How to prepare for MFA

Setting up MFA in advance

Setting up multi-factor authentication in advance of your deployment date

To set up your multi-factor authentication methods you need to visit the Microsoft MyAccount page. These steps must be completed regardless of which authentication method you choose.

We strongly recommend that you set up more than one method and select methods that don’t rely on the same device, for example the authenticator app and a landline number.

Once you have set up a method you will be required to authenticate with it each time you visit the Microsoft MyAccount page.

Please note that the app password option is not available until after your account has been enabled with MFA.

Accessing the Microsoft MyAccount Page

  1. Go to mysignins.microsoft.com/security-info
  2. If you have never signed in before you will see the Microsoft Sign In page. The page asks for your email address but you must enter your Oxford Single Sign-On username. Your username will need to be entered as follows: abcd1234@OX.AC.UK (where abcd1234 is your existing SSO username)

  3. If you have signed in before you will see a list of previously used SSO accounts. Click on your account or, if required, click Use Another Account (if you choose Use Another Account, you will then need to enter your SSO username as described in step 2)
  4. If you are currently logged in but want to log in with a different account, you first need to sign out from the "my account" drop down in the top right corner of the page
  5. The Oxford Single Sign-On password page appears. Enter your Single Sign-On password
  6. The Security info page will display. There will be a message saying ‘No items to display’

At this stage you need to decide which method of multi-factor authentication you want to set up. Your choices are:

  • Authenticator App (Microsoft or alternative)
  • Phone
  • Authy
  • Alternative Phone
  • App Password (once MFA has been enabled)
  • Security key
  • Office Phone

You can set up more than one method; in fact, we encourage you to set up at least two methods.

Click on the corresponding header below to learn how to set up your preferred method. There are videos available on the MFA: Help and guidance page and on the Microsoft website to demonstrate how to set up the various multi-factor authentication methods. We have also made a list of pros and cons of each authentication method.

    The Microsoft Authenticator App is one version of an Authenticator App that can be used for multi-factor authentication. It is the default choice for an authenticator app when setting up multi-factor authentication at the University. Follow the steps below to discover how to set it up (once installed do NOT delete the app):

    1. Ensure that the Microsoft Authenticator App is installed on a device of your choice (get this from your app store)
    2. Return to your computer. At the top of the Security info page click +Add Method
    3. In the drop-down menu select Authenticator App
    4. Click Add
    5. The Microsoft Authenticator box will appear. Click Next
    6. Return to the device where the authenticator app is installed. Allow notifications if prompted. Click the + symbol in the top right corner
    7. In the Add Account screen click Work or School
    8. Return to your computer, click Next
    9. A QR code will display on your computer screen. Use the camera in the app to scan the QR code.
    10. On the computer click Next
    11. A notification will be sent to the app. Click Approve on your device. (You may be required to unlock your phone or tablet to authorise the app)
    12. Return to the computer. A notification approved message will display. Click Next
    13. A green confirmation message will appear in the top corner of the screen confirming that the app has been set up. Microsoft Authenticator will appear in the list as a registered method

    When multi-factor authentication is enabled for you, this will be the process by which you verify your identity.

    It is not a mandatory requirement for the Microsoft Authenticator App to be used and alternative authenticator apps can be used for multi-factor authentication. Follow the steps below to discover how to set one up:

    1. Ensure that your chosen Authenticator App is installed on a device of your choice (get this from your app store)
    2. Return to your computer. At the top of the Security info page click +Add Method
    3. In the drop-down menu, select Authenticator App
    4. Click Add
    5. The Microsoft Authenticator box will appear. Towards the bottom of the box, click I want to use a different authenticator app
    6. Return to the device where the authenticator app is installed. Complete the process to add a new account
    7. Return to your computer, click Next
    8. A QR code will display on your computer screen. Use the camera in the app to scan the QR code
    9. Complete the account set-up
    10. Complete the test of your multi-factor authentication method (code or notification)
    11. A green confirmation message will appear in the top corner of the screen confirming that the app has been set 

    When multi-factor authentication is enabled for you, this will be the process by which you verify your identity.

