MFA: how often should I get prompted?
An explanation of frequency of MFA prompts and conditional access policies
This page explains how often you should expect to get prompted to do MFA on your Oxford Single Sign-On (SSO) account and goes into more detail about conditional access policies.
When do I get prompted for MFA?
MFA prompts should be expected at the start of each session. Over time, with repeated use of the same devices from the same locations, these prompts may decrease in frequency. Some systems may prompt for MFA more often than others, and unusual account activity may also increase the frequency of MFA prompts. Simply changing or staying on the same IP address is not enough, on its own, to either trigger or suppress MFA prompts.
MFA prompts should be expected when you first log into a service or app that requires your SSO login. However, how often you are asked to verify with MFA will vary depending on what service you are using and whether you are using a browser or an app.
Browser-based sessions will time out, depending on which service you are accessing:
- Azure login based services, which include Outlook, Outlook Web Access (OWA), Teams, OneDrive, Office, SharePoint Online, Dynamics365, Teams Web Client, should persist for seven days, which means you should only be asked to verify with MFA every seven days
- Shibboleth protected resources, such as CoSy, TeamSeer or Clarity, should persist for 11 hours, which means you will be asked to verify with MFA every 11 hours
- If you close your browser, you will be asked to verify again with MFA
- If you log in to one service in a browser, you shouldn't need to verify with MFA for other services in the same browser (including on other tabs) until the session expires or the browser is closed
- If you use several different browsers, such as Chrome, Firefox or Edge, you will be prompted to authenticate after timeout for each browser session
- In addition to the above, some services may require you to refresh your login more frequently; these rules are imposed by the individual services. For example, Outlook Web Access (OWA) logs you out after 8 hours of inactivity
Applications, unlike browsers, have a 90-day rolling token, which means that you should not be asked to verify with MFA if you use an app more frequently than every 90 days. Any changes that cause you to log in again, such as a software update, will trigger MFA verification.
Examples of such applications are:
- Outlook (Windows, Android, Mac/iOS)
- Mac Mail
- Office applications
- Teams on Windows (NB: not web version)
- OneDrive client for Windows
- Flow app for Mobile Devices
Note: Teams on Linux behaves like a browser application and, as such, session times act in line with the browser session of seven days.
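The browser and application rules above can be replayed over a timeline to see which sign-ins would prompt for MFA. This is an added example, not part of the original page or any University system; the event format, the `replay` function and the sample timeline are constructed for illustration, and it assumes a browser session's lifetime is counted from the last MFA verification in that browser.

```python
from datetime import datetime, timedelta

# Lifetimes as stated on this page.
BROWSER_LIFETIME = {"azure": timedelta(days=7), "shibboleth": timedelta(hours=11)}
APP_ROLLING_WINDOW = timedelta(days=90)

def replay(events):
    """Return the (time, client, service) events that would prompt for MFA.
    Event: (time, action, client, service). client is "browser:<name>" or
    "app:<name>"; action is "use", "close" (browser closed) or "relogin"
    (app forced to sign in again, e.g. after a software update)."""
    last_mfa = {}   # browser -> time of last MFA (assumed start of session)
    last_use = {}   # app -> time of last use (rolling token)
    prompts = []
    for when, action, client, service in events:
        if action in ("close", "relogin"):
            last_mfa.pop(client, None)
            last_use.pop(client, None)
        elif client.startswith("app:"):
            seen = last_use.get(client)
            if seen is None or when - seen > APP_ROLLING_WINDOW:
                prompts.append((when, client, service))
            last_use[client] = when      # every use renews the 90-day token
        else:
            verified = last_mfa.get(client)
            if verified is None or when - verified > BROWSER_LIFETIME[service]:
                prompts.append((when, client, service))
                last_mfa[client] = when  # only a fresh MFA restarts the clock
    return prompts

# Constructed timeline, not real log data.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    (T0, "use", "browser:firefox", "azure"),                            # prompt
    (T0 + timedelta(hours=1), "use", "browser:firefox", "shibboleth"),  # no prompt
    (T0 + timedelta(hours=2), "use", "app:outlook", "azure"),           # prompt
    (T0 + timedelta(hours=12), "use", "browser:firefox", "shibboleth"), # prompt: >11h
    (T0 + timedelta(hours=13), "use", "browser:chrome", "azure"),       # prompt: new browser
    (T0 + timedelta(hours=14), "close", "browser:chrome", None),
    (T0 + timedelta(hours=15), "use", "browser:chrome", "azure"),       # prompt: was closed
    (T0 + timedelta(days=60), "use", "app:outlook", "azure"),           # no prompt
    (T0 + timedelta(days=120), "use", "app:outlook", "azure"),          # no prompt: rolling
    (T0 + timedelta(days=121), "relogin", "app:outlook", None),
    (T0 + timedelta(days=121), "use", "app:outlook", "azure"),          # prompt
]

if __name__ == "__main__":
    for when, client, service in replay(SAMPLE):
        print(when.isoformat(), client, service)
```

The app stays signed in at day 120 because its use at day 60 renewed the token, while the Firefox session prompts again at 12 hours because earlier activity does not extend it in this model.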