Multi-factor authentication (MFA)

Set up and manage MFA for your Single Sign-On (SSO) account

Set up more than one MFA method

Add multiple methods so you do not rely on the same device, phone connection or internet access

 

Expand All

From 19 September 2023 you will be prompted to use the most secure method that you have registered, based on this order:
Method Description Requirements after setup Usage

Security key / Hardware token

 Physical device that usually plugs into your computer.

A security key supporting FIDO2 (check with your local IT support team).

compatible web browser.

Most commonly, provide a pin then touch a button on a USB device.
Microsoft Authenticator Default authenticator app suggested when setting up MFA.

An Android or iOS device.

Internet access (for authorisation prompts).

Prompts for authorisation.

Can provide a one-time password.
Alternative authenticator Authenticator apps such as Authy, Duo Security, or Google Authenticator. A mobile device. Provides a one-time password.
Authy Authenticator app for mobile devices and desktop computers.

A Windows, macOS, Linux, Android or iOS device.

 Provides a one-time password.
Phone call Automated call made to your phone number. A device able to receive phone calls.

Prompts to press # on your device.
Text message Automated text sent to your phone number. A device able to receive text messages. Provides a one-time password.

 

Travelling abroad

If you may travel abroad, add at least one method that does not require a phone connection or internet access.

 

Microsoft Authenticator is an app for Android and Apple mobile devices.

The app prompts for authorisation if an internet connection is available, or can provide a one-time password.

 

  1. Download Microsoft Authenticator from your device's app store.
  2. In a web browser, login to the My Sign-ins website using your Oxford username in the format abcd1234@ox.ac.uk and your SSO password.
  3. If MFA is already set up on your account, provide authentication using an existing method.
  4. If you do not enter the account setup automatically, select +Add sign-in methodAuthenticator appAdd
  5. If available, select Pair your account to the app by clicking this link and skip to step 9
  6. In the Microsoft Authenticator app, select + > Add account > Work or school AccountScan a QR code
  7. On the My Sign-ins website, select Next
  8. In the Microsoft Authenticator app, scan the displayed QR code.
  9. On the My Sign-ins website, select Next and you will be presented with a two-digit number.
  10. In the Microsoft Authenticator app, provide the test notification sent to the app with the two-digit number.

Many authenticator apps can provide a one-time password.  They should not require internet access or phone connectivity.

The setup process is provided below, but you may need to refer to your apps documentation.

 

  1. Download and install the authenticator.
  2. Open the authenticator and add a new account.
  3. In a web browser, login to the My Sign-ins website using your Oxford username in the format abcd1234@ox.ac.uk and your SSO password.
  4. If MFA is already set up on your account, you may need to provide authentication using an existing method.
  5. Select +Add sign-in methodAuthenticator appAdd
  6. Select I want to use a different authenticator app > Next
  7. If a QR code is displayed, either scan it (skip to step 11) or select Can't scan image
  8. In the authenticator, provide the Secret key displayed.
  9. If prompted, leave the Token length as 6 digit.
  10. On the My Sign-ins website, select Next
  11. Provide the 6 digit code displayed by the authenticator, then Next

Authy is an alternative authenticator app available for both desktop and mobile devices.

Authy provides a one-time password, only requiring a phone for its initial setup or internet access to set up additional devices.

 

  1. Download and install Authy from its web site, or your mobile device's app store.
  2. Open Authy, provide a phone number, email address and complete the initial setup.
  3. In Authy, select either + in the Tokens tab, or  > Add Account
  4. In a web browser, login to the My Sign-ins website using your Oxford username in the format abcd1234@ox.ac.uk and your SSO password.
  5. If an existing MFA method is already set, provide authentication using an existing method.
  6. If an existing MFA method is already set, select +Add sign-in methodAuthenticator appAdd
  7. Select I want to use a different authenticator app > Next
  8. If a QR code is displayed, if you can scan it in Authy then skip to step 14 otherwise select Can't scan image
  9. In Authy, if you are prompted to Scan QR Code select Enter Code Manually
  10. Provide Authy with the Secret key displayed on the My Sign-ins website.
  11. Select a logo for the account.
  12. Provide a name such as Nexus365.
  13. If prompted, leave the Token length as 6 digit.
  14. If prompted, provide a password for your Authy account.
  15. On the My Sign-ins website, select Next
  16. Provide the 6 digit code displayed in Authy, then Next

Set up Authy on additional devices

If you are setting up Authy on multiple devices it is better to synchronise your token across them.

During setup, an internet connection is required for both devices.

  1. Open Authy on your existing device.
  2. Select  > Settings  > Devices > enable Multi-Device
  3. Select  > Settings  > Accounts > enable Backups / Authenticator Encrypted Backups
  4. Create an Authy backup password.
  5. On any additional devices, download and install Authy from its web site, or the device's app store.
  6. If Authy is already set up on the additional device, reset it by either selecting Authy Desktop > Log out and reset device, or by reinstalling the app.
  7. Open Authy and provide the phone number used with the existing device.
  8. Select the Existing Device verification method.
  9. On the existing device, confirm the notification.
  10. On your additional device, select the Nexus 365 account.
  11. Provide your Authy backup password.