    A mobile device that is capable of receiving text messages can be used for multi-factor authentication. Follow the steps below to discover how to set it up:

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Phone
    3. Click Add
    4. In the country drop-down menu select the country where the phone is registered
    5. In the phone number field, enter the telephone number
    6. Check that the button next to ‘Text me a code’ is selected
    7. Click Next
    8. A text message will be sent to the number you have chosen. Enter the six digit code on the screen
    9. A notification window will display informing you that the phone was registered successfully
    10. Click Done
    11. Phone will appear in the list as a registered method

    A mobile device that is capable of receiving phone calls can be used for multi-factor authentication. Follow the steps below to discover how to set it up:

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Phone
    3. Click Add
    4. In the country drop-down menu select the country where the phone is registered
    5. In the phone number field, enter the telephone number
    6. Click the radio button next to ‘Call me’
    7. Click Next
    8. The number that you have set up will be called by Microsoft. Answer the call
    9. The call will contain an automated message. Press the # key when instructed (note: the voice may say "pound" or "hash" but always press the #)
    10. A notification window will display informing you that the phone was registered successfully
    11. Click Done
    12. Alternative Phone will appear in the list as a registered method

    These steps will show you how to set up the Authy desktop app. Authy is a free application which provides a secure way to protect your online accounts. There is no requirement for an administrative password to authorise the installation and it will not be found in the Oxford Applications installer either.

    Authy is compatible with every operating system.

    1. Use the link to download Authy
    2. Scroll to the bottom so you can see the desktop box
    3. If you are on a Windows machine and are unsure if it is 32bit or 64bit, search your computer for the control panel. When in the control panel click System and Security, then click System. The system type will be detailed on that page
    4. Click Download
    5. Choose a place on your PC to save the download file. It may take a few minutes to download
    6. Once the download is complete, open the application
    7. Click Run
    8. In the Twilio Authy Account Setup screen select the country that your phone is registered in or enter the plus code if you know it.
    9. Enter your telephone number
    10. In the email field, enter a contact email address which can be used to contact you should you ever lose access to your Twilio Authy account. This does not have to be your Oxford email address
    11. Click Next
    12. Choose whether to verify by SMS or Phone Call.
    13. If you choose SMS, you will receive a text message with a 6-digit pin which you need to enter in the box on the screen. If you choose Phone Call, you will receive an automated phone call. At the same time, a 2-digit pin will appear on the screen. Enter the pin on the phone’s keypad.
    14. The Authy account screen will populate.
    15. Go to the Microsoft Security Info page
    16. You may be required to enter your SSO information and complete your MFA process
    17. Click Add Method
    18. Choose Authenticator App in the drop-down menu
    19. Click Add
    20. The Microsoft Authenticator dialogue box appears. Click I want to use a different authenticator app
    21. Click Next
    22. Because you are adding a desktop application you cannot scan the QR code. Click Can’t scan image
    23. Enter the Secret key code into the Authy App Account page
    24. Click Add Account
    25. In the Authy App, enter an Account Name (e.g. Nexus365)
    26. Select a logo to go with your account
    27. Leave the Token length as 6-digit
    28. Click Save
    29. The Authy app screen will show your chosen logo, account name and a 6-digit code which changes every 30 seconds
    30. Go back to the Microsoft Sign-Ins screen and click Next
    31. Enter the 6-digit code
    32. Click Next
    33. Authenticator App will now appear in the list of registered methods.
    34. If you have more than one multi-factor authentication method and you want to use the Authy app, you must select it as your default sign-in method. 
    35. Go to the Microsoft Security Info page
    36. At the top of the screen is the default sign-in method
    37. Click Change
    38. In the Change default method screen, use the drop-down menu to select Authenticator App or hardware token – code
    39. Click Confirm
    40. A green confirmation message will appear on the screen informing you that your default sign-in method has been changed

     PDF guide of how to install Authy

    These steps will show you how to set up the Authy mobile app (It can also be installed on your desktop or laptop). Authy is a free application which provides a secure way to protect your online accounts.

