Multi-factor authentication (MFA) becoming even more secure

From 19 September 2023, some users may notice a change to the multi-factor authentication (MFA) process. This change is being implemented by Microsoft to encourage users to move to more secure methods of MFA. Not all users will experience a change: it will depend on which MFA methods you have registered and which is set as your default. Full details are provided below.

How will MFA be different?

When you sign in and are asked for authentication to access certain systems or documents, Microsoft’s new ‘system preferred MFA’ process will check the authentication methods you have set up and will present you with the most secure method that you have registered based on the following order:

  1. Security key/hardware token
  2. Microsoft Authenticator app
  3. Time-based one-time password
  4. Text message or phone call

You can read more about the full list of available MFA methods on the IT Help website. 

We recommend that all users have more than one method of MFA set up so that you can access University systems if your first method (e.g. your mobile device) is lost or faulty (see below). The change to 'system preferred MFA' means that you will be prompted to use the most secure of your chosen methods; you can check which methods you have set up by logging in to the My Sign-ins website using your Oxford username in the format abcd1234@ox.ac.uk and your SSO password.

Microsoft's 'system preferred MFA' will override the default preference you have set if it is less secure than one of the other methods, but you will still be able to choose whichever registered authentication method you prefer. Please note that the prompt will always indicate the most secure method which Microsoft recommends that you use, helping you to keep personal and University data secure.   

If you are still using telephony options for your MFA, we recommend that you move to Microsoft’s Authenticator app or a security key (such as the FIDO key). 

Do you have a second authentication method set up? 

If you don't already have more than one method of authentication set up, take this opportunity to set up a second method of MFA on a separate device. This really helps if you lose or damage your primary method of authentication, as it is then much quicker to get set up again. Full instructions, along with the complete list of authentication methods, are available on the MFA help page.

Further information 

Our MFA help pages have been updated to reflect this change.