Setting up or adding a 2nd factor for central university Single Signon

The university has enabled MFA (Multi-Factor Authentication) for its Webauth services. Whilst the use of a second factor is not currently being enforced, if you need to use secure Weblearn you do need to enable it and it will be compulsory for everyone from March 2021.

To setup the second factor please go to https://mysignins.microsoft.com/security-info and login using "<sso>@ox.ac.uk" as your username (where <sso> is your central university SSO account username). In the next page click on "Add Method"

Screenshot

You can now choose which method to add. You can setup multiple methods, which is advisable in case you find yourself in circumstances where one method does not work (eg no mobile reception). We would normally recommend that you setup the Microsoft Authenticator app on your smartphone and another method which does not depend on the same device. The following methods are currently enabled:

  • Authenticator app: This is a method where you either use the Microsoft Authenticator mobile app to simply click "Approve" when a 2nd factor is required or where you use a third party mobile or a laptop/desktop application to generate the required codes. (multiple applications can be configured)
  • Security key: This is a method where you have a hardware token and would like to use that for 2nd factor authentication.
  • Phone / Alternative Phone: This is a mobile phone text method or a phone call method (to any phone) where Microsoft would call/text you a code whenever the second factor is required. Please note that this method requires your phone to have mobile reception to receive the calls/texts. (2 phones allowed)
  • Office phone: This is a method where Microsoft would call your office phone. (1 phone allowed)

For most of these will be self explanatory how to set them up, so we will just further document the Authenticator app method for Microsoft Authenticator and Third Party TOTP applications. Two free cross platform third party apps are Authenticator for Chrome/Firefox/Edge, which is a really simple browser plugin or KeePassXC which is a full featured password manager that can be integrated with browsers, mobile phones etc.:

 

  • Select "Authenticator app" as the method above and click "Next".
  • Install the authenticator app you plan to use. This could be Microsoft Authenticator if you plan to use that to simply click "Approve" whenever a 2nd factor authentication is required or a simple mobile app such as Google Authenticator or a desktop password manager such as KeePassXC.
  • If you are planning to use the Microsoft Authenticator you can now just follow the instructions in the dialogs which should be straightforward.
  • If you are planning to use a Third Party phone/desktop/laptop application, please click "I want to use a different authenticator app".
  • In your app start creating a new account. Eg in KeePassXC select "Entries" and then "Add New Entry" give it a name and add any other details you may want and then save the entry.
  • Click "Next" in the "Set up your account" dialog on the Microsoft website.
  • You will now be given a QR code which you can scan if you application supports that (most relevant for mobile applications). Otherwise click "Can's scan image?" and you will be given a "secret key" to enter into the app. For example in KeePassXC right click on your created entry and select "TOTP..." -> "Set up TOTP..." and enter the security key in the dialog (leave all other settings on defaults).  You can now go to "TOTP" -> "Show TOTP" to display the generated codes which you can now use to complete the Microsoft dialog.
  • Enter the generated code in the final dialog to confirm the method.

Once you have the application setup you can now use it to generate the required codes. You can also setup another application if you wish, for example if you wanted one on your mobile and one on your laptop etc.

Here is an OxCERT video on why MFA is needed and how to set it up

Please contact us with feedback and comments about this page. Last updated on 02 Apr 2022 21:54.