    1. Go to the App Store/Play Store on your mobile device.
    2. Search for Authy
    3. Install the application.
    4. Open Authy on your device
    5. You need to enter a telephone number for verification purposes. Tap the Code area and search for the Country to which the phone number you want to enter is registered (+44 for United Kingdom).
    6. When you have found the Country, tap it to select it.
    7. Tap the Cellphone number area and enter the telephone number
    8. In the email field, enter a contact email address which can be used to contact you should you ever lose access to your Twilio Authy Account. This does not have to be your Oxford email address
    9. Click OK
    10. The Account Verification screen will display. Choose whether to verify by SMS or Phone Call.
    11. If you choose SMS, you will receive a text message with a 6-digit pin which you need to enter in the box on the screen
    12. If you choose Phone Call, you will receive an automated phone call. The automated voice will read out a 4-digit code, up to three times. End the phone call and enter the pin on the screen.
    13. The Authy account screen will populate.
    14. Go to the Microsoft Security Info page
    15. You may be required to enter your SSO information and complete your MFA process
    16. Click Add Method
    17. Choose Authenticator App in the drop-down menu
    18. Click Add
    19. The Microsoft Authenticator dialogue box appears. Click I want to use a different authenticator app
    20. Click Next
    21. On your mobile device click Scan QR Code
    22. Use your mobile device to scan the QR code. You may have to give permission for the app to access your camera
    23. In the Authy app, the Secure Backups page will display in the app. Enter a password so that Authy can back up your account
    24. Tap Edit logo if you want to change the logo for the account
    25. Enter an Account Name (e.g. Nexus365)
    26. Click Save
    27. The Authy app screen will show your chosen logo, account name and a 6-digit code which changes every 30 seconds.
    28. Go back to the Microsoft Sign-Ins screen and click Next
    29. Enter the 6-digit code
    30. Click Next
    31. Authenticator App will now appear in the list of registered methods.
    32. If you have more than one multi-factor authentication method and you want to use the Authy app, you must select it as your default sign-in method. 
    33. Go to the Microsoft Security Info page
    34. At the top of the screen is the default sign-in method
    35. Click Change
    36. In the Change default method screen, use the drop-down menu to select Authenticator App or hardware token – code
    37. Click Confirm
    38. A green confirmation message will appear on the screen informing you that your default sign-in method has been changed.

    Note: Every installation of Authy on a desktop, laptop or mobile device will need to be set up as a separate authenticator in the Microsoft Security Info page.

    An alternative device that is capable of receiving phone calls, such as a landline telephone number, can be used for multi-factor authentication. Follow the steps below to discover how to set it up:

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Phone
    3. Click Add
    4. In the country drop-down menu select the country where the phone is registered
    5. In the phone number field, enter the telephone number
    6. The radio button next to ‘Call me’ is already selected
    7. Click Next
    8. The number that you have set up will be called by Microsoft. Answer the call
    9. The call will contain an automated message. Press the # key when instructed (note: the voice may say "pound" or "hash" but always press the #)
    10. A notification window will display informing you that the phone was registered successfully
    11. Click Done
    12. Alternative Phone will appear in the list as a registered method

    An App Password is required in situations where you use apps or older devices that are incompatible with the multi-factor authentication method. An app password is a special password which you generate via your Security info page and thus proves to the system that you have multi-factor authentication set-up. When accessing an older application, such as Outlook 2013, you need to use an app password in place of your Single Sign-On password.

    You can create up to 40 app passwords. Each app password should be unique to an application or device for greater security. Please ensure when creating app passwords you follow University guidelines for creating strong passwords and don’t reuse passwords across multiple applications/devices.

    Once you have entered an app password into an application you will no longer be prompted for MFA for that specific application.

    The ability to create App Passwords is not enabled by default, so you must request that App Password be enabled via the Service Desk, using the Self-Service catalogue.

