MFA: Multi-factor authentication

What is Multi-factor authentication?

The University is implementing multi-factor authentication (MFA) for all Oxford Single Sign-On (SSO) users across the University. This means you will be asked to verify your account using a second factor, such as a code from an app on your phone, text message, or a phone call.

MFA is being rolled out to all SSO accounts from January 2021 by surname.

How does MFA work?

You can verify your account using any of the following methods:

  • Using the Microsoft authenticator app on your mobile phone
  • Receiving an SMS on your mobile phone
  • Requesting a phone call on a landline or mobile phone
  • Authy desktop authenticator app
  • Using a hardware token

There is more detail about each of these methods on the How to prepare for MFA page on the Projects website.

Sign up for MFA ahead of the rollout

Find out how to prepare for MFA

Expand All

Downloadable guides and video tutorials for setting up and managing Multi-Factor Authentication on your SSO account are avaialble on the MFA: Help and guidance page.

The MFA: Help and guidance page has short guides for setting up verification using several key methods, along with video guides to demonstrate how to set up multi-factor authentication methods in advance of being moved to MFA as well as after go-live.  There are addtional guides on 'Keep Me Signed In' (KMSI) and setting up app passwords, as well as guidance materials from Microsoft for further information on multi-factor authentication.

Any device or platform that can do Modern Authentication is compatible with MFA:

  • Outlook (Windows (Outlook 2016 onwards), MacOS Mojave (version 10.14) or above, iOS, Android)
  • Thunderbird (all platforms from v77 onwards)
  • Windows Mail app (Windows only)
  • Mac Mail (>10.13 - your account may need removing and re-adding)
  • Gmail on Android
  • Evolution on Linux 

If you are using an old device or operating system you will find the deployment of MFA on your account more disruptive. We advise upgrading to a platform that is compatible with MFA

During 2021 the Multi-factor authentication project will be migrating Single Sign-On accounts across to using multi-factor authentication. The project team have written a comprehensive guide to how to prepare for MFA.

A rollout timetable for Multi-Factor Authentication is available (Requires a Single Sign-On login)

In January 2021, rollout begins to enable Multi-factor authentication for all SSO accounts across Oxford University. The rollout will happen on a surname (A-Z) basis, so if your surname is Maynard-Smith you will have MFA enabled in the release group "Mawh-Mils" on Tuesday 23 February 2021.

There is a technical FAQ page for IT support staff on the Projects website.

ITSS are encouraged to join the ITSS Community Teams forum (MFA channel) where you can communicate with the MFA project team and also find recordings of recent ITSS MFA briefings together with full slide decks.

Full MFA rollout details for ITSS are available on the ITSS Wiki as well as a summary of information relevant to MFA section aimed at supporting users.

There is an increased and growing cyber threat to Universities. The University of Oxford has a particularly high profile leading the world with COVID-19 research and we are under continuous cyberattack. The pandemic has brought additional risks with increased working from home, accessing University information from a variety of devices.  

  • In the last 10 months, over 1600 of our colleagues have been presented with convincing fake Webauth pages. Quite understandably for busy people, they have then typed in their SSO and password giving access to their account, data sets and University services to a cyber-criminal
  • The University experienced a serious but contained Ransomware outbreak in January 2020 and that business unit has only recently completed its recovery. Weak authentication played a role in both the initial intrusion and spread of the malware
  • There is significant global interest in our Covid research. A successful cyber intrusion could disrupt clinical trials timetables if a regulator was concerned about the integrity of trials data. At worst, it could require trials to be repeated
  • MFA is a key action in the October 2020 Internal Audit report as a requirement for secure remote working

Therefore, it is vital for us to secure our accounts and systems, now more than ever. Multi-factor authentication is now common across many organisations. It will ‘double-lock’ our systems to protect Oxford’s unique information.

Get support

Local IT support provide your first line of on-the-spot help



Common requests and fault reports can be logged using self-service





The central Service Desk is available 24x7 on +44 1865 6 12345 (check central IT support arrangements over Christmas)


If you do not have an SSO account you can use this form to contact the Service Desk