How to prepare for MFA

Setting up MFA in advance

Setting up multi-factor authentication in advance of your deployment date

To set up your multi-factor authentication methods you need to visit the Microsoft MyAccount page. These steps must be completed regardless of which authentication method you choose.

We strongly recommend that you set up more than one method and select methods that don’t rely on the same device, for example the authenticator app and a landline number.

Once you have set up a method you will be required to authenticate with it each time you visit the Microsoft MyAccount page.
 

Please note that the app password option is not available until after your account has been enabled with MFA.

Accessing the Microsoft MyAccount Page

 

  1. Go to mysignins.microsoft.com/security-info
  2. If you have never signed in before you will see the Microsoft Sign In page. The page asks for your email address but you must enter your Oxford Single Sign-On username. Your username will need to be entered as follows: abcd1234@OX.AC.UK (where abcd1234 is your existing SSO username)

  3. If you have signed in before you will see a list of previously used SSO accounts. Click on your account or, if required, click Use Another Account (if you choose Use Another Account, you will then need to enter your SSO username as described in step 2).
  4. The Oxford Single Sign-On password page appears. Enter your Single Sign-On password
  5. The Security info page will display. There will be a message saying ‘No items to display’

At this stage you need to decide which method of multi-factor authentication you want to set up. Your choices are:

  • Authenticator App (Microsoft or alternative)
  • Phone
  • Authy
  • Alternative Phone
  • App Password (once MFA has been enabled)
  • Security key
  • Office Phone

You can set up more than one method

Click on the corresponding header below to learn how to set up your preferred method. There are also videos available to demonstrate how to set up multi-factor authentication methods.

    The Microsoft Authenticator App is one version of an Authenticator App that can be used for multi-factor authentication. It is the default choice for an authenticator app when setting up multi-factor authentication at the University. Follow the steps below to discover how to set it up (once installed do NOT delete the app):

    1. Ensure that the Microsoft Authenticator App is installed on a device of your choice (get this from your app store)
    2. Return to your computer. At the top of the Security info page click +Add Method
    3. In the drop-down menu select Authenticator App
    4. Click Add
    5. The Microsoft Authenticator box will appear. Click Next
    6. Return to the device where the authenticator app is installed. Allow notifications if prompted. Click the + symbol in the top right corner
    7. In the Add Account screen click Work or School
    8. Return to your computer, click Next
    9. A QR code will display on your computer screen. Use the camera in the app to scan the QR code.
    10. On the computer click Next
    11. A notification will be sent to the app. Click Approve on your device. (You may be required to unlock your phone or tablet to authorise the app)
    12. Return to the computer. A notification approved message will display. Click Next
    13. A green confirmation message will appear in the top corner of the screen confirming that the app has been set up. Microsoft Authenticator will appear in the list as a registered method

    When multi-factor authentication is enabled for you, this will be the process by which you verify your identity.

    It is not a mandatory requirement for the Microsoft Authenticator App to be used and alternative authenticator apps can be used for multi-factor authentication. Follow the steps below to discover how to set one up:

    1. Ensure that your chosen Authenticator App is installed on a device of your choice (get this from your app store)
    2. Return to your computer. At the top of the Security info page click +Add Method
    3. In the drop-down menu, select Authenticator App
    4. Click Add
    5. The Microsoft Authenticator box will appear. Towards the bottom of the box, click I want to use a different authenticator app
    6. Return to the device where the authenticator app is installed. Complete the process to add a new account
    7. Return to your computer, click Next
    8. A QR code will display on your computer screen. Use the camera in the app to scan the QR code
    9. Complete the account set-up
    10. Complete the test of your multi-factor authentication method (code or notification)
    11. A green confirmation message will appear in the top corner of the screen confirming that the app has been set 

    When multi-factor authentication is enabled for you, this will be the process by which you verify your identity.

    A mobile device that is capable of receiving text messages can be used for multi-factor authentication. Follow the steps below to discover how to set it up:

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Phone
    3. Click Add
    4. In the country drop-down menu select the country where the phone is registered
    5. In the phone number field, enter the telephone number
    6. Check that the button next to ‘Text me a code’ is selected
    7. Click Next
    8. A text message will be sent to the number you have chosen. Enter the six digit code on the screen
    9. A notification window will display informing you that the phone was registered successfully
    10. Click Done
    11. Phone will appear in the list as a registered method

    A mobile device that is capable of receiving phone calls can be used for multi-factor authentication. Follow the steps below to discover how to set it up:

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Phone
    3. Click Add
    4. In the country drop-down menu select the country where the phone is registered
    5. In the phone number field, enter the telephone number
    6. Click the radio button next to ‘Call me’
    7. Click Next
    8. The number that you have set up will be called by Microsoft. Answer the call
    9. The call will contain an automated message. Press the # key when instructed
    10. A notification window will display informing you that the phone was registered successfully
    11. Click Done
    12. Alternative Phone will appear in the list as a registered method

    These steps will show you how to set up the Authy desktop app. Authy is a free application which provides a secure way to protect your online accounts. There is no requirement for an administrative password to authorise the installation and it will not be found in the Oxford Applications installer either.

    Authy is compatible with every operating system.

    1. Use the link to download Authy
    2. Scroll to the bottom so you can see the desktop box
    3. If you are on a Windows machine and are unsure if it is 32bit or 64bit, search your computer for the control panel. When in the control panel click System and Security, then click System. The system type will be detailed on that page
    4. Click Download
    5. Choose a place on your PC to save the download file. It may take a few minutes to download
    6. Once the download is complete, open the application
    7. Click Run
    8. In the Twilio Authy Account Setup screen select the country that your phone is registered in or enter the plus code if you know it.
    9. Enter your telephone number
    10. In the email field, enter a contact email address which can be used to contact you should you ever lose access to your Twilio Authy account. This does not have to be your Oxford email address
    11. Click Next
    12. Choose whether to verify by SMS or Phone Call.
    13. If you choose SMS, you will receive a text message with a 6-digit pin which you need to enter in the box on the screen. If you choose Phone Call, you will receive an automated phone call. At the same time, a 2-digit pin will appear on the screen. Enter the pin on the phone’s keypad.
    14. The Authy account screen will populate.
    15. Go to the Microsoft Security Info page
    16. You may be required to enter your SSO information and complete your MFA process
    17. Click Add Method
    18. Choose Authenticator App in the drop-down menu
    19. Click Add
    20. The Microsoft Authenticator dialogue box appears. Click I want to use a different authenticator app
    21. Click Next
    22. Because you are adding a desktop application you cannot scan the QR code. Click Can’t scan image
    23. Enter the Secret key code into the Authy App Account page
    24. Click Add Account
    25. In the Authy App, enter an Account Name (e.g. Nexus365)
    26. Select a logo to go with your account
    27. Leave the Token length as 6-digit
    28. Click Save
    29. The Authy app screen will show your chosen logo, account name and a 6-digit code which changes every 30 seconds
    30. Go back to the Microsoft Sign-Ins screen and click Next
    31. Enter the 6-digit code
    32. Click Next
    33. Authenticator App will now appear in the list of registered methods.
    34. If you have more than one multi-factor authentication method and you want to use the Authy app, you must select it as your default sign-in method. 
    35. Go to the Microsoft Security Info page
    36. At the top of the screen is the default sign-in method
    37. Click Change
    38. In the Change default method screen, use the drop-down menu to select Authenticator App or hardware token – code
    39. Click Confirm
    40. A green confirmation message will appear on the screen informing you that your default sign-in method has been changed

     PDF guide of how to install Authy

    These steps will show you how to set up the Authy mobile app (It can also be installed on your desktop or laptop). Authy is a free application which provides a secure way to protect your online accounts.

    1. Go to the App Store/Play Store on your mobile device.
    2. Search for Authy
    3. Install the application.
    4. Open Authy on your device
    5. You need to enter a telephone number for verification purposes. Tap the Code area and search for the Country to which the phone number you want to enter is registered (+44 for United Kingdom).
    6. When you have found the Country, tap it to select it.
    7. Tap the Cellphone number area and enter the telephone number
    8. In the email field, enter a contact email address which can be used to contact you should you ever lose access to your Twilio Authy Account. This does not have to be your Oxford email address
    9. Click OK
    10. The Account Verification screen will display. Choose whether to verify by SMS or Phone Call.
    11. If you choose SMS, you will receive a text message with a 6-digit pin which you need to enter in the box on the screen
    12. If you choose Phone Call, you will receive an automated phone call. The automated voice will read out a 4-digit code, up to three times. End the phone call and enter the pin on the screen.
    13. The Authy account screen will populate.
    14. Go to the Microsoft Security Info page
    15. You may be required to enter your SSO information and complete your MFA process
    16. Click Add Method
    17. Choose Authenticator App in the drop-down menu
    18. Click Add
    19. The Microsoft Authenticator dialogue box appears. Click I want to use a different authenticator app
    20. Click Next
    21. On your mobile device click Scan QR Code
    22. Use your mobile device to scan the QR code. You may have to give permission for the app to access your camera
    23. In the Authy app, the Secure Backups page will display. Enter a password so that Authy can back up your account
    24. Tap Edit logo if you want to change the logo for the account
    25. Enter an Account Name (e.g. Nexus365)
    26. Click Save
    27. The Authy app screen will show your chosen logo, account name and a 6-digit code which changes every 30 seconds.
    28. Go back to the Microsoft Sign-Ins screen and click Next
    29. Enter the 6-digit code
    30. Click Next
    31. Authenticator App will now appear in the list of registered methods.
    32. If you have more than one multi-factor authentication method and you want to use the Authy app, you must select it as your default sign-in method. 
    33. Go to the Microsoft Security Info page
    34. At the top of the screen is the default sign-in method
    35. Click Change
    36. In the Change default method screen, use the drop-down menu to select Authenticator App or hardware token – code
    37. Click Confirm
    38. A green confirmation message will appear on the screen informing you that your default sign-in method has been changed.

    Note: Every installation of Authy on a desktop, laptop or mobile device will need to be set up as a separate authenticator in the Microsoft Security Info page.
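
What the 'Secret key' and the 6-digit code in the Authy steps above correspond to, as an added example that is not part of the original guide and is not Microsoft's or Authy's code. It assumes the key is a Base32 TOTP seed as standardised in RFC 6238 (HMAC-SHA-1, 30-second step); the sample key is the RFC's published test key, not a real account secret, and `verify` with its `window` and `last_used_step` parameters is a hypothetical server-side helper.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # the guide: the code "changes every 30 seconds"
DIGITS = 6         # the guide: "Leave the Token length as 6-digit"

# Constructed sample: Base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_secret(secret_key: str) -> bytes:
    """Decode a Base32 secret key as a user would type it (spaces, lower case)."""
    cleaned = secret_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding if it was stripped
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA-1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_step(at: Optional[float] = None) -> int:
    """Number of whole 30-second steps since the Unix epoch."""
    now = time.time() if at is None else at
    return int(now // STEP_SECONDS)


def totp(secret_key: str, at: Optional[float] = None) -> str:
    """The 6-digit code an authenticator app shows at time `at`."""
    return hotp(decode_secret(secret_key), time_step(at))


def verify(secret_key: str, code: str, at: Optional[float] = None,
           window: int = 1, last_used_step: Optional[int] = None) -> Optional[int]:
    """Check a submitted code the way a verifier might (assumed policy).

    Accepts codes from `window` steps either side of the current step to
    tolerate clock drift, and rejects any step at or before `last_used_step`
    so that an observed code cannot be replayed. Returns the matched step
    (to be stored as the new last_used_step) or None.
    """
    key = decode_secret(secret_key)
    submitted = code.replace(" ", "").encode()
    current = time_step(at)
    for step in range(current - window, current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, step).encode(), submitted):
            return step
    return None


if __name__ == "__main__":
    print("code now:", totp(SAMPLE_SECRET_KEY))
    print("code at t=59:", totp(SAMPLE_SECRET_KEY, at=59))
```

The code is derived only from the secret key and the clock, which is why a device whose clock is wrong produces codes that are rejected and why the key shown during set-up should be treated like a password.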

    An alternative device that is capable of receiving phone calls, such as a landline telephone number, can be used for multi-factor authentication. Follow the steps below to discover how to set it up:

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Phone
    3. Click Add
    4. In the country drop-down menu select the country where the phone is registered
    5. In the phone number field, enter the telephone number
    6. The radio button next to ‘Call me’ is already selected
    7. Click Next
    8. The number that you have set up will be called by Microsoft. Answer the call
    9. The call will contain an automated message. Press the # key when instructed
    10. A notification window will display informing you that the phone was registered successfully
    11. Click Done
    12. Alternative Phone will appear in the list as a registered method

    An App Password is required in situations where you use apps or older devices that are incompatible with the multi-factor authentication method. An app password is a special password which you generate via your Security info page and thus proves to the system that you have multi-factor authentication set-up. When accessing an older application, such as Outlook 2013, you need to use an app password in place of your Single Sign-On password.

    You can create up to 40 app passwords. Each app password is unique to an application.

    Once you have entered an app password into an application you will no longer be prompted for MFA for that specific application.

     

    The ability to create App Passwords is not enabled by default, so you must request that App Passwords be enabled via the Service Desk, using the Self-Service catalogue.

     

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select App Password
    3. Click Add
    4. Enter a name that helps differentiate this App Password from any others you might have
    5. Click Next
    6. The App Password will be created
    7. Copy the password and keep it in a safe place
    8. Click Done
    9. App Password will appear in the list as a registered method

    A hardware token is a dedicated device used to authenticate in a password-less flow, i.e. once set up it can be used (with a PIN) instead of the first factor (username and password) plus the second-factor code.

    Once multi-factor authentication is enabled on your account you must initially set up one of the multi-factor authentication methods (Microsoft Authenticator App, phone or SMS). Information on how to set up a multi-factor authentication method can be found in the Help and guidance page on the IT Help website.

    The University will support the use of FIDO2 Hardware tokens. Departments, colleges or individuals will need to purchase and fund their preferred type of FIDO2 token themselves. Visit the project FAQs for more information on how to purchase or obtain a hardware token.

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Security Key
    3. Click Add
    4. Choose USB device
    5. Click Next
    6. Plug the security key into your computer
    7. Enter the security key PIN into the box. Make sure it is a PIN that you remember
    8. Confirm the security key
    9. Enter a name for your security key
    10. Click Next
    11. The system will confirm that the hardware token is set up appropriately 
    12. Click Done
    13. The security key will appear in the list as a registered method

    A hardware token is a dedicated device used to authenticate in a password-less flow, i.e. once set up it can be used (with a PIN) instead of the first factor (username and password) plus the second-factor code.

    Once multi-factor authentication is enabled on your account you must initially set up one of the multi-factor authentication methods (Microsoft Authenticator App, phone or SMS). Information on how to set up a multi-factor authentication method can be found in the Help and guidance page on the IT Help website.

    The University will support the use of FIDO2 Hardware tokens. Departments, colleges or individuals will need to purchase and fund their preferred type of FIDO2 token themselves. Visit the project FAQs for more information on how to purchase or obtain a hardware token.

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Security Key
    3. Click Add
    4. Choose NFC device
    5. Click Next
    6. Touch the NFC token to confirm that you are using it
    7. Confirm the security key
    8. Enter a name for your security key
    9. Click Next
    10. The system will confirm that the security key is set up appropriately
    11. The security key will appear on your security info page

    Your office phone can be used as a device for multi-factor authentication. Follow the steps below to discover how to set it up:

    1. At the top of the Security info page click +Add Method
    2. In the drop-down menu, select Phone
    3. Click Add
    4. In the country drop-down menu select the country where the phone is registered
    5. In the phone number field, enter the telephone number
      Note: Your Chorus telephone number may already be populated on the screen
    6. The radio button next to ‘Call me’ is already selected
    7. Click Next
    8. The number that you have set up will be called by Microsoft. Answer the call
    9. The call will contain an automated message. Press the # key when instructed
    10. A notification window will display informing you that the phone was registered successfully
    11. Click Done
    12. Alternative Phone will appear in the list as a registered method

    What can I expect?

    What can I expect when MFA is deployed on my Oxford SSO account?

    MFA will be deployed on your SSO account by 6am on your go live day.

    Once MFA has been applied to your SSO account, any applications that you are currently logged into, including Azure-based services such as Outlook, OWA, Teams, OneDrive, Office, SharePoint Online and Dynamics365, will begin to prompt for multi-factor authentication. Therefore we recommend you close these applications prior to your MFA being enabled to ensure a smooth experience.

    There is NO requirement to shut down your machine prior to MFA being deployed (especially if you are using a remote desktop).

    We strongly advise that you set up authentication methods prior to MFA being deployed on your account and if possible select two methods that don’t rely on the same device, for example a mobile app and a landline.

    When do I get prompted for MFA?

    MFA prompts should be expected at the start of each session. Over time, with repeated use of the same devices from the same locations, these prompts may decrease in frequency. Some systems may prompt for MFA more often than others, and unusual account activity may also increase the frequency of MFA prompts. Simply changing or staying on the same IP address is not enough on its own to either trigger or suppress MFA prompts.

    Session Timeouts

    Browsers

    Browser-based sessions will time out after several days. This timeout applies to browser-based access to Azure login based services (e.g. Outlook, OWA, Teams, OneDrive, Office, SharePoint Online, Dynamics365, Teams Web Client), and Shibboleth protected resources. The sessions are not persistent; on completely closing the browser a new login will have to be performed.

    Notes:

    • If a valid login is performed in a browser for one service, no further login should be required until the session expires/sessions are revoked/browser is closed (sessions are shared in tabs).

    • If you use several different browser sessions (Chrome, Firefox, Edge etc.) you will be prompted to authenticate after timeout for each browser session

    Note: In addition to the above, some services may require you to refresh your login. These rules are imposed by the individual services; for example, Outlook Web Access requires this after 8 hours of inactivity

    Apps

    Applications, unlike browser-based applications, have a 90 day rolling token. Examples of applications are:

    • Outlook (Windows, Android, Mac/iOS)
    • Mac Mail
    • Office applications
    • Teams on Windows (NB: not web version)
    • OneDrive client for Windows
    • Flow app for Mobile Devices

    Note: Teams on Linux behaves like a browser application – as such, session times act in line with the browser session of several days

    Early enablement, delay and exemption

    How do I request early enablement, a delay or an exemption?

    To reduce any disruption to you, it is really important that you check your MFA deployment date against existing commitments in your diary:

    • Are you traveling for work? 
    • Do you have exams? 
    • Deadlines to meet? 
    • Are you working on highly confidential research or materials and would like your account protected sooner?

    Early enablement

    If you would like to have MFA deployed on your account prior to your current deployment date, please complete a Service Request. MFA will be enabled on the requested account each weekday after 5pm. These requests may take up to two days to process. You will receive an email when your Service Request has been actioned. A typical request timeline is shown below:

    • Monday 3pm - Service Request received by the Service Desk
    • Tuesday 11:30am - Service Request processed by Service Desk. Requestor receives email informing them that their request has been fulfilled
    • Tuesday after 5pm - MFA is enabled on the requested account

    Please be aware that if your Service Request is processed by the Service Desk post 4pm you may be enabled on the next weekday evening.

    Delay

    If you need to delay multi-factor authentication being deployed on your account for exceptional circumstances, you will need to complete a Service Desk request (this can be completed on your behalf).

    You can only delay MFA until the end of the deployment schedule, currently March 2021.

    Exemption

    A very small number of users may not be able to use multi-factor authentication due to exceptional circumstances, such as accessibility issues. In these exceptional circumstances, individuals can request an exemption.

    To request an exemption from MFA please complete a service desk request.

    This request must be authorised by a Head of Department (HoD), or equivalent.

    MFA Compatibility

    What devices and platforms are compatible with MFA?

    Any device or platform that can do Modern Authentication is compatible with MFA:

    • Outlook (Win (Outlook 2016 onwards), Mac, iOS, Android)
    • Thunderbird (all platforms from v77 onwards)
    • Windows Mail app (Windows only)
    • Mac Mail (>10.13 - your account may need removing and re-adding)
    • Gmail on Android
    • Evolution on Linux 

    Note: if you are using an old device or operating system you will find the deployment of MFA on your account more disruptive. We advise upgrading to a platform that is compatible with MFA.

    If you require further help please contact your local IT support in the first instance.

    For students

    Essential information for students

    1. Read all the other information on this page
    2. Check your online exam timetable against the MFA timetable (SSO required). If you have any concerns regarding the date MFA is due to be deployed on your SSO account, we strongly advise you consider requesting early enablement of MFA and setting this up in advance
    3. Before attending an online exam, read the information under 'ONLINE EXAMS AND MFA' below
    4. Set up your authentication methods in advance; we strongly recommend you set up more than one method. The recommended methods for you are: setting one method on your mobile device and setting up the Authy authentication app, as this can be installed as a desktop application and requires no admin rights. See 'AUTHY AUTHENTICATOR APP' in the 'Setting up MFA in advance' section on this page.

    Read all the information on this page.

    It is extremely important that you have set up your authentication methods in advance of any online exam. We strongly recommend you set up more than one method. The recommended methods are setting one method on your mobile device and setting up the Authy authentication app, as this can be installed as a desktop application and requires no admin rights. See 'AUTHY AUTHENTICATOR APP' in the 'Setting up MFA in advance' section on this page.

    Please ensure you bring your mobile device with you to an online exam in order to authenticate and log in.

    For closed-book examinations undertaken through a University-approved online exams platform (e.g. Weblearn or Inspera) and held at a University examination site, candidates are required to bring with them their personal mobile device (e.g. phone or tablet) for the specific use of logging into the exam platform using their Oxford SSO-multi-factor authentication app. Once logged in, candidates will need to switch off their mobile device and place this face down on or underneath their desk, as instructed by invigilators.

    For open-book examinations undertaken remotely through a University-approved online exams platform (e.g. Weblearn or Inspera), candidates may also be required to have with them their personal mobile device (e.g. phone or tablet) to log into the exam platform using their Oxford SSO-multi-factor authentication app.

    Troubleshooting

    Known troubleshooting issues

    The following behaviour would be unexpected once MFA has been deployed on your account:

    • Continuous frequent re-prompting for login credentials in the same session (unless a logout is being forced by a service you have active) 
    • "Looping" in the MFA prompt (attempt shutting/retrying login to the service; clearing cookies in the browser as a fix)
    • "Sorry we’re having trouble with verifying your account" messages when trying to sign in with MFA – for example;
    1. When the default method of additional verification has been removed from the list of methods. Ensure you have a second method available at all times, use an alternative method as offered, and then change the default method in the MFA setup screen to a method that is valid.
    2. Or if you have multiple Microsoft accounts set up.

    If you encounter any of these issues and the advised fixes don't resolve the issue, please contact the IT Service Desk on 01865 (6)12345

    Contact & further information

    If you have any general questions regarding the implementation of multi-factor authentication please email the project team mfaproject@it.ox.ac.uk

    For any IT support with multi-factor authentication, please talk to your local IT support in the first instance. If you are unable to resolve your issue, contact the IT Service Desk on 01865 (6)12345