Your Oxford SSO Account
What is SSO Used For?
Your university SSO account (usually in the format abcd1234@OX.AC.UK) is used to log into:
- Nexus365 email (Outlook)
- Course Materials Hub (Moodle)
- Various other websites/applications across the university
It is separate from your Maths IT account, Remote Access account, etc. Please see the IT Information for New Users page for more details of the different accounts.
SSO Account Activation
Your SSO account is created when you apply for a university card. The activation instructions are usually sent to your personal email address.
If you do not receive them, they expire before you use them, or you forget your login details after creating them:
- Staff: Ask the HR team to resend them, or visit the Maths IT team with your university ID
- Visitors: Ask the visitors coordinator to resend them, or visit the Maths IT team with your university ID
- Students: Contact your college IT support team
- Out of hours: Contact the Central IT Service Desk
Changing Your Password
Go to https://webauth.ox.ac.uk/password to change your SSO password. (This will not affect your Maths password or other accounts.)
Set a Security Question
Go to https://webauth.ox.ac.uk/security_question to set a security question that you can use to reset your SSO password if you should forget it in the future.
Forgotten Password / Security Question
If you have forgotten both your password and your security question/answer:
- Staff and visitors: Visit the Maths IT team with your university ID
- Undergraduate students: Contact your college IT support team
- Postgraduate students: Either contact your college IT support team or visit the Maths IT team with your university ID
- Out of hours: Contact the Central IT Service Desk
Once your ID has been verified, you will be provided with a rescue code that you can use to set a new security question and then reset your password.
Multi-Factor Authentication (MFA)
The university requires MFA for all SSO accounts. (Here is an OxCERT video on why MFA is needed.)
We strongly recommend setting up more than one MFA method, in case you find yourself in a situation where one method does not work - e.g. lost/broken mobile phone. We normally recommend that you set up the Microsoft Authenticator app on your smartphone, plus another method which does not depend on the same device.
You will be prompted to set up MFA when you first log into your SSO account. Alternatively, go to https://mysignins.microsoft.com/security-info and log in using your SSO username (e.g. abcd1234@ox.ac.uk), then click "Add sign-in method":

You can now choose which method to add:

Note: The methods available may vary over time. In particular, phone verification is being phased out, because it is less secure, and is not available to accounts created since 12 Aug 2025.
Microsoft Authenticator
For Microsoft Authenticator setup instructions, please see the IT Services article How to use multi-factor authentication.
Google/Other Authenticator
For Google Authenticator or other Authenticator app setup instructions, please see the IT Services article How to use multi-factor authentication ("Alternative authenticator" tab).
KeePassXC
KeePassXC is an open source, local-first password manager that is pre-installed on departmental desktops/laptops. You can use it to save passwords and MFA codes, all encrypted with a master password known only by you.
First, you need to create a password database:
- Open KeePassXC
- Click "Create Database"
- Enter a database name, e.g. "My Passwords"
- Accept the default encryption settings - click "Continue"
- Set a strong Master Password to encrypt your database
- Click "Done"
- Choose somewhere within your home directory to save the database
Each time you launch KeePassXC it will prompt for your master password automatically. (If not, click "Open Database" and select the database you created earlier.)
Next, create an entry in the database:
- Click "New Entry"
- Fill in the following:
  - Title: Oxford SSO
  - Username: e.g. abcd1234@ox.ac.uk
  - Password: Your SSO password (optional)
  - URL: https://login.microsoftonline.com
- Click "OK"
Now we can set up MFA:
- Right-click the "Oxford SSO" entry you just created
- Click "TOTP" then "Set up TOTP"
- In the Microsoft "Add a sign-in method" window (see above), select "Microsoft Authenticator"
- Click "Set up a different authentication app", then "Next"
- Click "Can't scan the QR code?"
- Click "Copy key"
- Go back to KeePassXC and paste the secret key into the box - e.g. press Ctrl-V on Windows/Linux, or Option-V on macOS
- Click "OK" to save it
- Right-click the "Oxford SSO" entry again
- Click "TOTP" then "Copy TOTP"
- Go back to the Microsoft setup page and click "Next"
- Paste the code into the box - e.g. press Ctrl-V on Windows/Linux, or Option-V on macOS
- Click "Next" to complete the process
When you are prompted to enter your authenticator code when logging in:
- Click the "Authenticator" icon
- Click the 6-digit code to copy it to the clipboard
- Paste the code into the box - press Ctrl-V on Windows/Linux, or Option-V on macOS
- Click "Verify"
Alternatively, to streamline this, there is a browser extension you can use...
KeePassXC-Browser Integration
Initial setup:
- In KeePassXC, go to Tools → Settings → Browser Integration
- Tick "Enable browser integration"
- Tick the browser(s) that you want to use it with
- Click "OK"
- Install the browser extension/add-on for your browser (Chrome/Edge/Firefox)
- Click the "KeePassXC-Browser" icon (it may be hidden in the "Extensions" menu by default)
- Click "Connect"
- Enter a name to identify the browser, e.g. "Edge on Maths desktop"
- Click "Save and allow access"
Your browser now has access to your KeePassXC database.
Next time you log in, you should see the KeePassXC icon next to each field (username, password, code) - simply click it to fill in that field automatically:

If the icon doesn't appear automatically, click the KeePassXC icon in the toolbar then "Redetect login fields". Alternatively, right-click the field, go to the "KeePassXC-Browser" submenu, then select "Fill in Username/Password/TOTP", as appropriate. There are also keyboard shortcuts available - see KeePassXC → Settings → Keyboard shortcuts for details.
Authenticator Extension for Chrome/Edge/Firefox
Authenticator Extension is a simple browser plugin that allows you to set up MFA on your desktop/laptop, without needing a phone. Their Quickstart guide includes screenshots that may be useful for reference.
To use it with your SSO account:
- Install it in your browser
- In the Microsoft "Add a sign-in method" window (see above), select "Microsoft Authenticator"
- Click "Set up a different authentication app", then "Next"
- Click the "Authenticator" icon on the browser (it may be hidden in the "Extensions" menu by default)
- Click the "Scan QR code" icon:

- Click and drag to select the Microsoft QR code with your mouse
- Click "OK" to confirm it has been added
- Click "Next"
- Click the "Authenticator" icon again
- Click the 6-digit code to copy it to the clipboard (it will be labelled with "Microsoft" and your SSO username)
- If prompted, click "Allow" to allow the extension to copy the code to the clipboard (you should only need to do this once)
- Paste the code into the box - e.g. press Ctrl-V on Windows/Linux, or Option-V on macOS
- Click "Next" to complete the process
When you are prompted to enter your authenticator code when logging in:
- Click the "Authenticator" icon
- Click the 6-digit code to copy it to the clipboard
- Paste the code into the box - press Ctrl-V on Windows/Linux, or Option-V on macOS
- Click "Verify"
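The "Copy key" step in the KeePassXC section and the "Scan QR code" step above both hand the app the same thing: a secret key from which every future 6-digit code is computed. The following is an added example, not part of the original page or any IT Services code, showing that computation (standard TOTP, RFC 6238) and why the key needs to be kept in an encrypted store. It assumes the QR code carries an otpauth:// URI with a Base32 key and the usual defaults (SHA-1, 6 digits, 30 seconds); the sample key and URI are constructed.

```python
import base64, hmac, struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample, not a real account key: the RFC 6238 test key
# "12345678901234567890" in Base32, wrapped in an otpauth:// URI (assumed format).
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_URI = ("otpauth://totp/Microsoft:abcd1234%40ox.ac.uk"
              "?secret=" + SAMPLE_KEY + "&issuer=Microsoft")

def parse_otpauth(uri):
    """Pull the TOTP parameters out of a QR-code payload."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"label": unquote(u.path.lstrip("/")),
            "secret": q["secret"],
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30)),
            "algorithm": q.get("algorithm", "SHA1").lower()}

def totp(secret_b32, now, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 code for Unix time `now`, derived only from the key and the clock."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    counter = struct.pack(">Q", int(now) // period)   # index of the time step
    mac = hmac.new(key, counter, algorithm).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)    # keep leading zeros

def verify(secret_b32, code, now, window=1, period=30):
    """Server-side check: accept adjacent time steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, now + i * period, period=period), code)
               for i in range(-window, window + 1))

if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], totp(p["secret"], 59, p["digits"], p["period"], p["algorithm"]))
    # The same key typed in by hand gives the same code: the key is the whole secret.
    print(totp(SAMPLE_KEY.lower(), 59))
```

Because the code depends only on the key and the current time, a wrong clock on your computer produces codes that are rejected, and anyone holding a copy of the key can generate valid codes.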
Hardware Security Key
If you have a hardware security key, such as a YubiKey, please see the IT Services article How to use multi-factor authentication ("Security key" tab).