Multi-factor authentication (MFA) provides an extra layer of security when logging in to some Lancaster University IT services. Use of MFA is mandatory for all University staff, PGR students and student staff.

Once you have enabled MFA, you may be asked to enter a one-time password (OTP) as well as your username and password when logging in to some IT services. This may include when logging in to any Office 365 service on a different device (such as Microsoft Outlook and Microsoft Teams). You will generally use an authenticator app on a mobile device to generate this OTP.

Most major web companies, like Google, Microsoft, Facebook and Apple, use MFA and mandate or recommend users turn it on. By using MFA, you are helping the university to keep its IT systems and services safe, and by extension helping to enhance the security of your own data.

You can set up and manage your MFA authenticators and recovery method at: MFA management. Instructions for doing this are below.

Instructions

View the video for information about setting up MFA using a mobile device. Alternatively, written instructions are available using the link beneath this.

 Set up MFA using a mobile device

Before you begin - checklist

  1. Please make sure you have a mobile or tablet device that can run apps to hand - this can be a personal or work device.
  2. Please also have another device to hand - this can be any device with a web browser, such as a PC or Mac.
  3. Please ensure the date and time are set correctly on each device - this should be set automatically where there is an option for this.
  4. Please ensure you have either a personal mobile phone number or a personal (non-Lancaster) email address available for recovery.
  5. Follow the instructions step-by-step to the end - MFA set up is not complete until you have verified your authenticator and added a recovery method.

  1. On your mobile/tablet, open the App/Play store and download Microsoft Authenticator. Set aside this device for now.

    If prompted, make sure you Allow access to your device's camera for the app (this is only required to scan a QR code during the setup process).

  2. On your other device, go to MFA management in a new tab or window and, if prompted, log in using WebLogin.

    If you have previously set up MFA, you will be prompted to enter an OTP now. If you don't have access to the app or key you previously set up, see Recover an OTP with no access to MFA authenticator app or key for further guidance.

  3. Select Register authenticator.

  4. Select Register authenticator app.

  5. On your mobile/tablet, open the Microsoft Authenticator app.

  6. Click Scan QR code. Alternatively, press + or Add Account to add an account.

    If prompted with a message about Backups, select Continue.

  7. If prompted, select Work or school account then Scan QR code.

  8. Using this device's camera, scan the QR code which is on the screen of your other device.

    The app will now start generating 6-digit OTP codes on a 30 second loop.
  9. Back on the other device, select Next.

  10. In the One-Time Password box, enter the six-digit code displayed under Lancaster University in the Microsoft authenticator app on your mobile/tablet.

  11. Click Next.

  12. You will see a message App registration complete. Click Back.
     
  13. Select Set up recovery.
     
  14. Select Set up text message recovery.

    Text message recovery is recommended. If you don't have a mobile number, you can instead use the email recovery option. 


  15. Enter your mobile number and click Set up.

  16. In the One-Time Password box, enter the six-digit code sent to you via text from LU_WEBLOGIN.

  17. You will see a message Text message recovery setup complete.


MFA is now set up and working to protect your account.

 How can I verify that MFA is set up correctly and working to protect my account?

To verify that MFA is working correctly:

  1. Open a new private or incognito browsing window in your web browser.

  2. Browse to lancaster.ac.uk/office365


As part of the log in process, you should be prompted for an OTP. If you are, then MFA is set up and working correctly on your account. If you are not, then MFA is not set up correctly - please follow the instructions again from the start to set it up.





 Log in to a service when asked for a One-Time Password (OTP)

The following steps apply when logging in to any Lancaster University IT service which requires an OTP.

  1. If prompted, enter your username as normal and click Next.

  2. You will be prompted to enter a One-Time Password.

  3. Open your authenticator app on your mobile device.

  4. Copy the six-digit code displayed into the one-time password box in WebLogin and click Next.

  5. If prompted, enter your password as normal and click Next.






Frequently asked questions

 Why do I need to use MFA?

The video below provides an overview of how MFA and other new security services work to protect you and the University.



 How often will I get asked for a One-Time Password (OTP)?

There isn't a definitive answer to this question - the number of times you will be asked for an OTP will vary based on a number of factors, such as:

  • Service – you're likely to be asked for an OTP more often for certain IT services. You should expect that certain services may ask you for an OTP multiple times per day if you are accessing particularly sensitive information.
  • Device – on your primary device (e.g. regular computer), you may be asked for an OTP less frequently when accessing some services. If you regularly log in on different devices (e.g. in different teaching spaces) you should expect to enter an OTP more often.
  • Browser – if you navigate between different services inside one browser, you may be asked for an OTP less frequently. If you close down your browser regularly, use private browsing mode or use different browsers, you should expect to enter an OTP more often.

It is recommended that you always keep your authentication method (e.g. the authenticator app on your phone, or key) with you so that you are always able to generate an OTP when prompted for one.







 What do I do if I get a new phone or tablet?

