MFA help
Help for using multi-factor authentication (MFA) to access your single sign-on (SSO) account
The University of Oxford has a particularly high profile in teaching and research and we are under continuous cyber attack.
MFA was introduced to protect the University's systems and data, increasing security by double locking accounts, requiring an additional method of verification to be used in addition to your SSO username and password.
If you have set up MFA but do not have access to your MFA device, if it is not urgent then it is advisable to wait until you can regain access. You should then set up additional verification methods that do not use the same device.
If you urgently need to access your account or none of your verification methods are working, please contact your local IT support team to reset them. If you are unable to contact your local IT support team, please speak to the Service Desk.
If you can use an alternative MFA method to login to your account, delete the MFA methods used with your missing device then use the Sign out everywhere option on the My Sign-ins website.
If you are unable to use an alternative MFA method, please contact your local IT support team for assistance. If you are unable to contact your local IT support team, please speak to the Service Desk.
| Cause | Resolution |
| Your login session expired | The sessions of devices left on constantly may expire whilst you are away from them. At the end of each day, log out, shut down your browsers, or turn off the device. |
| An account you own is being accessed by someone authorised to do so | The default MFA methods using Microsoft authenticator, phone calls or text messages will contact you when an authorised person provides a correct SSO username and password for the account. |
| An account you own is being accessed by a third party |
If the cause is not listed above, change your SSO password as a third party might be trying to access your account. You should also check your recent sign in activity for where the login attempt was made from and report it to the Information Security team. |
Opening the Microsoft Authenticator app should display current notifications, but the following may enable automatic push notifications.
| Cause | Resolution |
| No internet connection | Check your phone's data and WiFi access. In these situations the app can also provide a one-time password. |
| Notifications are disabled | Check that push notifications are enabled for the app in your phone's settings. |
| App has crashed | Try to force close the app and restart the phone. |
| App not set up successfully | Set up the app again. |
| Battery saving features | Battery saving features might be blocking background processes. Change the priority of the notifications or turn off battery saving features. |
| [Android] Notifications set to low priority | Settings vary for different versions, but try to start the Settings app, select Applications > Notifications, then check the notification priority. |
| [iOS] Can't receive over WiFi | If you can only receive notifications with mobile data, select Settings > General > Reset > Reset Network Settings. Please note that this will forget all WiFi networks and passwords, mobile settings and VPN/APN. |
One-time passwords are only valid for a short time and cannot be created correctly if the time of your device is incorrect. You should synchronise your device to ensure it is using the correct time, date and time zone.
| Cause | Resolution |
| Cookies not enabled | Enable cookies within your web browser. |
| Cookies and cached content | Clear the cache and cookie information held by your browser and try again. |
| Old bookmarks | A bookmark for the login page might have expired. Try to navigate to the login from a different web page. |
| Multiple copies of the page | Multiple copies of the page might be open in your web browser. Close all instances of the page and try again. |
| Page accessed using the back button | Close and reopen the web browser and try again. |
A 10 minute lock is applied to accounts following too many unsuccessful authentication attempts in a short time.
If the error is still happening after 30 minutes please contact the Service Desk.
Older operating systems and applications may not prompt for a second factor, so may not be compatible with MFA.
Unsupported
The following are not supported before the version shown, or not at all.
- Android 8
- iOS 11
- macOS 10.14
- Safari 14 (macOS)
- Office for iPad Pro (iOS 11)
- Office for iPad and iPhone (iOS 12)
- Thunderbird 78
- Evolution 3.27.91
- Office 2013 (must be enabled for this version)
- Samsung Mail (does not work in most cases)
- Android Mail (does not work)
- Gmail (does not work)
Security keys
Security keys function slightly differently as your browser must be able to prompt for them. Most popular browsers can be used with Windows computers, for other devices the Chrome browser is likely to work but others may not.
MFA prompts occur when you log into apps and services using your SSO or when your session times out.
Some systems may impose their own rules, prompting for MFA more often than others depending on the person's account activity. In most cases however, prompt frequency will depend on the service and whether you are using a web browser or standalone application.
Web browsers
Browser based session timeouts depend on the type of service you are accessing:
- Azure login based services, such as web based versions of Outlook, Teams, OneDrive, SharePoint Online, Dynamics365, should persist for 7 days.
- Web based Outlook has a session time out of 8 hours.
- Shibboleth protected resources, such as CoSy, TeamSeer or Clarity, should persist for 11 hours.
The browser will not require authentication again, for the service accessed or other services, until the session expires or the browser is closed.
Please note the session timeouts outlined above are the advertised session times set by the policy. However, it is possible to configure some browsers to retain sessions on closure or to utilise the Windows Work or school accounts on your device through your browser, so the sessions persist longer than advertised.
Applications
Standalone desktop and mobile applications have a token that should persist for 90 days unless you need to login again for other reasons, such as following a software update.
The Linux Teams application is a notable exception as it behaves like a browser application, with session times persisting for 7 days.
You should be able to switch easily between two separate logins, but if you cannot then clearing your browsers cache and cookies should resolve the issue.
You can also keep logins separate by using:
- a different browser for each login, such as Chrome and Firefox.
- a separate browser profile for each login.
- a private / incognito window for a second login.
MFA exemptions can be requested due to exceptional circumstances, such as accessibility issues.
Please first discuss all available MFA options with your local IT support team. The circumstances for exemptions are limited and regularly reviewed as they reduce the security of an account, which could lead to severe consequences for the University through data loss, system impairment and reputational damage.
Exemptions are requested using the Exemption from Multi-Factor Authentication (MFA) service request and must be authorised by someone such as your manager, supervisor, tutor or administrator.
Microsoft disabled basic authentication in January 2023, as such app passwords can no longer be used for MFA.
Using a smart watch to approve Microsoft Authenticator approval requests is no longer possible following the introduction of number matching on the 22 February 2023. It is recommended to remove the Microsoft Authenticator app from smart watches.
If you do not have the option to input the numbers into your Microsoft Authenticator app when requested, it may be that you need to upgrade your Authenticator app to the latest version. This will not affect your second method of authentication, if you have this set up, which you will be able to use as usual.
Get support
If you cannot find the solution you need here then we have other ways to get IT support