An automated call can be made to a land or mobile telephone number, prompting for the press of a specified key.

 

  1. In a web browser, login to the My Sign-ins website using your Oxford username in the format abcd1234@ox.ac.uk and your SSO password.
  2. If MFA is already set up on your account, provide authentication using an existing method.
  3. If you do not enter the account setup automatically, select +Add sign-in method > Alternative phone > Add
  4. Provide the phone number to use.
  5. Select Call me, then Next
  6. Verify the call made to the phone.

A one-time password can be sent to a telephone number.

 

  1. In a web browser, login to the My Sign-ins website using your Oxford username in the format abcd1234@ox.ac.uk and your SSO password.
  2. If MFA is already set up on your account, provide authentication using an existing method.
  3. If you do not enter the account setup automatically, select +Add sign-in method > Phone > Add
  4. Provide the phone number to use.
  5. Select Text me a code, then Next
  6. Provide the 6 digit code sent to your device, then Next

A security key, also known as a hardware token, is a device you can plug into your computer to authenticate your account.  Security keys are supported by your local IT support team.

An existing MFA method must be used during setup but the setup of different keys may vary slightly.

 

  1. In a web browser, login to the My Sign-ins website using your Oxford username in the format abcd1234@ox.ac.uk and your SSO password.
  2. Provide authentication using an existing method.
  3. Select +Add sign-in method > Security Key > Add
  4. If prompted, authenticate this using an existing authentication method.
  5. Select USB deviceNext > OK > OK
  6. Insert your security key into your device's USB port.
  7. Set a password to use with the key or provide the existing password.
  8. Touch your security key.
  9. If prompted, authenticate this using an existing authentication method.
  10. Provide a name to help you to identify the authentication method.

The following assume the method is set as your default authentication method.

 With internet access

  1. Provide your username in the format abcd1234@ox.ac.uk and your SSO password and select sign in.
  2. After selecting sign in you will be presented with a two-digit number on your screen.
    MFA. Screenshot showing Microsoft authenticator app number matching example
  3. The Microsoft Authenticator app on your phone will ask you to enter the numbers shown on your computer screen into the Microsoft Authenticator app.
    MFA. Screenshot showing adding a number into the Microsoft authenticator example without numbers
  4. Once you have entered the numbers, select Yes.
    MFA. Screenshot showing adding a number into the Microsoft authenticator example with numbers
  5. After selecting Yes you will have approved your authentication request and be able to continue using your computer.

Without internet access

  1. Provide your username in the format abcd1234@ox.ac.uk and your SSO password.
  2. Select I can't use my Microsoft Authenticator app right nowUse a verification code
  3. Open Microsoft Authenticator
  4. Select the account used for your SSO account.
  5. Provide the 6 digit password displayed by the app.

Authentication apps such as Authy and Google Authenticator should work in the same way, but may differ slightly.  You should not require internet access.

  1. Provide your username in the format abcd1234@ox.ac.uk and your SSO password.
  2. Open the authenticator app.
  3. Select the account used for your SSO account.
  4. Provide the 6 digit password displayed by the app.

Warning: Only approve notifications you initiate

Check why you may receive authentication calls that you did not initiate

 
  1. Provide your username in the format abcd1234@ox.ac.uk and your SSO password.
  2. A call will be made to your nominated phone.
  3. Listen to the automated message and press the phone's hash/pound key # to confirm that you initiated this.

You will have around 30 seconds to approve the message from the time you pick up the call.

  1. Provide your username in the format abcd1234@ox.ac.uk and your SSO password.
  2. A text message will be sent to your nominated phone.
  3. Provide the 6 digit password provided in the text message.
  1. Provide your username in the format abcd1234@ox.ac.uk
  2. Insert the security key into your device's USB port.
  3. Provide your security key pin.
  4. Touch your security key.

  1. In a web browser, login to the My Sign-ins website using your Oxford username in the format abcd1234@ox.ac.uk and your SSO password.
  2. Select the Delete option, next to the method you want to remove.

If you delete your default sign-in method, the next available method will automatically become your default method.

Preferred MFA method change

From 19 September 2023, the authentication requested when initially signing in will change to your most secure registered method.  The order of this being:

1. Security key / Hardware token
2. Microsoft Authenticator prompt
3. Time-based one-time password
4. Text message or phone call

 

 

To update your default MFA method:

 

  1. In a web browser, login to the My Sign-ins website using your Oxford username in the format abcd1234@ox.ac.uk and your Single Sign-On (SSO) password.
  2. Select the Change option, next to Default sign-in method
  3. Select the drop-down menu and choose your preferred default sign-in method.

Related links

Get support

If you cannot find the solution you need here then we have other ways to get IT support

Get IT support