Multi-factor authentication

What is Multi-factor authentication?

The University is implementing multi-factor authentication (MFA) for all Oxford Single Sign-On (SSO) users across the University. This means you will be asked to verify your account using a second factor, such as a code from an app on your phone, text message, or a phone call.

MFA is being rolled out to all SSO accounts from January 2021 by surname.

How does MFA work?

You can verify your account using any of the following methods:

  • Using the Microsoft authenticator app on your mobile phone
  • Receiving an SMS on your mobile phone
  • Requesting a phone call on a landline or mobile phone
  • Authy desktop authenticator app
  • Using a hardware token

There is more detail about how to set up each of these methods before your MFA deployment date on the How to prepare for MFA page on the Projects website.

If you already have MFA on your SSO account, there is guidance for setting up more authentication methods on the MFA: Help and guidance page.

If you have a new phone, there is a guide for setting up MFA on a new mobile phone.

Secondary accounts

We will be enabling MFA on secondary accounts from May 2021 - please see the Secondary accounts page for information about reviewing your secondary accounts and preparing for MFA.

Sign up for MFA ahead of the rollout

Find out how to prepare for MFA

Expand All

Downloadable guides and video tutorials for setting up and managing Multi-Factor Authentication on your SSO account are available on the MFA: Help and guidance page.

The MFA: Help and guidance page has short guides for setting up verification using several key methods, along with video guides to demonstrate how to set up multi-factor authentication methods in advance of being moved to MFA as well as after MFA has been enabled on your account. There are addtional guides on 'Keep Me Signed In' (KMSI) and setting up app passwords, as well as guidance materials from Microsoft for further information on multi-factor authentication.

Any device or platform that can do Modern Authentication is compatible with MFA: This means that they are able to prompt for a second factor after the correct password is entered.

Hardware keys function differently in that they replace the password rather than acting purely as a second factor. This means that your browser needs to prompt correctly for a hardware key rather than a password. On Windows 10 this generally works well with Edge, Chrome, Firefox and Opera. On both Linux and MacOS the functionality is variable, with many browsers not able to authenticate with hardware keys. Chrome seems to be the most likely to work.


•    MacOS Mojave 10.14 and later
•    iOS 11 and later
•    Evolution on Linux 
•    Android (8.0+ recommended) 
•    MacOS Safari 14 
•    Microsoft Office 
•    Office 2016 (enabled by default) 
•    Office for iPad and iPhone (iOS 12+) 
•    Office for iPad Pro (iOS 11+) 
•    Office for Android (Android KitKat 4.4+ and ARM or Intel x86 processor) 
•    Thunderbird 77.0b1 and later (Compatible versions of Thunderbird need to be configured) 


•    Android (Google) Mail
•    Gmail (web) 
•    Samsung Mail (some versions work, but there is no definitive list or way of checking. Most do not)
•    Office 2010 (service pack 2 version 14.0.7182.5000 or later supports app passwords) 
•    iOS <11.  iOS versions before 11.
•    Outlook for Mac 2011 (will work with app passwords)

During 2021 the Multi-factor authentication project will be migrating Single Sign-On accounts across to using multi-factor authentication. The project team have written a comprehensive guide to how to prepare for MFA.

A rollout timetable for Multi-Factor Authentication is available (Requires a Single Sign-On login)

In January 2021, rollout begins to enable Multi-factor authentication for all SSO accounts across Oxford University. The rollout will happen on a surname (A-Z) basis, so if your surname is Maynard-Smith you will have MFA enabled in the release group "Mawh-Mils" on Tuesday 23 February 2021.

There is a technical FAQ page for IT support staff on the Projects website.

ITSS are encouraged to join the ITSS Community Teams forum (MFA channel) where you can communicate with the MFA project team and also find recordings of recent ITSS MFA briefings together with full slide decks.

Full MFA rollout details for ITSS are available on the ITSS Wiki as well as a summary of information relevant to MFA section aimed at supporting users.

If you are accessing your Oxford SSO as well as other institutions (this includes those with a separate Said Business School account), then you may find you have issues within the same browser - you may find this question in the MFA FAQ useful:


There is an increased and growing cyber threat to Universities. The University of Oxford has a particularly high profile leading the world with COVID-19 research and we are under continuous cyberattack. The pandemic has brought additional risks with increased working from home, accessing University information from a variety of devices.  

  • In the last 10 months, over 1600 of our colleagues have been presented with convincing fake Webauth pages. Quite understandably for busy people, they have then typed in their SSO and password giving access to their account, data sets and University services to a cyber-criminal
  • The University experienced a serious but contained Ransomware outbreak in January 2020 and that business unit has only recently completed its recovery. Weak authentication played a role in both the initial intrusion and spread of the malware
  • There is significant global interest in our Covid research. A successful cyber intrusion could disrupt clinical trials timetables if a regulator was concerned about the integrity of trials data. At worst, it could require trials to be repeated
  • MFA is a key action in the October 2020 Internal Audit report as a requirement for secure remote working

Therefore, it is vital for us to secure our accounts and systems, now more than ever. Multi-factor authentication is now common across many organisations. It will ‘double-lock’ our systems to protect Oxford’s unique information.

What is an app password?

An App Password is required in situations where you use apps or older devices that are incompatible with the multi-factor authentication method (see list for more information). The App Password proves to the system that you have multi-factor authentication set-up. When accessing an older application, such as Outlook 2013, you will be prompted for your multi-factor authentication details.

App Passwords can only be set up once your initial multi-factor authentication method has been set up, such as the authenticator app or a phone (refer to guides under ‘help and guidance’).

You must enter the App Password in place of your Single Sign-On password for the application or device you have created it for.

You can create up to 40 App Passwords. Each App Password is unique to an application.

Once this is done you will no longer be prompted for MFA for that specific application.

How do I enable an app password?

To enable App password for a personal or generic/secondary email account please use the App Password Enablement – Multi-Factor Authentication (MFA) service request.

For more information please visit the IT Help page, read the guide ‘Setting up App Passwords’ or watch the short video.

Get support

Local IT support provide your first line of on-the-spot help



Common requests and fault reports can be logged using self-service





The central Service Desk is available 24x7 on +44 1865 6 12345


If you do not have an SSO account you can use this form to contact the Service Desk