There are two types of Multi-factor authentication (MFA); ‘Standard MFA’ which is the default at Oxford and suitable for most accounts, and ‘App Password MFA’ which is available on request.
What is an App password?
An App password is a long, randomly generated password that you provide only once instead of your regular password when signing in to an app or device that doesn't support MFA. You therefore only need to request ‘App Password MFA’ if you will be using an app or device that does not support MFA. If you have MFA enabled and an app isn't prompting you to enter a security code when you sign in, you may be able to sign in with an App password instead.
You can check whether you have ‘Standard MFA’ or ‘App Password MFA’ via the My Sign-ins page https://mysignins.microsoft.com/security-info. If you do not see the App Password option in your list of methods on, you have Standard MFA.
How to request an App password
To request App password MFA for a personal or generic/secondary email account that does not yet have MFA applied please use the App Password Enablement – Multi-Factor Authentication (MFA) service request.
If you already have Standard MFA enabled on a personal or generic/secondary account and need App Password MFA, please complete a request for a Switch Current Type – Multi-Factor Authentication (MFA).
Instructions on how to create an App password
Each app password should be unique to an application or device for greater security. Please ensure when creating app passwords you follow University guidelines for creating strong passwords and don’t reuse passwords across multiple applications.
Here are the instructions on how to create an App password for Nexus365.
- At the top of the Security info page click +Add Method
- In the drop-down menu, select App Password
- Click Add
- Enter a name that helps differentiate this App Password from any others you might have
- Click Next
- The App Password will be created
- Copy the password and keep it in a safe place
- Click Done
- App Password will appear in the list as a registered method
A video is also available to demonstrate how to set up an app password.
Things to know about App passwords
• You should create a separate App password for each device that requires one.
• The same App password can be used for multiple applications on the same device.
• Once an App password is created, there is no way to go back and get the value. You must create a new App password and delete the old one.
• If an account becomes compromised, it is a standard operating procedure to clear all App passwords.
• Never install an App password on a device you do not have complete control over.
If exposed, App passwords are dangerous as they bypass the account password and MFA. Keep them in a safe place until you have them safely configured on the device.