This article will guide you on configuring your Multi-Factor Authentication, setting it up on your devices, managing it and setting up a second method of authentication.
Multi-Factor Authentication (MFA) is a new and more secure way to log in to your University accounts. This prevents fraudsters from accessing, altering, or destroying your personal and sensitive information.
It provides an extra level of protection. When signing in, it asks you to confirm your identity with a password and a phone / tablet. Only successfully presenting two pieces of evidence you can have access to your account.
It is likely that you already use some form of multi-factor authentication if you use online banking.
Adding a phone number for use in MFA process does not make it available as part of your contact information. MFA phone numbers are stored as protected attributes and are not visible to others.
You will see minimal data usage when downloading the Authenticator app. There will be no to minimal impact on your daily phone data usage. If you’re worried about data usage, you can select the SMS or phone line option to authenticate your account.
---
You need MFA to add an extra layer of protection to your university account.
MFA helps to defend your account against fraudsters from:
Accessing
Altering
Destroying your personal data or sensitive information
How often you will be asked to authenticate
As long as you have a University IT account, MFA is needed to keep your account secure.
You will receive a sign in approval request each time you attempt to log in. You can avoid this approval for 30 days by checking the “Do not ask again for 30 days” box.
Please do not remove any of your authentication methods and review them regularly to ensure they are up to date.
---
Since MFA is a mandatory part of the account setup process, Microsoft will ask you to verify your credentials. You can do it doing one of the following actions:
After that, you will have completed your verification steps. You will have access to your app as usual. You can check to remember your login on your device for 30 days. We recommend doing this only if you trust the device and you are sure you will be using it again. Sometimes you will need to complete a new verification step when signing in.
We recommend using the Microsoft Authenticator app as your primary MFA solution.
Microsoft has developed three security features for the Microsoft Authenticator app and the University will be installing these features as the app is used as one of the authentication methods.
To understand why Microsoft has developed these features, how this will help protect the University and who this will impact, please visit the SharePoint page “Microsoft Authenticator app security features”.
From Thursday 23 February 2023, when approving an MFA request on the Microsoft Authenticator app, you will have to:
1. When you receive an MFA request, the usual sign-in request box will appear on your screen. You will notice a number alongside the request asking you to enter the number on your Authenticator app.
2. Open the Authenticator app on your mobile device
3. A notification will appear with this information:
4. Review the application and location details ensuring the notification is displaying the correct information.
5. Enter the number you received in the sign-in request, select YES.
If you have received an unexpected MFA request or the details displayed on the notification are incorrect, please select “NO IT’S NOT ME”. Please go to ‘What to do if you receive an unexpected MFA notification' to understand more.
You will be asked to use MFA whenever you:
Please decline any unexpected MFA notification.
If you are using the Microsoft Authenticator app, please press the report button which will notify iSolutions. This action will not lock out your account and will help iSolutions find more information about the sign in attempt.
To back up or recover your account credentials (using Android or iOS), read the article "Back up and recover account credentials in the Authenticator app".
---
It can take up to approximately 10 minutes to set up MFA. You only need to set up MFA once but you may have to verify your identity from time to time.
You can set up MFA by using the free Microsoft Authenticator app on your mobile phone (recommended), or by receiving an SMS text message or phone call through a landline or mobile phone.
It's not possible to use Softphones to set up MFA.
Please note: To use Microsoft Authenticator app, you will need a mobile device that uses an up-to-date operating system. To check whether your mobile device supports the Microsoft Authenticator app, please visit the following webpages:
Step-by-step instructions:
These instructions work both for Android and iOs devices.
1. Download the app on your mobile device for iOS or Android
2. Now look at the screen of your computer - you should see a new window asking to start the process getting the app. Select 'Next'
3. If prompted, select ‘Allow Notifications’. Make sure to select 'Work or school' from the list of account types.
4. When prompted within the app:
5. You will then receive an approval notification on your mobile device
6. Select ‘Approve’ to confirm the setup. Please note, from Thursday 23 February 2023, the way you approve an authentication request will change. Please go to ‘Approving the MFA request in the Microsoft Authenticator app’ to understand more.
7. Once you approved the notification, click 'Next' in the computer browser
If you want to configure additional MFA methods (recommended) click the link ‘I want to set up a different method’ and follow the instructions in the section "Using SMS or a phone call".
