Overview: Multi-factor authentication (MFA)

The University of Oxford has a particularly high profile and faces continuous threats from unauthorised account access attempts.

Multi-factor authentication (MFA) was introduced to protect the University's systems and data, increasing security by requiring an additional method of verification to be used along with your SSO username and password.

Full details on how to set up the different authentication methods are provided on our how to use MFA page. You should make sure to add multiple authentication methods so you do not rely on access to a particular phone or an internet connection.

Expand All

Method Description Requirements after setup Usage

Security key / Hardware token

Physical device that usually plugs into your computer

A security key supporting FIDO2

compatible web browser

Most commonly, provide a PIN then touch a button on a USB device

Microsoft Authenticator Default authenticator app suggested when setting up MFA

An Android or iOS device

Internet access (for authorisation prompts)

Prompts for authorisation

Can provide a one-time password

Alternative authenticator Authenticator apps such as Authy, Duo Security, or Google Authenticator A mobile device Provides a one-time password
OneAuth Alternative authenticator app for mobile and desktop devices A Windows, macOS, iOS or Android device Provides a one-time password
Phone call Automated call made to your phone number A device able to receive phone calls

Prompts to press # on your device

Text message Automated text sent to your phone number A device able to receive text messages Provides a one-time password


Travelling abroad

If you may travel abroad, add at least one method that does not require a phone connection or internet access.


MFA prompts occur when you log into apps and services using your SSO or when your session times out.

Some systems may impose their own rules, prompting for MFA more often than others depending on the person's account activity. In most cases however, prompt frequency will depend on the service and whether you are using a web browser or standalone application.

Web browsers

Browser based session timeouts depend on the type of service you access:

  • Azure login based services, such as web based versions of Outlook, Teams, OneDrive, SharePoint Online, Dynamics365, should persist for 7 days.
  • Web based Outlook has a session time out of 8 hours.
  • Shibboleth protected resources, such as CoSy or TeamSeer, should persist for 11 hours.

Authentication is not required again until the session expires or the browser is closed.

Timeouts outlined above are the advertised session times set by the policy, but some browsers can be set to retain sessions on closure and allow sessions to last longer than advertised.


Standalone applications have a token that should persist for 90 days unless you need to log in again for other reasons, such as following a software update.

The Teams application for Linux is an exception as it is similar to a browser, with session times persisting for 7 days.

MFA exemptions can be requested due to exceptional circumstances. Please refer to our MFA exception guidance.

All available MFA options should first be discussed with your local IT support team as an exemption could lead to severe consequences for the University through data loss, system impairment and reputational damage.

Exemptions are requested using the Exemption from Multi-Factor Authentication (MFA) service request and must be authorised by someone such as your manager, supervisor, tutor or administrator.

Get support

If you cannot find the solution you need here then we have other ways to get IT support

Get IT support