MFA help


MFA setup and usage information is provided on our Multi-factor authentication (MFA) page.

The University of Oxford has a particularly high profile in teaching and research and we are under continuous cyberattack.

MFA was introduced to protect the University's systems and data.  It increases security by double-locking accounts: a further method of verification is required in addition to your SSO username and password.

If you have set up MFA but do not have access to your MFA device and the need is not urgent, it is advisable to wait until you can regain access.  You should then set up additional verification methods that do not use the same device.

If you urgently need to access your account or none of your verification methods are working, please contact your local IT support team to reset them.  If you are unable to contact your local IT support team, please speak to the Service Desk.

If you can use an alternative MFA method to log in to your account, delete the MFA methods used with your missing device, then use the Sign out everywhere option on the My Sign-ins website.

If you are unable to use an alternative MFA method, please contact your local IT support team for assistance.  If you are unable to contact your local IT support team, please speak to the Service Desk.

Causes and resolutions:

  • Cause: Your login session expired.  Resolution: The sessions of devices left on constantly may expire whilst you are away from them.  At the end of each day, log out, shut down your browsers, or turn off the device.
  • Cause: An account you own is being accessed by someone authorised to do so.  Resolution: The default MFA methods using Microsoft Authenticator, phone calls or text messages will contact you when an authorised person provides a correct SSO username and password for the account.
  • Cause: An account you own is being accessed by a third party.

If the cause is not listed above, change your SSO password as a third party might be trying to access your account.

You should also check your recent sign-in activity to see where the login attempt was made from, and report it to the Information Security team.

Opening the Microsoft Authenticator app should display current notifications, but the following may enable automatic push notifications.

 

Causes and resolutions:

  • Cause: No internet connection.  Resolution: Check your phone's data and WiFi access.  In these situations the app can also provide a one-time password.
  • Cause: Notifications are disabled.  Resolution: Check that push notifications are enabled for the app in your phone's settings.
  • Cause: App has crashed.  Resolution: Try to force close the app and restart the phone.
  • Cause: App not set up successfully.  Resolution: Set up the app again.
  • Cause: Battery saving features.  Resolution: Battery saving features might be blocking background processes.  Change the priority of the notifications or turn off battery saving features.
  • Cause: [Android] Notifications set to low priority.  Resolution: Settings vary for different versions, but try to start the Settings app, select Applications > Notifications, then check the notification priority.
  • Cause: [iOS] Can't receive over WiFi.  Resolution: If you can only receive notifications with mobile data, select Settings > General > Reset > Reset Network Settings.  Please note that this will forget all WiFi networks and passwords, mobile settings and VPN/APN.

One-time passwords are only valid for a short time and cannot be created correctly if the time of your device is incorrect.  You should synchronise your device to ensure it is using the correct time, date and time zone.

Stale request information is provided on our How to fix stale request errors page.

A 10-minute lock is applied to accounts following too many unsuccessful authentication attempts in a short time.

If the error is still happening after 30 minutes, please contact the Service Desk.

The authentication requested when you initially sign in has now been updated to match your most secure registered method.  The order is:

  1. Security key / Hardware token
  2. Microsoft Authenticator prompt
  3. Time-based one-time password
  4. Text message or phone call

Older operating systems and applications may not prompt for a second factor, so may not be compatible with MFA.

Unsupported

The following are not supported before the version shown, or not at all.

  • Android 8
  • iOS 11
  • macOS 10.14
  • Safari 14 (macOS)
  • Office for iPad Pro (iOS 11)
  • Office for iPad and iPhone (iOS 12)
  • Thunderbird 78
  • Evolution 3.27.91
  • Office 2013 (must be enabled for this version)
  • Samsung Mail (does not work in most cases)
  • Android Mail (does not work)
  • Gmail (does not work)

Security keys

Security keys function slightly differently, as your browser must be able to prompt for them.  Most popular browsers can be used with Windows computers.  For other devices the Chrome browser is likely to work, but others may not.

MFA prompts occur when you log into apps and services using your SSO or when your session times out.

Some systems may impose their own rules, prompting for MFA more often than others depending on the person's account activity.  In most cases, however, prompt frequency will depend on the service and whether you are using a web browser or standalone application.

Web browsers

Browser based session timeouts depend on the type of service you are accessing:

  • Azure login based services, such as web based versions of Outlook, Teams, OneDrive, SharePoint Online, Dynamics365, should persist for 7 days.
  • Web based Outlook has a session time out of 8 hours.
  • Shibboleth protected resources, such as CoSy, TeamSeer or Clarity, should persist for 11 hours.

The browser will not require authentication again until the session expires or the browser is closed.

Please note the session timeouts outlined above are the advertised session times set by the policy. However, it is possible to configure some browsers to retain sessions on closure or to utilise the Windows Work or school accounts on your device through your browser, so the sessions persist longer than advertised.

Applications

Standalone desktop and mobile applications have a token that should persist for 90 days unless you need to log in again for other reasons, such as following a software update.

The Linux Teams application is a notable exception as it behaves like a browser application, with session times persisting for 7 days.

You should be able to switch between two separate logins.  If you cannot, clearing your web browser's cache and cookies should resolve the issue.

You can also keep logins separate by using:

  • a different browser for each login, such as Chrome and Firefox.
  • a separate browser profile for each login.
  • a private / incognito window for a second login.

MFA exemptions can be requested due to exceptional circumstances.  Please refer to our MFA exception guidance.

All available MFA options should first be discussed with your local IT support team as an exemption could lead to severe consequences for the University through data loss, system impairment and reputational damage.

Exemptions are requested using the Exemption from Multi-Factor Authentication (MFA) service request and must be authorised by someone such as your manager, supervisor, tutor or administrator.

Microsoft disabled basic authentication in January 2023; as such, app passwords can no longer be used for MFA.

Using a smartwatch to approve Microsoft Authenticator approval requests is no longer possible following the introduction of number matching on 22 February 2023. It is recommended to remove the Microsoft Authenticator app from smartwatches.

If you do not have the option to input the numbers into your Microsoft Authenticator app when requested, it may be that you need to upgrade your Authenticator app to the latest version. This will not affect your second method of authentication, if you have this set up, which you will be able to use as usual.
