One of the first things you’ll run into when using your SSO account is Multi-Factor Authentication (MFA). This is an extra level of security put in place to offer a method of authentication in addition to the typical username and password. It means that if someone’s password became compromised, attackers would still need access to that person’s other method of authentication (e.g. a phone number/app/security key) before they were able to get into their emails/files. It is now mandatory for staff and students at Oxford to have MFA enabled on their account, so we thought we would outline some things you can do to improve your experience with it.
Set up multiple methods of authentication. This is the most important point, as having multiple methods dramatically decreases the likelihood that you will be locked out of your account if you lose access to your phone/computer. You can set up more than one method of authentication, for example, the Microsoft Authenticator app and a phone number. It works best when the methods are on different devices – having the Microsoft Authenticator app on your phone and using the Authy app on your computer gives you a backup in case anything happens to one of your devices. For more information on what’s available, go here: https://help.it.ox.ac.uk/mfa
Check your methods of authentication (and remove old methods as necessary!). They are easy to manage and can be accessed by logging into your ‘My Sign-ins’ page here: https://mysignins.microsoft.com/security-info. You can add new methods of authentication or remove old ones. For more information, go here: https://help.it.ox.ac.uk/mfa-managing-your-multi-factor-authentication-set-up.
Notify us if you receive an MFA notification you didn’t expect. If you are not currently trying to log into a service, and you receive an MFA prompt, it is best to contact us at email@example.com and initiate a password reset, as it may indicate a compromised account. Your data should be safe so long as you don’t approve the rogue login attempt.
Avoid moving to a new phone before setting up an alternate method of authentication. Our system has no way of knowing a new phone is linked to you, so you will either need to keep your old phone until you have set up MFA on your new phone, or use an alternate method of authentication that you have set up (e.g. a landline number or Authy on your computer). For assistance setting up MFA on your new phone, go here: https://help.it.ox.ac.uk/mfa-setting-up-multi-factor-authentication-on-a-new-phone
Phone calls and text messages may not work well as a primary method of authentication at college (but still use them as alternate methods of authentication!). Mobile signal in college can be quite patchy, so it is best to use the Microsoft Authenticator app on your phone, or the Authy app on your computer, as your primary method of authentication. Both apps can work with or without internet (through the use of one-time passcodes). If you need assistance connecting to Wi-Fi, please visit our guide here.
The Microsoft Authenticator (and other authenticator apps) can generate codes to get you signed in when you’re offline. If you have an authenticator app set up as a method of authentication, it will have a function to generate a code for you to input as an alternative to an approval notification from the app. To access this, when signing in, click on ‘I can’t use my Microsoft Authenticator app right now’ and then click on ‘Use a verification code from my mobile app’. Then go to your authenticator app on your phone, click on your Nexus account and enter the 6-digit code it has generated. This method is independent of internet access, so you can do it from your phone when you don’t have data/Wi-Fi and still get logged in on your computer.
Central IT Services have also put together an information page on managing your MFA, which you can find here: https://www.it.ox.ac.uk/article/managing-mfa#/