MFA: Hardware tokens

What is a Hardware token?

A hardware token or security key is a dedicated physical device that you plug into your computer or laptop that is used to authenticate your account. Once set up, it does not require any other devices, mobile data or internet connection for you to login to your account.

A hardware token must be purchased before it can be used to authenticate your account
You need to set up another authentication method before you can set up a Hardware token, so you will need a phone at initial set up
After setting up a hardware token this will become your new first factor log in. There will be no requirement to enter an SSO password, as this will be replaced by the hardware token
Support for using tokens will be provided by your local IT Departments

Yubico security key

Expand All

Compatibility

Hardware keys function differently to the other MFA methods in that they replace the password rather than acting purely as a second factor. This means that your browser needs to prompt correctly for a hardware key rather than a password.

On Windows 10 this generally works well with Edge, Chrome, Firefox and Opera
On both Linux and MacOS the functionality is variable, with many browsers not able to authenticate with hardware keys. Chrome seems to be the most likely to work

How to purchase a Hardware Token

If you think you would like a hardware token for the purposes of multi-factor authentication, please speak to your local IT support in the first instance. They can advise on which type of token will be most suitable and can help with purchasing.

The central authentication servers are configured to allow the use of FIDO2 Hardware tokens (an internet standard for authentication).

Support for using tokens will be provided by your local IT Departments.

Hardware tokens should be purchased through your normal route for purchasing IT equipment

It is possible to reuse an existing hardware token once you have one.

Yubico is one suggested hardware token that you can purchase - these are the recommended suppliers:

Purchase from Amazon - either set up an Amazon Business Account or purchase directly
- Cost around £20 - £30
Purchase from Insight
- Costs between £15 and £50, depending on product, 10 unit minimum purchase

Product Description:	GTiN 13:	Yubico Product Code:	Info
Security Key by Yubico	5060408461600	255	Protocols: U2F, FIDO2 Interfaces: USB-A
Security Key by Yubico (NFC)	5060408461952	256	Protocols: U2F, FIDO2 Interfaces: USB-A, NFC
YubiKey 5 NFC	5060408461426	237	Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3 Interfaces: USB-A, NFC
YubiKey 5C NFC	5060408462331	335	Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3 Interfaces: USB-C, NFC
YubiKey 5Ci	506040846196	291	Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3 Interfaces: USB-C, Lightning

How to set up a Hardware token for MFA

Note: the user experience may vary slightly depending on the make, model and browser so this guide should be used in conjunction with the manufacturer’s instructions.

Go to My Sign-Ins
On the security info page click + Add Method

On the security info page click + Add Method
In the drop-down menu click Security Key

In the drop-down menu click Security Key
Click Add (Note: At this step the system may sometimes prompt you to login again)
Select USB device

Select USB device
A message will appear asking you to have your security key ready. Click Next

Have your key ready
The following message may be displayed: "Your PC will redirect you to a new window to finish setup"

Your PC will redirect you to a new window to finish setup
Click OK at the Security key setup

Security key setup
Click OK to continue

Continue setup
Insert your security key into the USB port

Insert your security key into the USB port
Now choose a new security key PIN. Make sure you enter a PIN which you will remember. The PIN should be between 4 and 8 digits long. If you have setup the key previously, enter your existing PIN

Create a PIN for this security key

or

Enter your existing PIN
Click OK
You will be prompted to tap the security key for verification purposes

Touch your security key
You may sometimes be prompted to enter your SSO password for additional verification. Type your password in and click Sign-In. If not, go to step 16

Enter your password
You will be prompted to authenticate using your existing default method of authentication.
Please authenticate to continue
Enter a name for your key and click Next

Name your security key. This will help distinguish it from other keys.
The system will confirm that the hardware token is set-up. Click Done

You're all set!
The hardware token will appear on your security info page

The hardware token will appear on your security info page

Making a hardware token your default sign-in method

Setting up a hardware token can only be done after another multi-factor authentication method has been set-up. This means that the hardware token is not your default sign-in method.
This section will guide you through the process of how to make the hardware token your default sign-in method when logging for the first time using a hardware token.

Insert your hardware token into the USB port
Select the account, which you would like to sign-in to, and go to step 3
If the account is not listed, click Use another account and choose, Sign-in options and Sign in with a security key then go to step 4

Select the account you want to login with
The Oxford Single Sign-On page will display. Click Sign in with a security key

Click Sign in with a security key
Enter your security key PIN and click OK

Please enter your ssecurity key PIN
You will be prompted to tap the security key for verification purposes

Touch your security key
The login process is complete, and the hardware token is now the default sign-in method
For future sign-ins you will be prompted for the pin to unlock the hardware token, rather you’re your password.