8. You will receive a success message once you have finished the setup
9. Click 'Done' to complete the process
Microsoft Authenticator uses 'Push Notification' as default verification. After you complete MFA registration, you can change it as explained in the section "How to change your default sign-in method".
1. Select the option 'I want to set up a different method'
2. Select 'Phone' as the different method and click on 'Confirm'
3. Choose your country and enter your phone number, then select how you wish the verification to happen. This can be either an SMS message or a Phone Call (you will find the options 'Text me a code' or 'Call me'). For the example here below, we are using the SMS option.
4. You will then be asked to verify your method:
Using a text message (SMS)
You will receive a text message with a (random) 6-digit code on your mobile.
In your browser window, enter the code into the 'Enter code' field and click 'Next'.
Your phone is now registered as a method of authentication
Select 'Next' to end the process.
For Phone
You will receive a call, asking you to select a Key on the phone to verify your signing.
1. Answer the phone call on your mobile phone
2. The recorded voice message will instruct you to press the # symbol on your phone's touchpad
3. After pressing the pound sign, your mobile number is successfully registered
4. Click 'Next'
Please remember that SMS or phone notifications are great as fail-back second factors.
If you do not wish to use any of the above methods, you can request a free MFA physical token (similar to a key fob) from Stores by completing the "Computer Peripheral Purchasing" form. No authorisation is needed.
Tokens are only available for current members of staff and Postgraduate Research Students (PGRs).
How it works after receiving your token:
1. When you log into anything that requires MFA, you will be prompted for:
2. Turn on you token by pushing the button in it
3. The token will display the code you need. The code will be active for 60 seconds, then a new code will appear
4. Enter the code into the MFA window and select the Verify button
Evolution users will need to use the Evolution-EWS client to access their Office 365 email.
iSolutions have registered Evolution-EWS as a Microsoft Azure Active Directory app registration.
Application ID: 51e20fb2-de82-43a4-932d-cb56b81262ac
When adding your university account to Evolution-EWS:
When you add your university account in Thunderbird, you will need to click on the Advanced config link after it auto-detects the server settings.
You will then need to set Thunderbird to use OAuth2 for both the IMAP and SMTP server configurations.
Once you hit 'Done', you should see the Microsoft 365 login screen pop-up asking you to enter your password and additional MFA verification. After that, it will appear a screen asking for some permissions on your Office 365 account.
How to reconfigure an existing account
For IMAP, click on:
For SMTP, please follow:
If OAuth2 does not appear, you may need to restart Thunderbird and go back into the account settings.
This approach is no longer fully supported by iSolutions. We recommend you choose an application that natively supports Multi-Function Authentication (for example the Evolution Linux-based mail client rather than Thunderbird).
If you use an app password, you will be required to provide MFA on campus and will not be able to take full advantage of the current University’s security policies.
For the best experience use the Microsoft Authenticator App - this offers advanced functionality including one-touch authentication approval via notifications. An additional benefit of using the App is, if you do not have a signal or wi-fi connection on your phone, the App will generate a one-time passcode which you can use instead of receiving an app notification or SMS.
Instructions:
1. When approving your sign-in request, click on the sentence "I can’t use my Microsoft Authenticator app right now
2. Select the option “Use a verification code”
3. Now open your Authenticator app
4. Tap on the 'University of Southampton' option
5. You will see a one-time password. Password will change every 20 seconds
6. Enter the code (displayed into the Authenticator app) into the sign in window
To check that MFA has been set up on your account or if you need to change settings go to the page My sign-ins / Security info.
You should see the authentication options you chose during set-up. If you do not, repeat the setup process.
---
We strongly recommend that you set up a second method of authentication on your University IT account.
This means that if one method fails, you have another way to authenticate and you will not be locked out of your account. For example, if you lose or upgrade your device, you can still authenticate your log-in and access University IT services.
To set up a second authentication method, you need to:
We recommend that the Microsoft Authenticator app is your primary method. As a second method, choose from either:
If you are an international student and use a different mobile phone when you return home, please make sure you add this to your account before you leave the UK. This means you will still be able to sign in if you cannot access your UK mobile phone.
