XClose

Information Services Division

Home
Menu

Multi-Factor Authentication (MFA)

Information and guidance for staff, students and alumni registering for MFA.

What is MFA?

MFA (multi-factor authentication) provides an additional layer of security on top of your username and password when you access university resources online. Once set up, it is easy to use and provides increased protection against cyber-attacks.

Why is UCL using MFA?

The university holds a large quantity of personal data, of both staff and students, as well as storing confidential research data with commercial value, which an industry-standard technology such as MFA helps protect. The heightened public awareness of UCL's researchers work in response to COVID-19, and the fact that most work is being carried out online means there is a greater threat of attack of those individuals email and online data, which could lead to data breaches and alien system access and threats to our security.

Which services will be protected with MFA?

MFA is being implemented to provide an extra layer of protection on the following services:

StatusServices 
Staff, Associate staff, Honorary
  • Office 365 applications
  • Any other application that rely on Azure Single Sign-on
StudentOffice 365 applications
AlumniOutlook Web  (OWA)

What do I need to do?

UCL staff: All members of staff, associate staff and honorary are required to register for MFA.

UCL students: All students are required to register for MFA.

UCL Alumni: All Alumni are required to register for MFA. 

This will add a safe and secure two-step verification method to your online credentials from a range of authentication options (such as phone call, text message, or mobile app notification) to access your applications. The implementation of MFA means that an extra authentication step may be required when accessing Office365 applications.

If you have accessibility requirements, please email mfa-rollout-support@ucl.ac.uk. When contacting us please ensure you supply your UCL userID and a contact phone number. 

Video overview

MediaCentral Widget Placeholderhttps://mediacentral.ucl.ac.uk/Player/BF0135I2
 

How-to guides

Once MFA has been enabled on your account you will need to enrol for MFA and configure your authentication preference. You will have the following options; mobile phone application, phone call and text message to use as your authentication method. As a minimum, you will need either an iOS, Android device or a telephone/mobile phone.

Microsoft Authenticator app

This is UCL’s recommended verification method. Users install and use the Authenticator app to generate a verification code that can be entered into the sign-in interface. It may be used for either a notification and verification code, users who register the Authenticator app can use either method to verify their identity.

Register for Multi-Factor Authentication (MFA) with Microsoft Authenticator App

Phone call

An automated voice call is made to the phone number registered by the user. To complete the sign-in process, the user is prompted to enter their pin number followed by # on their keypad.

Register for Multi-Factor Authentication (MFA) with phone call

Text message

With text message verification, as SMS is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface.

Register for Multi-Factor Authentication (MFA) with text message

Help and further information

If you have any questions, please email mfa-rollout-support@ucl.ac.uk. When contacting us please ensure you supply your UCL userID and a contact phone number.

Frequently asked questions

I have an accessibility requirement. How can I register for MFA?

If you have accessibility requirements and have been invited to register for MFA, please contact mfa-rollout-support@ucl.ac.uk if you have any queries.

I have received a request to provide secondary authentication but I haven’t attempted to log into my account, what should I do?

Immediately change your password via My Account https://myaccount.ucl.ac.uk/changepw and report this to mfa-rollout-support@ucl.ac.uk

What protection does MFA provide?

MFA provides an additional line of defence for our protected systems and data. Should your password be compromised by a malicious third party, they will be prevented from accessing protected resources without providing secondary authentication.

How can I change my MFA details? 

To add or update your multi-factor authentication details, please visit https://portal.office.com
As people tend to keep a phone number longer than an app, it is always recommended that you register your phone number. 
You can register multiple phone numbers as well as an app from the multi-factor authentication site

Which is the preferred MFA method? 

UCL’s preferred MFA method is the Microsoft Authenticator App, although users can use other authenticator apps.

If you regularly travel internationally, we recommend using the Microsoft Authenticator app whilst connected to a Wi-Fi hotspot to avoid incurring roaming charges. You may experience issues using the text message and phone call verification methods at international locations.

For more information about how to set up the Microsoft Authenticator app on your mobile device, see the Download and install the Microsoft Authenticator app article.

Can I use the Microsoft Authenticator app for MFA on multiple devices? 

Yes, the Microsoft Authenticator supports multiple devices.

When can I expect to be prompted for MFA?

MFA is not designed to be intrusive or demanding. Once you have performed your MFA registration. MFA will trust the device you typically use, and your location. The UCL’s MFA implementation uses a risk-based approach, so that there will only be an additional challenge when accessing from an unusual location or unusual device. All UCL’s managed devices are always deemed secure regardless of their location. To simplify the experience for end users, the UCL’s MFA implementation is designed to only prompt when there is a high security risk. The UCL’s Information Security Group have tested the solution to prove that MFA does challenge in high-risk scenarios. 

