Multi-Factor Authentication Project

On 10 November, the existing Webauth login page, where you sign in with your SSO, was replaced with an Oxford-branded Microsoft login page.

You will also be required to follow the University password policy, when you are next prompted to change your password, which we hope will also improve security for SSO account users.

A second step will be added to all SSO accounts, deployed alphabetically by surname from January 2021. You will be required to enter a code to authenticate your account.

You can receive this code using any of the following methods:

  • Using the Microsoft authenticator app on your mobile phone in one of two modes:
  • Push notifications, where you request the authentication on the device you are logging into, and the app pops up with “yes” or “no” to accept the authentication
  • Time-based One-time Password (TOTP), where you generate a code using the authenticator app and manually enter it on the device you are logging into when prompted (no WIFI required)
  • Receiving an SMS on your mobile phone, with a code that you enter on the device you are logging into
  • Requesting a phone call on a landline or mobile phone, which automatically reads out the code to you, which you then enter manually on the device you are logging into (all phone numbers in all countries will work for this method)
  • Using a hardware token, which your department or college can purchase.

    A hardware token is a dedicated physical device held by an authorised user and is used, in addition to a password, to grant access to computer resources

    Once multi-factor authentication is enabled on your account, you must initially set-up one other multi-factor authentication methods (Authenticator App, phone call or SMS) prior to adding a hardware token.

    The University will support the use of FIDO2 Hardware tokens, please talk to your local IT Support for more information.


For guidance on how to set up each authentication method, please refer to the help and guidance section.

Expand All

There is an increased and growing cyber threat to Universities. The University of Oxford has a particularly high profile leading the world with COVID-19 research and we are under continuous cyberattack. The pandemic has brought additional risks with increased working from home, accessing University information from a variety of devices.  

  • In the last 10 months, over 1600 of our colleagues have been presented with convincing fake Webauth pages,  quite understandably for busy people, have then typed in their SSO and password giving access to their account, data sets and University services to a cyber-criminal
  • The University experienced a serious but contained Ransomware outbreak in January 2020 and that business unit has only recently completed its recovery.  Weak authentication played a role in both the initial intrusion and spread of the malware. 
  • There is significant global interest in our Covid research.  A successful cyber intrusion could disrupt clinical trials timetables if a regulator was concerned about the integrity of trials data.  At worst, it could require trials to be repeated.
  • MFA is a key action in the October 2020 Internal Audit report as a requirement for secure remote working


Therefore, it is vital for us to secure our accounts and systems, now more than ever. Multi-factor authentication is now common across many organisations. It will ‘double-lock’ our systems to protect Oxford’s unique information.  

In January 2021 MFA will start to be enabled on a surname (A-Z) basis (for example if your surname is Maynard-Smith you will have second factor enabled in deployment group M).

Each deployment group will receive countdown communications starting 4 weeks prior to your deployment date. These will contain your deployment date and details on how you can prepare, keep an eye out for these in your inbox.

The full deployment timetable is available here (you will require your SSO credentials to access this timetable)


What is an app password?

An App Password is required in situations where you use apps or older devices that are incompatible with the multi-factor authentication method (see list for more information). The App Password proves to the system that you have multi-factor authentication set-up. When accessing an older application, such as Outlook 2013, you will be prompted for your multi-factor authentication details.

App Passwords can only be set up once your initial multi-factor authentication method has been set up, such as the authenticator app or a phone (refer to guides under ‘help and guidance’).

You must enter the App Password in place of your Single Sign-On password for the application or device you have created it for.

You can create up to 40 App Passwords. Each App Password is unique to an application.

Once this is done you will no longer be prompted for MFA for that specific application.

How do I enable an app password?

To enable App password for a personal or generic/secondary email account please use the App Password Enablement – Multi-Factor Authentication (MFA) service request.

For more information please visit the IT Help page, read the guide ‘Setting up App Passwords’ or watch the short video (available soon).

See all the multi-factor authentication FAQs here.

Contact & further information

If you have any general questions regarding the implementation of multi-factor authentication please email the project team

For any IT support with multi-factor authentication, please talk to your local IT support in the first instance, if you are unable to resolve your issue, contact the IT Service Desk 01865 (6)12345