Multi-factor authentication (MFA)

Travelling abroad

If you may travel abroad, add at least one method that does not require a phone connection or internet access.

MFA prompts occur when you log into apps and services using your SSO or when your session times out.

Some systems may impose their own rules, prompting for MFA more often than others depending on the person's account activity. In most cases however, prompt frequency will depend on the service and whether you are using a web browser or standalone application.

Web browsers

Browser based session timeouts depend on the type of service you access:

• Azure login based services, such as web based versions of Outlook, Teams, OneDrive, SharePoint Online, Dynamics365, should persist for 7 days.
• Web based Outlook has a session time out of 8 hours.
• Shibboleth protected resources, such as CoSy or TeamSeer, should persist for 11 hours.

Authentication is not required again until the session expires or the browser is closed.

Timeouts outlined above are the advertised session times set by the policy, but some browsers can be set to retain sessions on closure and allow sessions to last longer than advertised.

Applications

Standalone applications have a token that should persist for 90 days unless you need to log in again for other reasons, such as following a software update.

The Teams application for Linux is an exception as it is similar to a browser, with session times persisting for 7 days.

MFA exemptions can be requested due to exceptional circumstances. Please refer to our MFA exception guidance.

All available MFA options should first be discussed with your local IT support team as an exemption could lead to severe consequences for the University through data loss, system impairment and reputational damage.

Exemptions are requested using the Exemption from Multi-Factor Authentication (MFA) service request and must be authorised by someone such as your manager, supervisor, tutor or administrator.