Information Services Division


Multi-Factor Authentication (MFA)

Information and guidance for staff, students and alumni registering for MFA.

What is MFA?

Multi-factor Authentication (MFA) is a process that adds a second layer of verification to your UCL account when you sign in. This should be familiar for anyone using online banking and many other accounts for other online services (such as Google, Facebook, Apple, etc.).

You can find a simple explanation of the importance of MFA in this guide from the National Cyber Security Centre.

Why is UCL using MFA?

The university holds a large quantity of personal data, of both staff and students, as well as storing confidential research data with commercial value, which an industry-standard technology such as MFA helps protect. The huge increase in online activity in recent years means our computer accounts are at much more risk than they used to be and tend to contain much more data, so protecting them is especially important. UCL's role as a leading research university means our online activities are under a greater threat of attack now than they have ever been. If an account is compromised, it could lead to loss of data, as well as reputational and financial damage to individuals and the University as a whole.

More information on UCL's Enhanced MFA is available on SharePoint (April 2024).

Which services will be protected with MFA?

MFA is being extended to provide an extra layer of protection for the majority of digital services used at UCL. How often you will be asked to provide an MFA check will depend on which services you use, the kind of data they store, and the level of access you have. Applications that contain more sensitive data, where risks of unauthorised access are greater, or where users have privileged access (such as administrator or super-user) will generally require more frequent MFA checks.

What do I need to do?

All members of staff (staff, associate staff and honorary), students and alumni are required to register for MFA.

This will add a safe and secure two-step verification method, chosen from a range of authentication options, to your online credentials. At UCL we recommend using the Microsoft Authenticator app as it provides the simplest experience and allows you to pass MFA with a few taps. Alternatively, the Authenticator app or alternative apps can be used to create one-time codes. The final option (phone call/SMS) is now discouraged as there is an increased risk that phone SIM cards can be hijacked or cloned to gain access to codes.

If you have accessibility requirements, please email itservices@ucl.ac.uk

Video overview

Video: https://mediacentral.ucl.ac.uk/Player/BF0135I2

How-to guides

Once MFA has been enabled on your account you will need to enrol for MFA and configure your authentication preference. You will have the following options to use as your authentication method: mobile phone application, phone call and text message. We encourage everyone to register for multiple methods. As a minimum, you will need either an iOS or Android device, or a telephone/mobile phone.

Microsoft Authenticator app

This is UCL’s recommended verification method. When a user responds to an MFA push notification using the Authenticator app, they'll be presented with a number. They need to type that number into the app to complete the approval. 

Register for Multi-Factor Authentication (MFA) with Microsoft Authenticator App

Phone call

An automated voice call is made to the phone number registered by the user. To complete the sign-in process, the user is prompted to enter their PIN followed by # on their keypad.

Register for Multi-Factor Authentication (MFA) with phone call

Text message

With text message verification, an SMS containing a verification code is sent to the mobile phone number. To complete the sign-in process, the verification code provided is entered into the sign-in interface. Please note:

  • Delivery of SMS messages can be unreliable, especially if travelling abroad or using an international phone number.
  • The use of text messages is no longer considered particularly secure as an MFA method - this is because a common attack strategy involves cloning or hijacking mobile phone SIM cards.  

Register for Multi-Factor Authentication (MFA) with text message

Help and further information

If you have any questions, please email itservices@ucl.ac.uk. When contacting us please ensure you supply your UCL userID and a contact phone number.

To speed up the process, when contacting us please provide the following information:

Full Name                                       Full Name
UCL User ID                                     Date of Birth
UPI (On UCL card)                               UCL User ID
Department                                      UPI and Student Number (On UCL card)
Personal Phone Number registered on MyAccount   Department/course
                                                Personal Phone Number registered on MyAccount

Frequently asked questions

I have an accessibility requirement. How can I register for MFA?

If you have accessibility requirements and have been invited to register for MFA, please contact itservices@ucl.ac.uk with any queries.

I have received a request to provide secondary authentication but I haven’t attempted to log into my account, what should I do?

Immediately change your password via My Account https://myaccount.ucl.ac.uk/changepw and report this to itservices@ucl.ac.uk

What protection does MFA provide?

MFA provides an additional line of defence for our protected systems and data. Should your password be compromised by a malicious third party, they will be prevented from accessing protected resources without providing secondary authentication.

How can I change my MFA details? 

To add or update your multi-factor authentication details, please visit your Microsoft Account page (https://myaccount.microsoft.com/) and select the Security info section.
You can register Authenticator apps on multiple devices (e.g. on a phone and a tablet) and it is sensible to also register a recovery phone number. 

Which is the preferred MFA method? 

UCL’s preferred MFA method is the Microsoft Authenticator App, although users can use other authenticator apps.

If you regularly travel internationally, we recommend using the Microsoft Authenticator app whilst connected to a Wi-Fi hotspot to avoid incurring roaming charges. You may experience issues using the text message and phone call verification methods at international locations. We encourage everyone to register for multiple methods.

For more information about how to set up the Microsoft Authenticator app on your mobile device, see the Download and install the Microsoft Authenticator app article.

Can I use the Microsoft Authenticator app for MFA on multiple devices? 

Yes, the Microsoft Authenticator supports multiple devices.

When can I expect to be prompted for MFA?

MFA is not designed to be intrusive or demanding, and it is a process familiar to many users in other places (like online banking, or social media accounts).

You can expect to be prompted:

  • At least every 60 days for normal activities if you use the same device. If you use multiple devices to access UCL services (e.g. mail on your phone or tablet), you will be prompted at least every 60 days on each.
  • Every time you sign into a new device using your UCL account - this includes if you use the Private/Incognito browser sessions.
  • If your sign-in activity is considered risky - usually this occurs if you are connecting from an unusual or higher risk location, or are using a private VPN service.
  • More frequently if you are using some UCL services, especially if they contain sensitive research or UCL data, or if your account has higher levels of system or data access.

Note: Alumni and honorary staff will be challenged for another factor at every login to Office 365. To avoid this, select the “Don't ask again for 60 days” option. (This setting does not apply to other user types, and you may be prompted more frequently even if this option is selected.)

Why haven't I received an MFA notification on my phone?

Notifications on your phone may be switched off. Please check that notifications from the Microsoft Authenticator app are enabled in Settings on your smartphone.

Please note that some Android users have reported issues with receiving notifications even when the notification settings are on. We recommend opening the Microsoft Authenticator app when you sign in to MFA-protected services.

I no longer have access to my MFA device; what do I do? 

Please contact itservices@ucl.ac.uk who will be able to reset your MFA details to allow you to register your new device.

I get prompted for MFA every time I log on; how do I stop this?

This is expected behaviour if you are using a tool to mask your location, such as the Tor browser or a VPN. If you are not using such a tool, please report this to itservices@ucl.ac.uk for investigation.

Note: Alumni and honorary staff will be challenged for another factor at every login to Office 365. To avoid this, select the “Don't ask again for 60 days” option.

How can I test and make sure my account is protected by MFA?

Over the next few months, as MFA policies are being refined, you can test your existing registration details using a simple UCL website specifically created for this purpose.

Access the site from UCL's Identity and Access Management SharePoint site here.

Which version of Microsoft Office is compatible with MFA?

All modern versions of Office, installed on or available for staff and students to download, work with MFA.

Can I use MFA on my UCL account for signing into my laptop or computer?

Not yet. MFA on your UCL Microsoft account doesn't extend to your laptop login, even on UCL-managed devices. We do recommend you look at other options to protect your devices (such as Face ID or fingerprint readers). These offer the same benefits of second-factor authentication protection to your devices.