Note: Alumni will be challenged for another factor every login to Office 365. To avoid this, select “Don't ask again for 60 days” option.

Why haven't I received an MFA notification on my phone?

Notifications on your phone may be switched off, please check you have enabled notifications from Microsoft Authenticator App and on your smart phone in Settings.

Please note that some Android users reported issue with receiving notifications even if the notifications settings are on. We recommend to open the Microsoft Authenticator App when you are sign in to MFA protected services.

I no longer have access to my MFA device; what do I do? 

Please contact mfa-rollout-support@ucl.ac.uk who will be able to reset your MFA details to allow you to register your new device.

I get prompted for MFA every time I log on; how do I stop this?

This is expected behaviour if you are using a tool to mask your location such as TOR browser or VPN. If you are not using such a tool please report this to mfa-rollout-support@ucl.ac.uk for investigation. 

Note: Alumni will be challenged for another factor every login to Office 365. To avoid this, select “Don't ask again for 60 days” option.

How can I test and make sure my account is protected by MFA?

We do not expect staff  to test or simulate this activity to ensure MFA is working (as it may be against UCL policies). We regularly monitor sign-ins for risky activities and if required may occasionally ask you to test.

Which email client can I use with my mobile device?

Outlook app

The Outlook app for iOS and Android is fully supported by ISD as it is compatible with MFA and modern authentication.

If you are using your mobile device's default email client and want to switch to the Outlook app, you will need to remove your UCL account first. Once it has been removed, please install the Outlook app and add your account using your userID@ucl.ac.uk email address.

Tip: If you cannot see your contacts in the Outlook app follow, go the Outlook app settings, select Office 365 in the Email Accounts section and turn on Save Contacts

See Connect to Outlook for iOS and Android for instructions on how install the Outlook app and add your email account on your mobile device.

iOS Mail app

MFA and modern authentication also works on following version of iOS, however they are not supported by ISD.

  • iPhone 6 or newer – iOS 11 and above
  • iPhone 5 or older – iOS 10.3+ (10.3.4 is last)

Older versions do not support modern authentication.

Can I use Apple Mail?

For full support from ISD, use the Outlook app on your macOS device.

MFA will work with Apple Mail on macOS 10.15 (Catalina) and 11 (Big Sur), however it is not supported by ISD. To find out which version macOS you are using go to https://support.apple.com/en-us/HT201260

Can I use Thunderbird?

The version of Thunderbird required to support modern authentication, and MFA, is 78.0 and above.

Thunderbird version 78.0 is only offered as a direct download from thunderbird.net and not as an upgrade from Thunderbird version 68 or earlier. A future release will provide updates from earlier versions.

Once your Thunderbird is set up:

  1. Right click on your account
  2. Select Settings
  3. Server Settings
  4. Security Settings
  5. Change the Authentication Method to OAuth2
Which version of Microsoft Office is compatible with MFA?

If you use older versions of Office, they are less secure and not compatible with MFA. Clients that are using older office (Office 2010) or mail protocols such IMAP/SMTP/POP are not supported by modern authentication. For Outlook 2013 or later (Outlook 2013 requires a registry key change).

How do I check which version of Microsoft Office I am running?

On a Windows 10 machine, right-click the Start button and select Apps and Features. Scroll through the list until you see one or more entries for Microsoft Office. You'll see your edition, such as Office Professional, Office 365, Standard 2016, as well as your version (or build) number if you click on the entry.

For example:

Microsoft Office version/build number
I already have Office 2016 on my laptop, why do I still get messages to upgrade my “legacy” applications?

You received a message from ISD to update your “legacy” Office applications because you may be using email clients, SharePoint add-ons, MS Project and other applications which are usually installed separately from Office 365 but connect to O365 services.

You should check your mobile phone and other devices for use of “legacy” applications which are not part of Office 365. These should be replaced or updated with Office 365 applications (it allows you to do so for up to 5 devices including mobiles).

There is no need to re-install Office applications on your laptop if you are already using Office 2016 or Office 2019. If you use Desktop@UCL Anywhere it already has Office 2016 so there is no need to re-install it.

In rare cases, Office 365 sign-in reporting can wrongly interpret “modern” applications as “legacy” applications so if you believe it is the case please contact ISD and we can investigate and provide more detailed information to correct the issue.