Multi-factor authentication (MFA)

MFA requires additional verification to be provided in addition to your SSO username and password, such as confirmation of a temporary code sent to your phone.

To set up and configure Multi-Factor Authentication go to the MFA setup and management page. You should add multiple authentication methods so you do not rely on the same device, phone or internet connection.

The University of Oxford has a particularly high profile in teaching and research and we are under continuous cyber attack.  MFA was introduced to double lock our accounts and systems.

Expand All

The additional verification required for MFA can be provided by a number of methods.  Setup details for each method are available on the MFA setup and management page.


Method Description Requirements Usage
Microsoft Authenticator The default authenticator app suggested when setting up MFA. Mobile device Prompts for authorisation (requires internet) or provides a one-time password.
Alternative authenticator Authenticator apps such as Google Authenticator or Duo Security. Mobile device Provides a one-time password.
Authy An authenticator app available for computers and mobile devices.

Windows, macOS, Linux, Android or iOS device

Telephone when setting up

Provides a one-time password.
Phone call An automated call made to a registered phone number. Telephone able to receive calls Prompts for authorisation.
Text message An automated text sent to a registered phone number. Device able to receive text messages Provides a one-time password.

Security key /

Hardware token

A device that you plug into your computer.

Security key

An existing MFA method during setup

Plug in the security key.


Microsoft Authenticator

Microsoft Authenticator is an app for mobile devices that can receive MFA authorisation notifications or provide one-time passwords.

Internet access is required to receive authorisation notifications.

Alternative Authenticator

If you already use an authenticator app then you may not need another.  A number of alternative authorisation apps are available, such as Google Authenticator and Duo Security, which can create one-time passwords for authorisation.

Authenticator apps should not require internet access or phone connectivity.


Authy is an alternative authenticator app available for most computers and mobile devices.

Having Authy installed on the computers you use should ensure that you can access your account even if your other devices are not available.

A phone connection is required for the initial set up, but it is not needed again after this.

Phone call

Mobile phones or landlines can receive an automated phone call to prompt for the press of a specified key for authorisation.

Text message

Devices able to receive text messages can receive an automated text containing a one-time password.

Security key

A security key, or hardware token, is a physical device that you plug into your computer.  Once set up, no other devices or connections are needed for authentication.

Please first contact your local IT support team for advice about purchasing and whether a security key is compatible with your devices as not all web browsers support security keys.  The security key must support FIDO2.

Security keys are supported by your local IT support team.

Older operating systems and applications may not prompt for a second factor, so may not be compatible with MFA.


The following are not supported before the version shown, or not at all.

  • Android 8
  • iOS 11
  • macOS 10.14
  • Safari 14 (macOS)
  • Office for iPad Pro (iOS 11)
  • Office for iPad and iPhone (iOS 12)
  • Thunderbird 78
  • Evolution 3.27.91
  • Office 2013 (must be enabled for this version)
  • Samsung Mail (does not work in most cases)
  • Android Mail (does not work)
  • Gmail (does not work)

Security keys

Security keys function slightly differently as the browser must be able to prompt for it.  Most popular browsers can be used with Windows computers, for other devices the Chrome browser is likely to work but others may not.

MFA exemptions can be requested due to exceptional circumstances, such as accessibility issues.

Please first discuss all available MFA options with your local IT support team.  The circumstances for exemptions are limited and regularly reviewed as they reduce the security of an account, which could lead to severe consequences for the University through data loss, system impairment and reputational damage.

Exemptions are requested using the Exemption from Multi-Factor Authentication (MFA) service request and must be authorised by someone such as your manager, supervisor, tutor or administrator.

Get support

If you cannot find the solution you need here then we have other ways to get IT support