MFA: Hardware tokens
Information about purchasing and setting up hardware tokens for multi-factor authentication (MFA) on your Oxford Single-Sign On (SSO) account
What is a hardware token?
A hardware token or security key is a dedicated physical device that you plug into your computer or laptop that is used to authenticate your account. Once set up, it does not require any other devices, mobile data or internet connection for you to login to your account.
- A hardware token must be purchased before it can be used to authenticate your account
- You need to set up another authentication method before you can set up a Hardware token, so you will need a phone at initial set up
- After setting up a hardware token this will become your new first factor log in. There will be no requirement to enter an SSO password, as this will be replaced by the hardware token
- Support for using tokens will be provided by your local IT Departments

Yubico security key
Hardware tokens function differently to the other MFA methods in that they replace the password rather than acting purely as a second factor. This means that you need to use a compatible browser in order to be prompted to sign in with your hardware token instead of your password.
- On Windows 10 this generally works well with Edge, Chrome, Firefox and Opera
- On both Linux and MacOS the functionality is variable, with many browsers not able to authenticate with hardware keys. Chrome and Edge work the most consistently
If you think you would like a hardware token for the purposes of multi-factor authentication, please speak to your local IT support in the first instance. They can advise on which type of token will be most suitable and can help with purchasing.
The central authentication servers are configured to allow the use of FIDO2 Hardware tokens (an internet standard for authentication) with the exception of SoloKeys.
Support for using tokens will be provided by your local IT Departments.
Hardware tokens should be purchased through your normal route for purchasing IT equipment
It is possible to reuse an existing hardware token once you have one.
Yubico is one suggested hardware token that you can purchase - these are the recommended suppliers:
- Purchase from Amazon - either set up an Amazon Business Account or purchase directly
- Cost around £20 - £30
- Purchase from Insight
- Costs between £15 and £50, depending on product, 10 unit minimum purchase
Product Description:
|
GTiN 13:
|
Yubico Product Code: |
Info |
---|---|---|---|
Security Key by Yubico | 5060408461600 | 255 | Protocols: U2F, FIDO2 Interfaces: USB-A |
Security Key by Yubico (NFC)
|
5060408461952
|
256 |
Protocols: U2F, FIDO2 Interfaces: USB-A, NFC |
YubiKey 5 NFC |
5060408461426 |
237 |
Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3 Interfaces: USB-A, NFC |
YubiKey 5C NFC |
5060408462331 |
335 |
Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3 Interfaces: USB-C, NFC |
YubiKey 5Ci |
506040846196 |
291 |
Protocols: FIDO2, U2F, Smartcard, OTP, OpenPGP 3 Interfaces: USB-C, Lightning |
Note: the user experience may vary slightly depending on the make, model and browser so this guide should be used in conjunction with the manufacturer’s instructions.
- Go to My Sign-Ins
- On the security info page click + Add Method
On the security info page click + Add Method
- In the drop-down menu click Security Key
In the drop-down menu click Security Key
- Click Add (Note: At this step the system may sometimes prompt you to login again)
- Select USB device
Select USB device
- A message will appear asking you to have your security key ready. Click Next
Have your key ready
- The following message may be displayed: "Your PC will redirect you to a new window to finish setup"
Your PC will redirect you to a new window to finish setup
- Click OK at the Security key setup
Security key setup
- Click OK to continue
Continue setup
- Insert your security key into the USB port
Insert your security key into the USB port
- Now choose a new security key PIN. Make sure you enter a PIN which you will remember. The PIN should be between 4 and 8 digits long. If you have setup the key previously, enter your existing PIN
Create a PIN for this security key
or
Enter your existing PIN
- Click OK
- You will be prompted to tap the security key for verification purposes
Touch your security key
- You may sometimes be prompted to enter your SSO password for additional verification. Type your password in and click Sign-In. If not, go to step 16
Enter your password
- You will be prompted to authenticate using your existing default method of authentication.
Please authenticate to continue - Enter a name for your key and click Next
Name your security key. This will help distinguish it from other keys.
- The system will confirm that the hardware token is set-up. Click Done
You're all set!
- The hardware token will appear on your security info page
The hardware token will appear on your security info page
To set up a hardware token in Linux you may need your browser to present itself as running OSX (Apple’s operating software). The best way to do this is through Chrome:
- Install the Chrome Extension “User Agent Switcher” (offered by Google)
- Once installed, go to the options for the extension and add a new user agent under Chrome
The fields are:
- New User-agent name: YubiKey (or whatever you want) New User-Agent
- String: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198
- Safari/537.36
- Group: leave empty
- Append? : Replace
- Indicator Flag: OSX
Once done, switch the agent to OSX, then follow the instructions in the above section for setting up hardware tokens for MFA.
Setting up a hardware token can only be done after another multi-factor authentication method has been set-up. This means that the hardware token is not automatically set as your default sign-in method.
This section will guide you through the process of how to make a hardware token your default sign-in method when logging in for the first time.
- Insert your hardware token into the USB port
- Select the account, which you would like to sign-in to, and go to step 3
If the account is not listed, click Use another account and choose, Sign-in options and Sign in with a security key then go to step 4
Select the account you want to login with
- The Oxford Single Sign-On page will display. Click Sign in with a security key
Click Sign in with a security key
- Enter your security key PIN and click OK
Please enter your security key PIN
- You will be prompted to tap the security key for verification purposes
Touch your security key
- The login process is complete, and the hardware token is now the default sign-in method.
For future sign-ins you will be prompted for the pin to unlock the hardware token, rather than your password.
The IT Service Desk doesn’t have the capability to reset the credentials for a hardware token. This must be done by the user. To reset your hardware token, follow the steps outlined in the steps on the manufacturer’s website.
Get support
Local IT support provides your first line of on-the-spot help
Common requests and fault reports can be logged using self-service
The Central IT Service Desk is available 24x7 on +44 1865 6 12345
If you do not have access to your Single Sign-On, you can use this form to contact the Service Desk