You will need to set up MFA again by downloading the app onto your new device. You should follow the instructions further up this page to enable MFA.

If, during this process, you have no access to an existing app or key to generate an OTP to log in to MFA management, follow the guidance at: Recover an OTP with no access to MFA authenticator app or key.




 Do I need to set up different apps for different services or devices?

You can set up authenticator apps on multiple devices if you wish to. You'll be able to use any of them to generate OTPs you can use to log in to services. You use these same authenticator app(s) to generate OTPs to log in to any service which requires it - you don't need to set up different ones for different services.



 What should I do if I can't access the app I previously set up?
 Is it OK to use my personal phone or tablet to download the app?

If you have access to a work-provided mobile or tablet, you should use this to download the app.

If you don't have access to a work-provided device then you can use your own device. In doing this, you are helping the university to keep its IT systems and services safe, and by extension helping to enhance the security of your own data.

After the app is set up, it doesn't use any data allowance on your phone, nor does it take up significant storage space. It can't access other parts of your operating system. All it does is provide an OTP when you open it.




 What should I do if I don't have a modern mobile phone or tablet?

Any device that is able to install and run authenticator apps is OK to use - it doesn't have to be new, nor does it have to be provided by the University. If you have neither a phone nor a tablet that can run an authenticator app, please contact ISS for further advice.



 How secure/private are authenticator apps?

Apps are the most convenient way to generate OTPs, as most people generally have their phone with them. They are also more secure, as you have to unlock your phone before being able to generate an OTP. Installing an authenticator app does not jeopardise the security of any of your personal data as the app cannot access other things on your phone.

The apps only ask for minimal access to your device. For example, they may only ask for access to your camera to scan the QR code on screen and not for any other purpose. This camera access can be disabled as soon as you have scanned the QR code.

As with any app, you should only install apps from a trusted App Store (for example, the Apple App Store or the Google Play Store).

The security advice for those using an authenticator app is no different from the standard advice that you should always apply to ensure your device is secure (e.g. enabling encryption and using lock screen/biometric security). For more guidance, see Security of digital devices.




 Why do you recommend I use a personal mobile number for recovery?

We recommend using a mobile number as you will be able to access this even if you lose access to your authenticator app. This will make recovery simpler. Any personal contact information entered for the purposes of account recovery, including your mobile number, is held in highly secure Lancaster University data centres. It will only be used for the purposes of OTP recovery; it will never be used for any other purpose.

An alternative to using a mobile number is to register a personal (non-Lancaster) email address for recovery.

If you choose not to set up account recovery using either a mobile number or email address, it may mean losing access to your IT account if you lose access to your authenticator app - hence setting up recovery is highly recommended.




 How do I set up MFA with a physical authentication key?

Physical authentication keys are an alternative form of authenticator which are available to a small number of University staff under special circumstances. If you are given a physical authentication key, follow the instructions below to set it up.

Set up MFA using a physical authentication key

  1. On your PC or laptop, go to MFA management in a new tab or window and, if prompted, log in using WebLogin.

    If you have previously set up MFA, you will be prompted to enter an OTP now. If you don't have access to another method for generating an OTP, see Recover an OTP with no access to MFA authenticator app or key for help.

  2. Select Register authenticator.

  3. Select Register authenticator key.

  4. Turn over your physical authentication key. There will be a number. Enter this in the Serial no box and click Register.

  5. Turn your physical authentication key back over. Press the power button to the left of the screen.

  6. In the One-Time Password box, enter the six-digit code displayed on the screen of your physical authentication key.

  7. Click Next.

  8. You will see a message Authenticator key registration complete. Click Back.
     
  9. Select Set up recovery.
     
  10. Select Set up text message recovery.

    Text message recovery is the recommended option. If you don't have a mobile number, you can instead use the email recovery option. 

  11. Enter your mobile number and click Set up.

  12. In the One-Time Password box, enter the six-digit code sent to you via text from LU_WEBLOGIN.

  13. You will see a message Text message recovery setup complete.

  14. MFA is now set up and working to protect your account.





 What should I do if I find a physical authentication key?

Please hand in any physical authentication keys you find to ISS or Security as soon as possible.



 What does "validation required" mean?

If the Manage your One-Time Password authenticators page lists any of your authenticators as 'validation required', this is because the validation step wasn't completed when the authenticator was being registered. You can validate an authenticator by entering the OTP code shown on the authenticator in the One-Time Password box at the bottom of the page. 

For a recovery authenticator (e.g. SMS or email) you can cause an OTP to be sent with the following steps:

  1. Click use OTP recovery in the One-Time Password box at the bottom of the page
  2. Select the type of the recovery authenticator (e.g. SMS or email)
  3. Enter the email address or phone number that you registered
  4. When the OTP is sent to your email address or mobile phone, enter the OTP code in the One-Time Password box at the bottom of the page.


 I have another question or issue with MFA not covered here - who should I contact?

If you have a question or experience a problem with MFA, please contact ISS either via: