Multi-factor authentication

What is Multi-factor authentication?

The University is implementing multi-factor authentication (MFA) for all Oxford Single Sign-On (SSO) users across the University. This means you will be asked to verify your account using a second factor, such as a code from an app on your phone, text message, or a phone call.

MFA is being rolled out to all SSO accounts from January 2021 by surname.

How does MFA work?

You can verify your account using any of the following methods:

  • Using the Microsoft authenticator app on your mobile phone
  • Receiving an SMS on your mobile phone
  • Requesting a phone call on a landline or mobile phone
  • Authy desktop authenticator app
  • Using a hardware token

There is more detail about how to set up each of these methods before your MFA deployment date on the How to prepare for MFA page on the Projects website.

If you already have MFA on your SSO account, there is guidance for setting up more authentication methods on the MFA: Help and guidance page. 

Sign up for MFA ahead of the rollout

Find out how to prepare for MFA

Expand All

Downloadable guides and video tutorials for setting up and managing Multi-Factor Authentication on your SSO account are available on the MFA: Help and guidance page.

The MFA: Help and guidance page has short guides for setting up verification using several key methods, along with video guides to demonstrate how to set up multi-factor authentication methods in advance of being moved to MFA as well as after MFA has been enabled on your account. There are addtional guides on 'Keep Me Signed In' (KMSI) and setting up app passwords, as well as guidance materials from Microsoft for further information on multi-factor authentication.

Any device or platform that can do Modern Authentication is compatible with MFA:


•    MacOS Mojave 10.14 and later
•    iOS 11 and later
•    Evolution on Linux 
•    Android (8.0+ recommended) 
•    MacOS Safari 14 
•    Microsoft Office 
•    Office 2016 (enabled by default) 
•    Office for iPad and iPhone (iOS 12+) 
•    Office for iPad Pro (iOS 11+) 
•    Office for Android (Android KitKat 4.4+ and ARM or Intel x86 processor) 
•    Thunderbird 77.0b1 and later (Compatible versions of Thunderbird need to be configured) 


•    Android (Google) Mail
•    Gmail (web) 
•    Samsung Mail (some versions work, but there is no definitive list or way of checking. Most do not)
•    Office 2010 (service pack 2 version 14.0.7182.5000 or later supports app passwords) 
•    iOS 11 and earlier versions
•    Outlook for Mac 2011 (will work with app passwords)

During 2021 the Multi-factor authentication project will be migrating Single Sign-On accounts across to using multi-factor authentication. The project team have written a comprehensive guide to how to prepare for MFA.

A rollout timetable for Multi-Factor Authentication is available (Requires a Single Sign-On login)

In January 2021, rollout begins to enable Multi-factor authentication for all SSO accounts across Oxford University. The rollout will happen on a surname (A-Z) basis, so if your surname is Maynard-Smith you will have MFA enabled in the release group "Mawh-Mils" on Tuesday 23 February 2021.

There is a technical FAQ page for IT support staff on the Projects website.

ITSS are encouraged to join the ITSS Community Teams forum (MFA channel) where you can communicate with the MFA project team and also find recordings of recent ITSS MFA briefings together with full slide decks.

Full MFA rollout details for ITSS are available on the ITSS Wiki as well as a summary of information relevant to MFA section aimed at supporting users.

If you are accessing your Oxford SSO as well as other institutions (this includes those with a separate Said Business School account), then you may find you have issues within the same browser - you may find this question in the MFA FAQ useful:


There is an increased and growing cyber threat to Universities. The University of Oxford has a particularly high profile leading the world with COVID-19 research and we are under continuous cyberattack. The pandemic has brought additional risks with increased working from home, accessing University information from a variety of devices.  

  • In the last 10 months, over 1600 of our colleagues have been presented with convincing fake Webauth pages. Quite understandably for busy people, they have then typed in their SSO and password giving access to their account, data sets and University services to a cyber-criminal
  • The University experienced a serious but contained Ransomware outbreak in January 2020 and that business unit has only recently completed its recovery. Weak authentication played a role in both the initial intrusion and spread of the malware
  • There is significant global interest in our Covid research. A successful cyber intrusion could disrupt clinical trials timetables if a regulator was concerned about the integrity of trials data. At worst, it could require trials to be repeated
  • MFA is a key action in the October 2020 Internal Audit report as a requirement for secure remote working

Therefore, it is vital for us to secure our accounts and systems, now more than ever. Multi-factor authentication is now common across many organisations. It will ‘double-lock’ our systems to protect Oxford’s unique information.

Get support

Local IT support provide your first line of on-the-spot help



Common requests and fault reports can be logged using self-service





The central Service Desk is available 24x7 on +44 1865 6 12345


If you do not have an SSO account you can use this form to contact the Service Desk