Multi-factor authentication

What is Multi-factor authentication?

The University has implemented multi-factor authentication (MFA) for all Oxford Single Sign-On (SSO) users across the University. This means you will be asked to verify your Oxford Single Sign-On (SSO) account using a second factor, such as a code from an app on your phone, text message, or a phone call.

You will have MFA enabled on your account when it is created. If for any reason you do not have MFA enabled and an authorised exemption is not in place please request MFA via IT Self-Service.

What verification methods can I use?

You can verify your account using any of the following methods:

We encourage everyone to set up more than one method, preferably methods that don't both rely on the same device. For example, you might set up the Authenticator app as your default method, and then set up a landline as your second method.

If you don’t want to use your mobile for MFA, you can use a landline, a hardware token or the Authy app on your computer.

For more tips, please see Making the most of multi-factor authentication (MFA) - top ten tips.

If you are not sure which method to use, we have a page which lists the pros and cons of each authentication method.

Please see MFA: how often should I get prompted? to find out the expected frequency for MFA. If you think you are getting prompted too often, please speak to your local IT support or call the central Service Desk on +44 1865 6 12345.

Help with MFA

There is guidance for setting up and managing MFA on your account on the MFA: Help and guidance page, which includes guides, videos and links to the Microsoft website:

Expand All

Any device or platform that can do Modern Authentication is compatible with MFA. This means that they are able to prompt for a second factor after the correct password is entered.


  • MacOS Mojave 10.14 and later
  • iOS 11 and later
  • Evolution on Linux
  • Android (8.0+ recommended)
  • MacOS Safari 14
  • Microsoft Office
  • Office 2016 (enabled by default)
  • Office for iPad and iPhone (iOS 12+)
  • Office for iPad Pro (iOS 11+)
  • Office for Android (Android KitKat 4.4+ and ARM or Intel x86 processor)
  • Thunderbird 77.0b1 and later (compatible versions of Thunderbird need to be configured)


  • Android (Google) Mail
  • Gmail (web)
  • Samsung Mail (some versions work, but there is no definitive list or way of checking. Most do not)
  • Office 2010 (service pack 2 version 14.0.7182.5000 or later supports app passwords)
  • iOS versions before 11
  • Outlook for Mac 2011 (will work with app passwords)

Hardware keys

Hardware keys function differently in that they replace the password rather than acting purely as a second factor. This means that your browser needs to prompt correctly for a hardware key rather than a password. On Windows 10 this generally works well with Edge, Chrome, Firefox and Opera. On both Linux and MacOS the functionality is variable, with many browsers not able to authenticate with hardware keys. Chrome seems to be the most likely to work.

What is an app password?

An App Password is required in situations where you use apps or older devices that are incompatible with the multi-factor authentication method. The App Password proves to the system that you have multi-factor authentication set-up.

For more information about App Passwords, including how to request them for your account and how to set them up, please see the Create an App password for Nexus365 page.

A very small number of users may not be able to use multi-factor authentication due to exceptional circumstances, such as accessibility issues. In these exceptional circumstances, individuals can request an exemption.

If you think you require an exemption please speak to your local IT support in the first instance to discuss all the options available for multi-factor authentication.

To request an exemption from MFA please complete a IT Self-Service request.

This request must be authorised by someone, such as your manager, supervisor, tutor or administrator, before it can be processed.

Hacked accounts can have severe consequences for the University, through data loss, system impairment and reputational damage, so we will be limiting the circumstances in which people are allowed exemptions and they will be regularly reviewed.

ITSS are encouraged to join the ITSS Community Teams forum (MFA channel).

Full MFA rollout details for ITSS are available on the ITSS Wiki as well as a summary of information relevant to MFA section aimed at supporting users.

  • Some retirees had MFA applied to their SSO accounts as part of the MFA project 
  • If you don't have MFA but would like to increase the security on your account, please speak to your local IT or central IT Service Desk
  • If you are having any difficulties managing MFA on your account, please contact your local IT or central IT Service Desk

There is an increased and growing cyber threat to Universities. The University of Oxford has a particularly high profile in teaching and research and we are under continuous cyberattack. The pandemic has brought additional risks with increased working from home, accessing University information from a variety of devices.  

  • In the last 10 months, over 1600 of our colleagues have been presented with convincing fake Webauth pages. Quite understandably for busy people, they have then typed in their SSO and password giving access to their account, data sets and University services to a cyber-criminal
  • The University experienced a serious but contained Ransomware outbreak in January 2020 and that business unit has only recently completed its recovery. Weak authentication played a role in both the initial intrusion and spread of the malware
  • MFA is a key action in the October 2020 Internal Audit report as a requirement for secure remote working

Therefore, it is vital for us to secure our accounts and systems, now more than ever. Multi-factor authentication is now common across many organisations. It will ‘double-lock’ our systems to protect Oxford’s unique information.

Get support

Local IT support provides your first line of on-the-spot help



Common requests and fault reports can be logged using self-service





The Central IT Service Desk is available 24x7 on +44 1865 6 12345

If you do not have access to your Single Sign-On, you can use this form to contact the Service Desk