MFA: Hardware tokens

What is a Hardware token?

A hardware token or security key is a dedicated physical device that you plug into your computer or laptop that is used to authenticate your account. Once set up, it does not require any other devices, mobile data or internet connection for you to login to your account.

Yubico security key

Yubico security key

Expand All

Hardware keys function differently to the other MFA methods in that they replace the password rather than acting purely as a second factor. This means that your browser needs to prompt correctly for a hardware key rather than a password.

If you think you would like a hardware token for the purposes of multi-factor authentication, please speak to your local IT support in the first instance. They can advise on which type of token will be most suitable and can help with purchasing.

The central authentication servers are configured to allow the use of FIDO2 Hardware tokens (an internet standard for authentication).

Support for using tokens will be provided by your local IT Departments.

Hardware tokens should be purchased through your normal route for purchasing IT equipment

It is possible to reuse an existing hardware token once you have one.

Yubico is one suggested hardware token that you can purchase - these are the recommended suppliers:

  1. Purchase from Amazon - either set up an Amazon Business Account or purchase directly
    • Cost around £20 - £30
  2. Purchase from Insight
    • Costs between £15 and £50, depending on product, 10 unit minimum purchase

Product Description:

 

GTiN 13:

 

Yubico Product Code:

Info
Security Key by Yubico 5060408461600  255 Protocols: U2F, FIDO2
Interfaces: USB-A

Security Key by Yubico (NFC)

 

5060408461952

 

256  

Protocols: U2F, FIDO2
Interfaces: USB-A, NFC

YubiKey 5 NFC

5060408461426

237

Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3
Interfaces: USB-A, NFC

YubiKey 5C NFC

5060408462331

335

Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3
Interfaces: USB-C, NFC

YubiKey 5Ci

506040846196

291

Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3
Interfaces: USB-C, Lightning

Note: the user experience may vary slightly depending on the make, model and browser so this guide should be used in conjunction with the manufacturer’s instructions.

  1. Go to My Sign-Ins
  2. On the security info page click + Add Method
     
    On the security info page click + Add Method

    On the security info page click + Add Method

  3. In the drop-down menu click Security Key
     
    In the drop-down menu click Security Key

    In the drop-down menu click Security Key

  4. Click Add (Note: At this step the system may sometimes prompt you to login again)
  5. Select USB device
     
    Select USB device

    Select USB device

  6. A message will appear asking you to have your security key ready. Click Next
     
    Have your key ready

    Have your key ready

  7. The following message may be displayed: "Your PC will redirect you to a new window to finish setup"
     
    Your PC will redirect you to a new window to finish setup

    Your PC will redirect you to a new window to finish setup

  8. Click OK at the Security key setup
     
    Security key setup

    Security key setup

  9. Click OK to continue
     
    Continue setup

    Continue setup

  10. Insert your security key into the USB port
     
    Insert your security key into the USB port

    Insert your security key into the USB port

  11. Now choose a new security key PIN. Make sure you enter a PIN which you will remember. The PIN should be between 4 and 8 digits long. If you have setup the key previously, enter your existing PIN
     
    Create a PIN for this security key

    Create a PIN for this security key

    or
     

    Enter your existing PIN

    Enter your existing PIN

  12. Click OK
  13. You will be prompted to tap the security key for verification purposes
     
    Touch your security key

    Touch your security key

  14. You may sometimes be prompted to enter your SSO password for additional verification. Type your password in and click Sign-In. If not, go to step 16
    Enter your password

    Enter your password

  15. You will be prompted to authenticate using your existing default method of authentication.
    Please authenticate to continue
  16. Enter a name for your key and click Next
    Name your security key. This will help distinguish it from other keys.

    Name your security key. This will help distinguish it from other keys.

  17. The system will confirm that the hardware token is set-up. Click Done
    You're all set!

    You're all set!

  18. The hardware token will appear on your security info page
     
    The hardware token will appear on your security info page

    The hardware token will appear on your security info page

Setting up a hardware token can only be done after another multi-factor authentication method has been set-up. This means that the hardware token is not your default sign-in method. 
This section will guide you through the process of how to make the hardware token your default sign-in method when logging for the first time using a hardware token.

  1. Insert your hardware token into the USB port
  2. Select the account, which you would like to sign-in to, and go to step 3
    If the account is not listed, click Use another account and choose, Sign-in options and Sign in with a security key then go to step 4
     
    Select the account you want to login with

    Select the account you want to login with

  3. The Oxford Single Sign-On page will display. Click Sign in with a security key
     
    Click Sign in with a security key

    Click Sign in with a security key

  4. Enter your security key PIN and click OK
     
    Please enter your ssecurity key PIN

    Please enter your ssecurity key PIN

  5. You will be prompted to tap the security key for verification purposes
     
    Touch your security key

    Touch your security key

  6. The login process is complete, and the hardware token is now the default sign-in method
    For future sign-ins you will be prompted for the pin to unlock the hardware token, rather you’re your password.

The IT Service Desk doesn’t have the capability to reset the credentials for a hardware token. This must be done by the user. To reset your hardware token, follow the steps outlined in the steps on the manufacturer’s website.

Get support


Local IT support provide your first line of on-the-spot help

FIND MY LOCAL IT TEAM

 

Common requests and fault reports can be logged using self-service

   USE IT SELF-SERVICE      

   LOG A SUPPORT CALL     

VIEW MY SUPPORT CALLS  

 

The central Service Desk is available 24x7 on +44 1865 6 12345

 

If you do not have an SSO account you can use this form to contact the Service Desk