What can I expect when MFA is deployed on my Oxford SSO account?
MFA will be deployed on your SSO account by 6am on your go live day.
Once MFA has been applied to your SSO account, any applications that you are currently logged into, including Azure-based services such as Outlook, OWA, Teams, OneDrive, Office, SharePoint Online and Dynamics365, will begin to prompt for multi-factor authentication. Therefore we recommend you close these applications prior to your MFA being enabled to ensure a smooth experience.
There is NO requirement to shut down your machine prior to MFA being deployed (especially if you are using a remote desktop).
We strongly advise that you set up authentication methods prior to MFA being deployed on your account and, if possible, select two methods that don’t rely on the same device, for example a mobile app and a landline.
When do I get prompted for MFA?
MFA prompts should be expected at the start of each session. Over time, with repeated use of the same devices from the same locations, these prompts may decrease in frequency. Some systems may prompt for MFA more often than others, and unusual account activity may also increase the frequency of MFA prompts. Simply changing or staying on the same IP address is not enough on its own to either trigger or suppress MFA prompts.
MFA prompts should be expected when you first log into a service or app that requires your SSO login. However, how often you are asked to verify with MFA will vary depending on what service you are using and whether you are using a browser or an app.
Browser-based sessions will time out, depending on which service you are accessing:
- Azure login based services, which include Outlook, Outlook Web Access (OWA), Teams, OneDrive, Office, SharePoint Online, Dynamics365, Teams Web Client, should persist for seven days, which means you should only be asked to verify with MFA every seven days
- Shibboleth protected resources, such as CoSy, TeamSeer or Clarity, should persist for 11 hours, which means you will be asked to verify with MFA every 11 hours
If you close your browser, you will be asked to verify again with MFA.
If you log in using a browser for one service, you shouldn't need to verify with MFA for other services in the same browser (including on other tabs) until the session expires or the browser is closed.
If you use several different browsers, such as Chrome, Firefox or Edge, you will be prompted to authenticate after timeout for each browser session.
In addition to the above, some services may require you to refresh your login more frequently, and these rules are imposed by the individual services. For example, Outlook Web Access (OWA) logs you out after 8 hours of inactivity.
Applications, unlike browsers, have a 90 day rolling token, which means that you should not be asked to verify with MFA if you use an app more frequently than every 90 days. Any changes that cause you to log in again, such as a software update, will trigger MFA verification.
Examples of such applications are:
- Outlook (Windows, Android, Mac/iOS)
- Mac Mail
- Office applications
- Teams on Windows (NB: not web version)
- OneDrive client for Windows
- Flow app for Mobile Devices
Note: Teams on Linux behaves like a browser application and, as such, session times act in line with the browser session of seven days.
What devices and platforms are compatible with MFA?
Up-to-date details of which devices and platforms are compatible with MFA are available on the main MFA page on the IT Help website.