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select App Password
    3. Click Add
    4. Enter a name that helps differentiate this App Password from any others you might have
    5. Click Next
    6. The App Password will be created
    7. Copy the password and keep it in a safe place
    8. Click Done
    9. App Password will appear in the list as a registered method

    A hardware token is a dedicated device used to authenticate in a password-less flow, i.e., once set up it can be used (with a PIN) in place of the first factor (username and password) plus a second-factor code.

    Before you can set up a hardware token on your account, you must first set up another method of authentication.

    The University will support the use of FIDO2 Hardware tokens. Departments, colleges or individuals will need to purchase and fund their preferred type of FIDO2 token themselves. Visit the project FAQs for more information on how to purchase or obtain a hardware token.

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Security Key
    3. Click Add
    4. Choose USB device
    5. Click Next
    6. Plug the security key into your computer
    7. Enter the security key PIN into the box. Make sure it is a PIN that you remember
    8. Confirm the security key
    9. Enter a name for your security key
    10. Click Next
    11. The system will confirm that the hardware token is set up appropriately 
    12. Click Done
    13. The security key will appear in the list as a registered method

    A hardware token is a dedicated device used to authenticate in a password-less flow, i.e., once set up it can be used (with a PIN) in place of the first factor (username and password) plus a second-factor code.

    Before you can set up a hardware token on your account, you must first set up another method of authentication.

    The University will support the use of FIDO2 Hardware tokens. Departments, colleges or individuals will need to purchase and fund their preferred type of FIDO2 token themselves. Visit the project FAQs for more information on how to purchase or obtain a hardware token.

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Security Key
    3. Click Add
    4. Choose NFC device
    5. Click Next
    6. Touch the NFC token to confirm that you are using it
    7. Confirm the security key
    8. Enter a name for your security key
    9. Click Next
    10. The system will confirm that the security key is set up appropriately
    11. The security key will appear on your security info page

    Your office phone can be used as a device for multi-factor authentication. Follow the steps below to discover how to set it up:

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Phone
    3. Click Add
    4. In the country drop-down menu select the country where the phone is registered
    5. In the phone number field, enter the telephone number
      Note: Your Chorus telephone number may already be populated on the screen
    6. The radio button next to ‘Call me’ is already selected
    7. Click Next
    8. The number that you have set up will be called by Microsoft. Answer the call
    9. The call will contain an automated message. Press the # key when instructed (note: the voice may say "pound" or "hash" but always press the #)
    10. A notification window will display informing you that the phone was registered successfully
    11. Click Done
    12. Alternative Phone will appear in the list as a registered method

    What can I expect?

    What can I expect when MFA is deployed on my Oxford SSO account?

    MFA will be deployed on your SSO account by 6am on your go live day.

    Once MFA has been applied to your SSO account, any applications that you are currently logged into, including Azure-based services such as Outlook, OWA, Teams, OneDrive, Office, SharePoint Online and Dynamics365, will begin to prompt for multi-factor authentication. Therefore we recommend you close these applications prior to your MFA being enabled to ensure a smooth experience.

    There is NO requirement to shut down your machine prior to MFA being deployed (especially if you are using a remote desktop).

    We strongly advise that you set up authentication methods prior to MFA being deployed on your account and, if possible, select two methods that don’t rely on the same device, for example a mobile app and a landline.

    When do I get prompted for MFA?

    MFA prompts should be expected at the start of each session. Over time, with repeated use of the same devices from the same locations, these prompts may decrease in frequency. Some systems may prompt for MFA more often than others, and unusual account activity may also increase the frequency of MFA prompts. Simply changing or staying on the same IP address is not enough on its own to either trigger or suppress MFA prompts.

    MFA prompts should be expected when you first log into a service or app that requires your SSO login. However, how often you are asked to verify with MFA will vary depending on what service you are using and whether you are using a browser or an app.