1. Click on 'Change'
2. Select your favourite method
3. Click on ‘Confirm’
1. Click on 'Change'
2. Enter the phone number you want to use
3. Click on 'Next': you will receive a code via SMS or a phone call to verify your identity
4. Enter your code or follow the instructions
5. Once verify your identity, a confirmation banner will appear on your page. Click on 'Done' to close the banner.
1. Click on the 'Delete' button
2. A confirmation banner will appear. Click on 'OK' to delete this method
You might need to reset the device chosen to confirm your identity through Microsoft Multi-Factor Authentication (MFA). You can self-reset it by using Subscribe. To do that, you need first to request a Temporary Access Pass (TAP).
To request a TAP and find guidance on self-resetting your secondary method of authentication, please read the article "How to manage your university and computing account using Subscribe".
Please note: you can request your TAP only if you have added and verified a secondary contact email to your account at least 14 days before making this request.
---
If you have a new phone or device, there are 2 ways to make MFA work on your new phone:
Please note: you should carry out this process before you wipe your old phone.
1. Log in to My Sign-ins / Security info
2. Enter your University email (for example: abc1ef22@soton.ac.uk) and password
3. Approve MFA prompt using your current mobile device. If your current phone is broken and you did not set up an alternative backup method, please contact ServiceLine.
4. Click on 'Security Info'
5. Click on 'Add Method'
6. Select 'Authentication App'
7. Click 'Add'
8. On your new phone download the Microsoft Authenticator App for iOS or Android
9. On the Microsoft Authenticator app on your phone follow the instructions to 'Add Work Account'. If prompted, allow the app to take pictures and record videos.
This will give you the ability to scan the QR code on the next screen.
10. Return to this screen on your computer and press 'Next'
If you allow notifications, you will be able to get the pop-up 'Approve' or 'Decline' notifications. Otherwise, you will have to enter the 6-digit code each time.
11. Click 'Next'
12. Using the camera on your mobile device, scan the QR code which is displayed on the screen.
13. On the Microsoft Authenticator app on your phone press 'Approve'. You will then see the account added to your new mobile device.
Please note, from Thursday 23 February 2023, the way you approve an authentication request will change. Please go to ‘Approving the MFA request in the Microsoft Authenticator app’ to understand more.
14. Back on this screen, you will see your new device added. You can now safely delete your old device from this list.
Please contact ServiceLine if:
---
Yes, however setup for smartwatches is not supported by ServiceLine. If you would like to set this up yourself, please see supplier documentation for Apple, Android and Garmin watches.
Please note, from Thursday 23 February, the way you approve an authentication request will change and you will no longer be able to approve the notifications through your smartwatch due to Microsoft discontinuing the functionality.
Please go to ‘Approving the MFA request in the Microsoft Authenticator app’ to understand more.
Please note, the FAQs listed under this section will only come into effect from Thursday 23 February 2023.
You don’t need to do anything. The sign-in location details are based on the IP address of the device you are trying to sign into which will depend on your internet service provider (for example Sky, BT, Virgin etc). This means that the location could be from a different place in the UK (for example London, Bristol).
If you are based in the UK and the sign-in location details display a different country, please do not sign in and select “NO IT’S NOT ME” on the app. This will then notify iSolutions where they can find out more information about the sign in attempt.
Yes, the location will change as it is based on the IP address of the device you are trying to sign into which will depend on the internet service provider in that country. The location could be from a different place in that country.
If the sign-in location details display a country to you are not in, please do not sign in and select “NO IT’S NOT ME” on the app. This will then notify iSolutions where they can find out more information about the sign in attempt.
Yes, if you are connected to the University VPN when receiving an MFA request, your sign-in location will always report as being situated in Southampton, UK.
If you use one of the following methods to authenticate, you will not be impacted by the changes to the Microsoft Authenticator app:
If you are only using the app to generate a verification code, you will not be impacted by the new features as this only affects “push notifications”.
It might happen that your mobile device does not open the sign-in screen in a new window, not allowing you to see the matching number. This can happen when you are trying to sign in and use Microsoft Authenticator on the same device.
You can bypass this issue by selecting the link "I can’t see the number" at the bottom of the screen:
You will be able to see the matching number again for a few seconds. After that, you can enter your matching number and select Yes.
