MFA: Hardware tokens

Information about purchasing and setting up hardware tokens for multi-factor authentication (MFA) on your Oxford Single-Sign On (SSO) account

What is a hardware token?

A hardware token or security key is a dedicated physical device that you plug into your computer or laptop that is used to authenticate your account. Once set up, it does not require any other devices, mobile data or internet connection for you to login to your account.

  • A hardware token must be purchased before it can be used to authenticate your account
  • You need to set up another authentication method before you can set up a Hardware token, so you will need a phone at initial set up
  • After setting up a hardware token this will become your new first factor log in. There will be no requirement to enter an SSO password, as this will be replaced by the hardware token
  • Support for using tokens will be provided by your local IT Departments
Yubico security key

Yubico security key

Expand All

Hardware tokens function differently to the other MFA methods in that they replace the password rather than acting purely as a second factor. This means that you need to use a compatible browser in order to be prompted to sign in with your hardware token instead of your password. 

  • On Windows 10 this generally works well with Edge, Chrome, Firefox and Opera
  • On both Linux and MacOS the functionality is variable, with many browsers not able to authenticate with hardware keys. Chrome and Edge work the most consistently

If you think you would like a hardware token for the purposes of multi-factor authentication, please speak to your local IT support in the first instance. They can advise on which type of token will be most suitable and can help with purchasing.

The central authentication servers are configured to allow the use of FIDO2 Hardware tokens (an internet standard for authentication) with the exception of SoloKeys.

Support for using tokens will be provided by your local IT Departments.

Hardware tokens should be purchased through your normal route for purchasing IT equipment

It is possible to reuse an existing hardware token once you have one.

Yubico is one suggested hardware token that you can purchase - these are the recommended suppliers:

  1. Purchase from Amazon - either set up an Amazon Business Account or purchase directly
    • Cost around £20 - £30
  2. Purchase from Insight
    • Costs between £15 and £50, depending on product, 10 unit minimum purchase

Product Description:

 

GTiN 13:

 

Yubico Product Code:

 Info
Security Key by Yubico 5060408461600  255 Protocols: U2F, FIDO2
Interfaces: USB-A

Security Key by Yubico (NFC)

 

5060408461952

 

256  

 Protocols: U2F, FIDO2
Interfaces: USB-A, NFC

YubiKey 5 NFC

5060408461426

237

 Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3
Interfaces: USB-A, NFC

YubiKey 5C NFC

5060408462331

335

 Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3
Interfaces: USB-C, NFC

YubiKey 5Ci

506040846196

291

 Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3
Interfaces: USB-C, Lightning

Note: the user experience may vary slightly depending on the make, model and browser so this guide should be used in conjunction with the manufacturer’s instructions.

  1. Go to My Sign-Ins
  2. On the security info page click + Add Method
     
    On the security info page click + Add Method

    On the security info page click + Add Method

  3. In the drop-down menu click Security Key
     
    In the drop-down menu click Security Key

    In the drop-down menu click Security Key

  4. Click Add (Note: At this step the system may sometimes prompt you to login again)
  5. Select USB device
     
    Select USB device

    Select USB device

  6. A message will appear asking you to have your security key ready. Click Next
     
    Have your key ready

    Have your key ready

  7. The following message may be displayed: "Your PC will redirect you to a new window to finish setup"
     
    Your PC will redirect you to a new window to finish setup

    Your PC will redirect you to a new window to finish setup

  8. Click OK at the Security key setup
     
    Security key setup

    Security key setup

  9. Click OK to continue
     
    Continue setup

    Continue setup

  10. Insert your security key into the USB port
     
    Insert your security key into the USB port

    Insert your security key into the USB port

  11. Now choose a new security key PIN. Make sure you enter a PIN which you will remember. The PIN should be between 4 and 8 digits long. If you have setup the key previously, enter your existing PIN
     
    Create a PIN for this security key

    Create a PIN for this security key

    or
     

    Enter your existing PIN

    Enter your existing PIN

  12. Click OK
  13. You will be prompted to tap the security key for verification purposes
     
    Touch your security key

    Touch your security key

  14. You may sometimes be prompted to enter your SSO password for additional verification. Type your password in and click Sign-In. If not, go to step 16
    Enter your password

    Enter your password

  15. You will be prompted to authenticate using your existing default method of authentication.
    Please authenticate to continue
  16. Enter a name for your key and click Next
    Name your security key. This will help distinguish it from other keys.

    Name your security key. This will help distinguish it from other keys.

  17. The system will confirm that the hardware token is set-up. Click Done
    You're all set!

    You're all set!

  18. The hardware token will appear on your security info page
     
    The hardware token will appear on your security info page

    The hardware token will appear on your security info page

To set up a hardware token in Linux you may need your browser to present itself as running OSX (Apple’s operating software). The best way to do this is through Chrome:

  • Install the Chrome Extension “User Agent Switcher” (offered by Google)
  • Once installed, go to the options for the extension and add a new user agent under Chrome

The fields are:

  • New User-agent name: YubiKey (or whatever you want) New User-Agent
  • String: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198
  • Safari/537.36
  • Group: leave empty
  • Append? : Replace
  • Indicator Flag: OSX

Once done, switch the agent to OSX, then follow the instructions in the above section for setting up hardware tokens for MFA.

Setting up a hardware token can only be done after another multi-factor authentication method has been set-up. This means that the hardware token is not automatically set as your default sign-in method.

This section will guide you through the process of how to make a hardware token your default sign-in method when logging in for the first time.

  1. Insert your hardware token into the USB port
  2. Select the account, which you would like to sign-in to, and go to step 3
    If the account is not listed, click Use another account and choose, Sign-in options and Sign in with a security key then go to step 4
     
    Select the account you want to login with

    Select the account you want to login with

  3. The Oxford Single Sign-On page will display. Click Sign in with a security key
     
    Click Sign in with a security key

    Click Sign in with a security key

  4. Enter your security key PIN and click OK
     
    Please enter your ssecurity key PIN

    Please enter your ssecurity key PIN

  5. You will be prompted to tap the security key for verification purposes
     
    Touch your security key

    Touch your security key

  6. The login process is complete, and the hardware token is now the default sign-in method.
    For future sign-ins you will be prompted for the pin to unlock the hardware token, rather than your password.

The IT Service Desk doesn’t have the capability to reset the credentials for a hardware token. This must be done by the user. To reset your hardware token, follow the steps outlined in the steps on the manufacturer’s website.

Related links

Get support

Local IT support provide your first line of on-the-spot help

FIND MY LOCAL IT TEAM

 

Common requests and fault reports can be logged using self-service

   USE IT SELF-SERVICE      

   LOG A SUPPORT CALL     

VIEW MY SUPPORT CALLS  

 

The central Service Desk is available 24x7 on +44 1865 6 12345

 

If you do not have an SSO account you can use this form to contact the Service Desk