    Browsers

    Browser based sessions will timeout, depending on which service you are accessing:

    • Azure login based services, which include Outlook, Outlook Web Access (OWA), Teams, OneDrive, Office, SharePoint Online, Dynamics365, Teams Web Client, should persist for seven days, which means you should only be asked to verify with MFA every seven days
    • Shibboleth protected resources, such as CoSy, TeamSeer or Clarity, should persist for 11 hours, which means you will be asked to verify with MFA every 11 hours

    Notes:

    • If you close your browser, you will be asked to verify again with MFA

    • If you log in to one service in a browser, you shouldn't need to verify with MFA for other services in the same browser (including on other tabs) until the session expires or the browser is closed

    • If you use several different browsers, such as Chrome, Firefox or Edge, you will be prompted to authenticate after timeout for each browser session

    • In addition to the above some services may require you to refresh your login more frequently and these rules are imposed by the individual services. For example Outlook Web Access (OWA) logs you out after 8 hours of inactivity

    Apps

    Applications, unlike browsers, have a 90 day rolling token, which means that you should not be asked to verify with MFA if you use an app more frequently than every 90 days. Any changes that cause you to log in again, such as a software update, will trigger MFA verification.

    Examples of such applications are:

    • Outlook (Windows, Android, Mac/iOS)
    • Mac Mail
    • Office applications
    • Teams on Windows (NB: not web version)
    • OneDrive client for Windows
    • Flow app for Mobile Devices

    Note: Teams on Linux behaves like a browser application and, as such, session times act in line with the browser session of seven days.

    What devices and platforms are compatible with MFA?

    Up to date details of which devices and platforms are compatible with MFA are available on the main MFA page on the IT Help website.

    Early enablement, delay and exemption

    How do I request early enablement, a delay or an exemption?

    To reduce any disruption to you, it is really important that you check your MFA deployment date against existing commitments in your diary:

    • Are you traveling for work? 
    • Do you have exams? 
    • Deadlines to meet? 
    • Are you working on highly confidential research or materials and would like your account protected sooner?

    Early enablement

    If you would like to have MFA deployed on your account prior to your current deployment date, please complete a Service Request. MFA will be enabled on the requested account each weekday after 5pm. These requests may take up to two days to process. You will receive an email when your Service Request has been actioned. A typical request timeline is shown below:

    • Monday 3pm - Service Request received by the Service Desk
    • Tuesday 11:30am - Service Request processed by Service Desk. Requestor receives email informing them that their request has been fulfilled
    • Tuesday after 5pm - MFA is enabled on the requested account

    Please be aware that if your Service Request is processed by the Service Desk post 4pm you may be enabled on the next weekday evening.

    Delay

    If you need to delay multi-factor authentication being deployed on your account for exceptional circumstances, you will need to complete a Service Desk request (this can be completed on your behalf).

    You can only delay MFA until the end of the deployment schedule, currently March 2021.

    Exemption

    A very small number of users may not be able to use multi-factor authentication due to exceptional circumstances, such as accessibility issues. In these exceptional circumstances, individuals can request an exemption.

    If you think you require an exemption please speak to your local IT support in the first instance to discuss all the options available for multi-factor authentication.

    To request an exemption from MFA please complete a service desk request.

    This request must be authorised by a Head of Department (HoD), or equivalent before it can be processed.

    Troubleshooting

    Known troubleshooting issues

    The following behaviour would be unexpected once MFA has been deployed on your account:

    • Continuous frequent re-prompting for login credentials in the same session (unless a logout is being forced by a service you have active)
    • "Looping" in the MFA prompt (as a fix, try closing and retrying the login to the service, or clearing cookies in the browser)
    • "Sorry we’re having trouble with verifying your account" messages when trying to sign in with MFA – for example;
    1. When the default method of additional verification has been removed from the list of methods. Ensure you have a second method available at all times, use an alternative method as offered, and then change the default method in the MFA setup screen to a method that is valid.
    2. Or if you have multiple Microsoft accounts set up.

    If you encounter any of these issues and the advised fixes don't resolve the issue, please contact the IT Service Desk on 01865 (6)12345

    Contact & further information

    If you have any general questions regarding the implementation of multi-factor authentication, please email the project team at mfaproject@it.ox.ac.uk

    For any IT support with multi-factor authentication, please talk to your local IT support in the first instance. If you are unable to resolve your issue, contact the IT Service Desk on 01865 (6)12345