When you request to receive your MFA code using the SMS option, it might happen that the notification pops up on your locked phone screen, previewing your secret code. This depends on your device settings.
You can avoid this by changing the notification settings on your device: for example, you can disable all notifications, or hide sensitive content from notifications on your locked screen.
Find guidance about changing notification settings on Android, iPhone, and iPad:
Please note, from Thursday 23 February 2023, the way you approve an authentication request will change and therefore you will no longer be able to approve notifications through your locked phone screen. Please go to ‘Approving the MFA request in the Microsoft Authenticator app’ to understand more.
If you have the app installed on your mobile device you will be able to use Microsoft Authenticator to receive a verification code, but the push notification (advanced MFA features such as number matching) is not supported.
If you are using an Android phone you will need to visit the Lenovo, Huawei or Samsung Galaxy Store. You can find up-to-date information about the Microsoft Authenticator App at the page "Microsoft Authenticator availability and limitations for Android in China".
If you are using an iPhone you need to visit the app store and download the app.
We recommend you change your MFA set-up and receive your code via the Microsoft Authenticator app, at least for the period you're away.
If you are leaving the country or are planning to do it, you may need to change your Multi-Factor Authentication (MFA) set up for it to work properly with no phone signal or internet connection.
What you need to do:
Microsoft Authenticator will generate a one-time passcode which you can use instead of receiving an app notification or SMS. This action will not use the phone network or your internet connection.
Underneath the QR code, you will see a code that you can enter into the Microsoft Authenticator app to complete the setup.
On the QR code scanning screen in the app, pick the option 'or enter code manually', enter the code, then hit finish.
If your iPhone or iPad is using iOS 10 or below you will not be able to use the app. If it is an Android device using Android 5 or below that will also not be supported by the app.
If you can’t download the Microsoft Authenticator App, you can use the alternative text message or phone call for authentication.
MFA using Apple Mail only works on macOS Mojave or higher. Earlier versions such as 'High Sierra' do not support MFA. If this is a University provide Mac and is running High Sierra or lower, please contact ServiceLine to arrange a time for us to upgrade your system.
What you need to do to access your email account using Mac Mail:
If you are using an iOS device, please remember that Microsoft Outlook App is the only email client supported by iSolutions.
The only iSolutions supported email client on both iOS and Android devices is the Microsoft Outlook App. This will also provide the most consistent experience for accessing your University email, calendar and contacts.
Not all native email clients support MFA. If you wish to continue using the native email client on your device (Mail/Email/Gmail):
If you are still unable to access the account within the app, then you will need to utilise the supported Outlook App – download it from Google Play or App Store.
Some iOS users may receive an automated email with the following subject and text:
This could be due to temporary conditions, like your network location.
Contact ServiceLine with any questions or concerns about this email.
Additionally, the following message may appear in your Calendar app: “Calendar Invitation - Your response to the invitation cannot be sent.”
You can fix the issue removing and re-adding the account will resolve these errors.
When you choose to scan the QR code, your device can come up asking for a URL. In this case, you need to allow the Authenticator app access to the camera.
You can do it following these steps:
Now you can go back to Microsoft Authenticator App and scan the QR code again.
This information is automatically populated as part of data synchronisation between university systems. You can safely ignore this.
When you have received your MFA Token you will need to complete the following steps:
iSolutions need to know that you have received your token. To do that, please:
iSolutions will set up your token within 5 days. You will then receive an email notification to say that your ticket has been closed and your token is ready to use.
To set up a second method of authentication, please follow the instructions in the chapter "Setting up a second method of authentication".
We can only allocate 1 token per person. This token is linked to your IT account.
If it is lost, stolen or needs to be replaced, please raise a ticket with ServiceLine through the Request Form. Service Line will decommission the existing token and re-issue a new one.
If you need any other help with MFA or setting up a second method, please contact ServiceLine.
The phone lines are open from 08:30 – 18:00 Monday – Friday, each day the University is open.
---
How to manage your university and computing account using Subscribe
How to add or remove your university email account using Outlook
Was this article helpful?
If you have any further comments, please put them below.
Please note that feedback is anonymous - if you require a reply or assistance, please raise a ticket via ServiceLine.
Thank you for your feedback, it is much appreciated.