, you will be prompted for your multi-factor authentication details.

App Passwords can only be set up once your initial multi-factor authentication method has been set up, such as the authenticator app or a phone (refer to guides under ‘help and guidance’).

You must enter the App Password in place of your Single Sign-On password for the application or device you have created it for.

You can create up to 40 App Passwords. Each App Password is unique to an application.

Once this is done you will no longer be prompted for MFA for that specific application.

How do I enable an app password?

To enable an App Password for a personal or generic/secondary email account, please use the App Password Enablement – Multi-Factor Authentication (MFA) service request.

For more information please visit the IT Help page, read the guide ‘Setting up App Passwords’ or watch the short video (available soon).

There are technical FAQs for IT support staff.

We also encourage ITSS to join the ITSS Community Teams forum (MFA channel) where you can communicate with the MFA project team and also find recordings of recent ITSS MFA briefings together with full slide decks.

Full MFA rollout details for ITSS are available on the ITSS Wiki, as well as a section summarising information relevant to MFA, aimed at supporting users.

Contact & further information

If you have any general questions regarding the implementation of multi-factor authentication, please email the project team.

For any IT support with multi-factor authentication, please talk to your local IT support in the first instance. If you are unable to resolve your issue, contact the IT Service Desk on 01865 (6)12345.