Multi-Factor Authentication Project


We are implementing multi-factor authentication (MFA) for all Single Sign-On (SSO) users across the University. This means you will be asked to verify your account using a second factor, such as a text message, code from an app on your phone or a phone call. How often you are required to authenticate will depend on individual circumstances such as what device you are logging in from, your physical location and what applications you are using.

SSO credentials, based only on a username and password, are vulnerable to phishing attacks which, when successful, give an attacker direct access to confidential or sensitive information.

The University has been at particularly high risk of cyber-attack during the pandemic, both because people are working from home using multiple devices to connect to work accounts and because the University has become a target due to its high-profile COVID-19 research.

Cyber-attacks have caused serious damage to other universities in the UK recently and early indications highlight that weak authentication played a role in the success of these attacks.

The key driver for this project is to reduce the number of confirmed security incidents by adding this extra layer of security to your logins.

Account compromises across the University risk the following:

  • Financial loss through cyber fraud
  • A personal data breach
  • Complex cyber-attacks
  • Damage or loss of research / clinical trials data
  • Reputational damage to the University
  • Infrastructure abuse damaging our ability to send and receive email

We are therefore fast-tracking the implementation of multi-factor authentication for all SSO users across the University – staff and students – to attempt to reduce the risks to the services that we rely on daily.

We understand that this new system will cause inconvenience to people, but we hope that this disruption can be weighed against the potential disruption caused by a successful cyber-attack against the University.

The project will be delivered in two stages:

Stage 1: Replacing the SSO login page

On 10 November, the current Webauth login page, where you sign in with your SSO, was replaced with an Oxford-branded Microsoft login page.

You will also be required to follow the University password policy when you are next asked to change your password, which we hope will also improve security for SSO account users.

Stage 2: Second step authentication

A second step will be added for logging in with your SSO. You will need to enter a code, similarly to how you might already log in to secure services such as online banking.

You can receive this code using any of the following methods:

  • Using the Microsoft Authenticator app on your mobile phone in one of two modes:
    • Push notifications, where you request the authentication on the device you are logging into, and the app pops up with “yes” or “no” to accept the authentication
    • Time-based One-time Password (TOTP), where you generate a code using the authenticator app and manually enter it on the device you are logging into when prompted
  • Receiving an SMS on your mobile phone, with a code that you enter on the device you are logging into
  • Requesting a phone call on a landline or mobile phone, which automatically reads out the code for you to enter manually on the device you are logging into (all phone numbers in all countries will work for this method)
  • Using a hardware token, which your department or college can purchase

Once you receive the code, you enter this into the required field when prompted. Once the second factor is activated, the requirement to enter a code again will depend on individual circumstances such as devices, settings and location.

This has already been enabled for pilot groups and early adopters. The project team are now preparing for a University-wide deployment.

Everyone at the University who has an SSO account experienced the first factor change at the same time on 10 November 2020. Implementation of the second factor step was first enabled for a pilot group of users and early adopters on 11 and 17 November 2020.

In January 2021, MFA will start to be enabled on a surname (A-Z) basis (for example, if your surname is Maynard-Smith, you will have second factor enabled in release group M). The timetable for these batches will be shown here once the dates have been determined.

If you would like to have MFA deployed prior to the A-Z rollout, please complete a Service Request. MFA will be enabled on the requested account each weekday after 5pm. These requests may take up to two days to process. You will receive an email when your Service Request has been actioned. A typical request timeline is shown below:

  • Monday 3pm - Service Request received by the Service Desk
  • Tuesday 11:30am - Service Request processed by Service Desk. Requestor receives email informing them that their request has been fulfilled
  • Tuesday after 5pm - MFA is enabled on the requested account

Please be aware that if your Service Request is processed by the Service Desk after 4pm, MFA may be enabled on the next weekday evening.

The key outcomes for the project are:

  • A 95% uptake of staff and students (excluding exemptions) who have SSO accounts successfully registered with MFA and logging in with a second factor.
  • Over the next 12 months everyone with an SSO account has successfully changed their password following the new password guidelines.
  • The University can record a reduction in the number of successful phishing and cyber attacks.



See all the multi-factor authentication FAQs here.

Contact & further information

If you have any questions regarding the implementation of multi-factor authentication, please email the project team.