MFA troubleshooting


If you have set up MFA but do not have access to your MFA device and your need is not urgent, it is advisable to wait until you can regain access. You should then set up additional verification methods that do not use the same device.

If you urgently need to access your account, your MFA settings will need to be reset by your local IT support team. If you are unable to contact your local IT support team, please speak to the central IT Service Desk.

If you can use an alternative MFA method to log in to your account, remove the MFA methods used with your missing device, then use the Sign out everywhere option on the My Sign-ins website.

If you are unable to use an alternative MFA method, your MFA settings will need to be reset by your local IT support team. If you are unable to contact your local IT support team, please speak to the central IT Service Desk.

If you have previously set up MFA, you must provide this authentication when adding new devices. If you no longer have access to your current authentication method, for example if you have replaced a phone that provided this, your MFA settings will need to be reset by your local IT support team. If you are unable to contact your local IT support team, please speak to the central IT Service Desk.

Following a reset of your MFA settings, you should set up additional verification methods to prevent future issues.

Older operating systems and applications may not prompt for a second factor, so may not be compatible with MFA.

Unsupported

The following are not supported before the version shown, or not at all.

  • Android 8
  • iOS 11
  • macOS 10.14
  • Safari 14 (macOS)
  • Office for iPad Pro (iOS 11)
  • Office for iPad and iPhone (iOS 12)
  • Thunderbird 78
  • Evolution 3.27.91
  • Office 2013 (modern authentication can be enabled)
  • Samsung Mail (does not work in most cases)
  • Android Mail (does not work)
  • Gmail (does not work)

Security keys

Security keys function slightly differently as your browser must be able to prompt for them. Most popular browsers can be used with Windows computers; for other devices the Chrome browser is likely to work, but others may not.

One-time passwords are only valid for a short time and cannot be created correctly if the time of your device is incorrect.  You should synchronise your device to ensure it is using the correct time, date and time zone.
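The time dependence described above, shown as an added example (not part of the original page or the service's own code). It assumes the common RFC 6238 defaults of 30-second steps, 6 digits and HMAC-SHA1 with a one-step acceptance window; the function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code (assumed RFC 6238 default, not stated on the page)
DIGITS = 6     # code length (assumed)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on the secret and the clock."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept codes from the current step and `window` steps either side of it."""
    return any(
        hmac.compare_digest(code, totp(secret, server_time + k * STEP))
        for k in range(-window, window + 1)
    )

def estimate_skew(secret: bytes, code: str, server_time: int, max_steps: int = 20):
    """Return the device clock offset, in steps, that would explain `code`, or None."""
    for k in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(code, totp(secret, server_time + k * STEP)):
            return k
    return None

# Constructed sample values: the RFC 6238 test secret and an arbitrary server time.
SECRET = b"12345678901234567890"
SERVER_TIME = 1_700_000_000

if __name__ == "__main__":
    for label, drift in [("in sync", 0), ("20 s fast", 20), ("5 min slow", -300)]:
        code = totp(SECRET, SERVER_TIME + drift)
        print(label, code, verify(SECRET, code, SERVER_TIME),
              estimate_skew(SECRET, code, SERVER_TIME))
```

A device 20 seconds fast still falls inside the acceptance window, while one five minutes slow produces a code ten steps stale, which the server rejects until the clock is synchronised.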

Opening the Microsoft Authenticator app should display current notifications, but the following may enable automatic push notifications.

 

| Cause | Resolution |
| --- | --- |
| No internet connection | Check your phone's data and WiFi access. In these situations the app can also provide a one-time password. |
| Notifications are disabled | Check that push notifications are enabled for the app in your phone's settings. |
| App has crashed | Try to force close the app and restart the phone. |
| App not set up successfully | Set up the app again. |
| Battery saving features | Battery saving features might be blocking background processes. Change the priority of the notifications or turn off battery saving features. |
| [Android] Notifications set to low priority | Settings vary for different versions, but try to start the Settings app, select Applications > Notifications, then check the notification priority. |
| [iOS] Can't receive over WiFi | If you can only receive notifications with mobile data, select Settings > General > Reset > Reset Network Settings. Please note that this will forget all WiFi networks and passwords, mobile settings and VPN/APN. |

| Cause | Resolution |
| --- | --- |
| Your login session expired | The sessions of devices left on constantly may expire whilst you are away from them. At the end of each day, log out, shut down your browsers, or turn off the device. |
| An account you own is being accessed by someone authorised to do so | The default MFA methods using Microsoft Authenticator, phone calls or text messages will contact you when an authorised person provides a correct SSO username and password for the account. |
| An account you own is being accessed by a third party | |

If the cause is not listed above, change your SSO password as a third party might be trying to access your account.

You should also check your recent sign in activity for where the login attempt was made from and report it to the Information Security team.

You will initially be prompted for authentication by your most secure registered method. The order is:

  1. Security key
  2. Microsoft Authenticator prompt
  3. One-time password
  4. Text message or phone call

The default setting will only apply if your most secure methods are equally secure. The default order is set by Microsoft.

Information about stale requests is provided on our page about how to fix stale request errors.

A 10-minute lock is applied to accounts following too many unsuccessful authentication attempts in a short time.

If the error is still happening after 30 minutes please contact the central IT Service Desk.
