Multi-Factor Authentication (MFA) is an additional layer of security used to protect your account and your data, as well as Royal Holloway's data and services. After entering your username and password to access a Royal Holloway service, you will be prompted to authenticate using a separate device or app which functions as an additional opportunity to confirm your identity. MFA makes it harder for others to access your university account without your knowledge. You have likely encountered this type of security in your personal life accessing online banking or other services. You can read more about Multi-Factor Authentication on Microsoft’s support pages.
When you login to an MFA-enabled service for the first time, you will receive a notification that ‘More Information is Required’ and be prompted to set up MFA by picking one or more methods for authentication. The standard is that the user sets up the Microsoft Authenticator App and a phone-based approach (using call or text message). It’s always best to setup a variety of methods which minimises the impact of technical issues or missing devices.
Once MFA has been configured, you will be periodically prompted to check that the details Microsoft holds are up to date.
You can also manage your own details from the Security Info tab of the My Account area.
At Royal Holloway, we recommend that you setup the Microsoft Authenticator app and add a phone number for use with MFA.
At minimum you should have two methods of MFA configured, although setting up additional methods can be beneficial.
Microsoft Authenticator App: The Microsoft Authenticator app is the simplest method of verifying your identity and is recommended by the university. It can be installed on an Android or iOS device.
There’s two ways the app can be used for MFA.
The first, which uses push notifications, is generally the fastest and most convenient. You will need to download the app to your preferred device and set up authentication. This is the method we recommend.
You can also use the app to provide six-digit one-time passcodes, or OTP codes. OTP codes work well when you don’t have internet access on your phone or mobile device and you can’t receive notifications. Instead of approving a push notification, you type the OTP code into the browser you’re trying to sign in to. OTP codes refresh every 30 seconds, so they can be difficult to use before they time out, particularly if you have accessibility requirements.
SMS or Phone Call: If you don’t want to download an app, you can opt to register a phone number which you can use for authentication either by call or text message.
In addition to the primary methods, it's possible to configure some alternate or additional methods for authentication.
Alternate Authenticator Apps: While the Microsoft Authenticator app is recommended, it’s possible to register your Microsoft account with another app such as Google Authenticator. Just select ‘I want to use an alternate authenticator app’ when on the Microsoft Authenticator App setup screen.
Email: You can provide an additional email address, separate from your college email, to receive links to verify your identity. This method works well for password reset but cannot be configured as the primary method for MFA when accessing applications.
Security Questions: It’s possible to setup a series of security questions that can be used to verify your identity, this method works best for resetting passwords but cannot be used for day-to-day authentication.
We suggest that you pick methods of MFA which are the most convenient for you. If you always carry a personal device with you, it’s recommended that you use this device to authenticate quickly and easily. Most people use their personal mobile phone.
App notifications use a tiny amount of data or are free if you are connected to Wi-Fi. OTP codes are available offline and use no data at all. It is free to receive calls or text messages.
Whilst you can use a phone number for MFA, we don’t recommend that you use your office number or your home landline as your primary method of authentication. You can be challenged for MFA anywhere, so linking MFA to fixed location means you might not be able to get access if you’re signing in from somewhere else. Our office telephony is now provided via Microsoft Teams, which requires you to use MFA to sign in, so you will be caught in a loop if you use this number. If you do use your home or office number as your primary method, make sure you also add a backup.
You will need to contact the IT Service Desk to intervene on your behalf if you lose access to your device. The Service Desk can help you access your account to add a new method of MFA, or investigate other options until such a time that you can get a new device setup.
Notifying the IT Service Desk also means they can remove your old device if it was stolen or sold, this will prevent it being used for authentication going forward. It’s also worth choosing the option to ‘sign out everywhere’ from the Security Info tab of the My Account page to ensure that your account is logged out from any missing devices.
When you do get a new mobile, you can add your new device as an option for Multi-Factor Authentication from this same Security Info page by selecting the option for ‘+ Add Sign-in Method’.
MFA is not meant to be a barrier to accessing Royal Holloway services, but it’s important that your identity is checked regularly. Generally, you will be prompted to authenticate when accessing a service for the first time or after a set number of days, although certain services such as the college’s VPN will require more regular authentication.
Multi-Factor Authentication is a requirement for accessing Royal Holloway services.
This could suggest that someone is attempting to access your university account, you should immediately change your password and contact the IT Service Desk to request further advice.
The Microsoft Authenticator App works well with most screen readers and assistive technologies. If you do experience difficulties, please contact the IT Service Desk who can work with you on your specific requirements.
You may occasionally run into problems with MFA, particularly when trying to use a third-party email management platform, clone an existing device or when using a mobile phone running an older OS version. Check out our FAQs for further advice.
The way that we use the Microsoft Authenticator app at Royal Holloway will be changing.
At the point of receiving your push notification, the app will soon verify your identity via number matching.
Number matching works by prompting the user to enter a two-digit number to verify that it is them trying to login to a Royal Holloway service. If the number shown on screen matches the one entered in the app, the user will be authenticated.
From time to time, Microsoft will require Multi-Factor Authentication, but you will not receive the automated app push notification to your mobile device. This can happen if you're signing in from a new location, on a VPN, or sometimes your notification can just take a little time to come through. If you manually open your app the number matching prompt should appear so you can complete the request, even if you didn't get a notification yet. Simply navigate to the app and review your outstanding authentication requests as normal to complete number matching.
If your number matching prompt still doesn't appear, you can try another authentication method. If you consistently have an issue with the app, you should contact the IT Service Desk.