Any SSO account granted an MFA exemption should be regarded as being at greater risk of compromise and unauthorised access.
Through their SSO accounts, some people have access to resources such as patient data, large volumes of personal data, valuable intellectual property, or privileged access to systems. The impact of a breach of such accounts may therefore be significantly higher than for the vast majority of SSO accounts.
This is not a reason to deny exemptions where they are genuinely unavoidable, nor to prevent anyone from doing their job. Nevertheless, thought should be given whether any degree of risk mitigation could reasonably be achieved through technical or procedural measures, or should otherwise be considered as part of local risk management.
Many people within the University are affiliated to multiple organisational units, for example, a department and a college. People should be encouraged to discuss such issues within the parts of the University that they access such critical resources.
General principles
MFA exemptions should only be granted as a last resort:
- An exemption must only be granted if none of the available MFA methods can reasonably be implemented. Ensure that all supported methods are considered before requesting.
- Exemptions should not be granted to avoid the cost of implementing an alternative, such as purchasing a hardware token.
- We aim to be sympathetic to people needing an exemption due to accessibility needs while striving to make MFA, and the advantages it brings, accessible to all.
Primary accounts
A primary account is an account granted to a named individual, typically with a username of the form abcd1234@ox.ac.uk and an associated email address of the form firstname.lastname@unit.ox.ac.uk.
Primary SSO accounts are assigned to individuals for their own use only. No other person should log in to a personal account, and an MFA exemption must not be granted solely for this purpose. Where access to an individual's mailbox is required, for instance by their PA, this should be handled though delegated access.
If necessary, seek further advice about available options from your local IT support staff (ITSS) or the central IT Service Desk.
Secondary accounts
Secondary accounts are non-personal SSO accounts, typically assigned to a particular role, project or resource. Each account has a designated owner, but some or all functions may be accessed by one or more other people. Such accounts must be requested by registered IT support staff or other authorised approver as agreed with IT Services.
Shared access
Certain functions can be shared between people without the need to share login credentials. For example, shared access to a mailbox or calendar should be achieved through delegated access permissions.
Accounts with multiple users
Where a password needs to be shared, consider practical measures to avoid the need for an MFA exemption. For example, Teams Room devices require periodic reauthentication, and it is desirable that this is not limited to one specific person. Sending push notifications to multiple people may be problematic, so is not recommended for such cases. MFA can be set up via an alternate method, for example with each team member’s authenticator app set up to generate a verification code for the account when needed. Currently up to five authenticator apps can be set up for the account.
It is also possible to set up MFA for equipment within clean rooms using a security key or hardware token.
If in doubt, IT support staff should consider seeking advice from their peers. Frequently, someone in another part of the University has encountered a similar problem. For more complex requirements, the Service Desk or Information Security team can offer advice.
Notes on exemptions for people with disabilities
- We strive to be sensitive to the requirements of people with disabilities, while minimising the risk to University IT systems and data, and the potential impact a breach may have on the users themselves.
- If needed, users and ITSS can seek input from University Occupational Health.
- Care should be taken to ensure that information regarding a person's condition is shared no more widely than absolutely necessary. Such sensitive personal data is classified as Confidential and must be handled appropriately.
- Do not include details of conditions in requests to the Service Desk. If required, ask to speak to a member of the Service Desk team in confidence.
