Multi-Factor Authentication FAQs for Staff and Students

Further information about multi-factor authentication for staff and students

Expand All

Will we be allowed to setup/use multiple services/devices (in case one service is unavailable)?

Yes, it's recommended that you register multiple verification methods. When one method isn't available, you can choose to authenticate with another method.

Click here for further guidance.

How do I set up more than one authentication method at the time of registering?

  1. Go to the Microsoft Account page 
  2. Click Security Info 
  3. On the security info page click +Add Method 

 

 

      4.  Select the method, e.g. Security Key

What if I am in a building with no WIFI, how will I receive my second factor code?

When setting up multi factor authentication you should select the option on the mobile app that generates a one-time passcode, and requires no mobile data or Wi-Fi connectivity.

The Microsoft Authenticator app is available for Android and iOS

What will the recommendation be for users working from home with no smart phone, or with no mobile signal?

You can choose to receive your code via a landline number, if you have one, and if you have a smart phone but no mobile signal, you can authenticate over WiFi.

If you have no landline, smart phone or signal available, then you will require a hardware token.

Is it possible to have the same phone number associated with multiple accounts, e.g. for staff who have access to project accounts as well as their personal account?

Yes - it is possible to setup the same phone number for different accounts (it also works for mobile numbers), but it doesn't give any indication as to which account you are trying to sign into when it calls.

If a landline has forwarding set up on it for example, Chorus desktop landline to a mobile number, will the telephone authentication work?

Ensure you've got unconditional forwarding set (not forward on no reply) then the call will forward immediately with no delay. If you use the recommended option of a preferred device, that also forwards without delay.

  1. click 'call me on the second factor page'
  2. phone rings
  3. pick up the phone
  4. automated message "Thank you for using the Microsoft’s sign-in verification system. Please press the hash key to finish your verification." (you don't actually have to listen to this whole message)
  5. press hash key
  6. login completes / incoming call hangs up.

You will have around 30 seconds to press the hash key from the time that you pick up the incoming call (or around 15 seconds to press hash if you choose to listen to the whole message). 

What about staff and students new to the University, will they have MFA?

Yes, from 15 December 2020 all new staff and students will have MFA already deployed on their account, therefore they do not need to be included in the surname A-Z deployemnt timetable.

What about secondary accounts, will they have MFA applied to them?

There are two types of Multi-Factor Authentication (MFA).  Most people will have Standard MFA applied to their account. Someone who is using an app or device that does not support MFA will need to use App passwords which are only available with App Password MFA (if you do not see the App Password option in your list of methods on the My Sign-ins page https://mysignins.microsoft.com/security-info, you have Standard MFA)

From 10th December 2020 new secondary accounts created automatically have Standard MFA applied to them.

Depending on how your secondary account is being used, Standard MFA may not be appropriate and an App password may be required. If you require App Password MFA please complete a request for Switch Current Type – Multi-Factor Authentication (MFA). For more information about App passwords see IT Help

Has the webauth.ox.ac.uk screen changed? 

Yes, the Oxford web-based SSO sign-in page has beeen replaced with an Oxford-branded Microsoft sign-in page.  Your password will remain the same, however, your username may need be entered as  abcd1234@OX.AC.UK (where abcd1234 is your existing SSO username)

Why doesn't the 'Forgot my password' link work?

Passwords are handled locally, not by Microsoft, so this link will not work. However, if you forget your password, please click on the 'Reset your Signle Sign-On password link'.

Has the account management page changed?

Yes the account management pages have also been replaced with an Oxford branded page.

 

I access another institution's resources with a Microsoft Account and am having issues within the same browser

Options available to you are:

  1. Establish a second browser profile in your preferred browser and operate Oxford University Microsoft authentications in that browser instance (window) – running two browser profiles concurrently (e.g. this Chrome window is my other institution tenancy /services (for example @sbs.ox.ac.uk), and that Chrome window is for my Oxford University tenancy/services (abcd1234@OX.AC.UK))
  2. Use separate browsers and run them concurrently in order to establish separation in tenancy/service authentication (e.g. other institution tenancy /services authentications in Firefox, and Oxford University Microsoft authentications in Chrome)
  3. Use a single browser and incognito / private / in-private browser sessions on an ad-hoc basis to access Oxford University resources (this doesn’t preserve history / cookies)
  4. Continue to use a single browser and log in and out of each tenancy/service as and when necessary.

 

What hardware token shall I use and how do I purchase one?

If you think you would like a hardware token for the purposes of multi-factor authentication, please speak to your local IT support in the first instance. They can advise on which type of token will be most suitable and can help with purchasing.

The University will support the use of FIDO2 Hardware tokens. Departments, colleges or individuals will need to purchase and fund their preferred type of FIDO2 token themselves and it is possible to reuse an existing hardware token once you have one. Support for hardware tokens will be provided by your local IT.

These are the recommended suppliers;

Purchase from Amazon;

  • Set up an Amazon Business Account or purchase directly
  • Cost £18.99

   

 

Purchase from Insight 

Product Description:

 

GTiN 13:

 

Yubico Product Code:

Price per Unit (MOQ 10 units)

Security Key by Yubico (NFC)

 

5060408461952

 

256  

£19.28 each

YubiKey 5 NFC

5060408461426

237

£32.71 each

YubiKey 5C NFC

5060408462331

335

£39.98 each

YubiKey 5Ci

506040846196

291

£50.87 each

 

Plus a £10 postage charge.

 

Registering hardware keys from Linux web browsers

 Microsoft needs to think the Linux Chrome browser is running under OSX i.e. an Apple.

  • Install the Chrome Extension "User Agent Switcher" (Offered by: google.com). 
  • Once installed, go to the options for the extension and add a new user agent under Chrome

The fields are:

  • New User-agent name: YubiKey (or whatever you want) New User-Agent
  • String: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_0)
  • AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198
  • Safari/537.36
  • Group: leave empty
  • Append? : Replace
  • Indicator Flag: OSX

Once done switch the agent to OSX, then follow the user guide
Registration now proceeds

Contact

If you have any questions regarding the implementation of multi-factor authentication please email the project team mfaproject@it.ox.ac.uk