30th May 2023

Multi-factor Authentication (MFA)

The University of Hertfordshire is committed to cyber security: Find out what action you need to take to protect your University login account.

All students are required to use MFA when logging into University Systems

What does this mean for me?

At the University of Hertfordshire, we use Microsoft MFA (MS MFA) as an extra layer of security in addition to your university password.

MFA asks you to confirm your identity using a second 'factor', such as a push notification on the MS MFA app on your phone.

If you are a new student you will be asked to set up MS MFA when you first start using your UH user account. Simply follow the instructions on the screen as they pop up.

Use the app: We strongly recommend that you use the Microsoft Authenticator app on your smartphone. This is especially important if you are an International Student as the app will work regardless of location, phone signal, or wifi availability.

Do not uninstall and then reinstall the app once you have it as this will prevent you from logging in to your account.

If you are a current student and have not yet set up MFA, you will need to do this the next time you log in to a protected system such as O365, StudyNet (to access your timetable), or Canvas. Please don't wait until you need to use a system to set up your authentication device as this may delay access to key systems when you most need them.

Get the Microsoft Multi-factor Authentication app

MFA enrolment overview diagram:

MFA set up process diagram

How do I manage my MFA devices and methods?
How do I use MFA?
MFA enrolment instructions
Setting up MFA without a smartphone.
Guidance for new students
Adding additional authentication method (recommended)
International Students
Our 'Top Tips' for MFA
Frequently asked questions (FAQs)
NHS laptops and working in secure locations
I'm a new student and I can't log in to complete UH registration
Setting up and using MFA outside the UK
MFA and computer-based exams
Number matching security feature for MS MFA app
Help and support

How do I manage my MFA devices and methods?

Go to https://mysignins.microsoft.com/security-info, log in using your hertsusername@herts.ac.uk, and follow the on-screen instructions to add method.
You can set up phone call and SMS as additional methods, but we always recommend choosing the MS MFA App as your default authentication method.

How do I use MFA?

When you log into a protected system you will receive a request to authenticate. You need to have your phone with you if this is how you authenticate.
How often you have to authenticate will vary and is dependent on factors such as switching between browsers and devices.
If you are using the app you will also be asked to enter a 2-digit code. This is called number matching and is a quick and effective additional security measure.

When would I use the One Time Password (OTP) code that appears in the app?

Sometimes it may not be possible to use the push notification; perhaps you have no Wi-Fi or phone signal but you need to log into a system. In this case, you can use the one-time password code in the app, which is refreshed every 30 seconds and works even in airplane mode.
Select ‘use a different verification option’ and then enter the OTP code from your app.
You will need to install the Microsoft Authenticator app and add it as a security method first. Do this before you need it!

I have received an authentication request on my phone, but I am not logging into anything?

Do not approve the request if you did not initiate it. You should select DENY or IT'S NOT ME to the request.
If you are using the app, you may have to open the app in full in order to select this.
Please report any suspicious activity on your account to the Helpdesk immediately.
Remember, you can change your password anytime by going to https://www.pss.herts.ac.uk

Can I use the app for MFA on my personal accounts?

Yes, you can add your personal Microsoft account and other non-MS accounts such as Google or Facebook.
Find out more on the Microsoft help pages.

MS MFA enrolment instructions

You will need:

your mobile phone
a PC or tablet connected to the internet

Authentication via the Microsoft app on your smartphone is recommended. If you don’t have a smartphone, don’t worry, you can still set up MFA; see further down for non-smartphone setup instructions.

On your PC / tablet go to https://mysignins.microsoft.com/security-info

If your university student account is not your default Microsoft account, please log out of this first.
Log into your UH student account and remember to put @herts.ac.uk after your username. You will now see the 'my sign ins’ security info page.
Once signed in click on ‘add method’. Select ‘authenticator app’ from the drop-down list, and then ‘add’.
The next screen will ask you to install the Microsoft authenticator app. Leave this window open while you download the app to your smartphone. If prompted allow notifications in the app.
In the app, select ‘add an account’ and choose the one called ‘work or school’
- Select the required app permissions such as ‘use camera,’ which you will need as part of the set-up process.
- You can change the camera app permission when the set up is complete.
- Once you have downloaded the app click next on your computer.
A QR code will be generated which you need to scan with your phone’s camera.
- If you can’t scan the image, you can enter the URL code manually.
- If the QR code times out, simply repeat.
- Click next on your computer to get an ‘approve sign-in request sent to your phone to confirm it is all working.
Confirm your sign-in on the authentication pop-up request that will appear on your phone, and you are now all signed up.

Watch this video from Microsoft to see how it looks on the screen.

Setting up MFA without a smartphone.

On your PC / tablet go to https://mysignins.microsoft.com/security-info
If your university student account is not your default Microsoft account, please log out first.
Log into your UH student account and remember to put @herts.ac.uk after your username. You will now see the ‘my sign ins’ security info page.
Once signed in click on ‘add method’, select 'phone’ from the drop-down list, and then ‘add’.
Select your country code and enter your phone number
Select text me a code or call me
Enter the code sent to your phone number to confirm your MFA setup.
On the security page, you can then set the default authentication method to either call or text

Guidance for new students

All new students are automatically directed to enrol in Microsoft Multi-factor Authentication (MS MFA) as part of their University account setup process.
Remember to enter your username in the format: username@herts.ac.uk (e.g. ab19cde@herts.ac.uk)
Can't sign in to complete registration?

Setting up an alternative authentication method and/or device.

Being able to authenticate on a second device will enable you to access your accounts if you lose or forget your primary mobile device or if you need to set up MFA on a new phone.
Simply return to https://mysignins.microsoft.com/security-info, log in, and follow the on-screen instructions to add method.
You can also choose your default authentication method here, although we always recommend using the app whenever possible.
If you have lost or forgotten your authentication method, please contact the Helpdesk.

International Students

International Students intending to travel to the UK to study should use the Microsoft Authenticator app as the default authentication method.

Video: Set up multi-factor authentication with a mobile device in Microsoft

Authentication methods using a non-UK SIM number for SMS and calls will stop working once you are in the UK.

You will not be able to add a UK SIM card number as an authentication method unless you can also authenticate using another method to confirm the change - this is why you should set up the MFA app before you arrive in the UK.

The Microsoft Authenticator app is designed to work internationally.

Once you have arrived in the UK log into https://mysignins.microsoft.com/security-info and add any further methods you’d like to use such as a UK mobile number.
The MS MFA app can create time-based one-time passwords (OTPs) that you can use to verify your account without needing access to the internet or a mobile network.

If you are unable to authenticate after traveling to the UK, please contact the Helpdesk for further support.

Q: I am an international student studying at an overseas campus/college - do I need to enrol in MFA?

Yes. If you have a University of Hertfordshire student log-in account you will need to enrol in MFA.

Top tips for MFA:

Remember: You must have your authentication device with you in order to log in - so please don't leave it behind.
It may take up to 20 mins for accounts to synchronise following authentication device setup.
If you can, use the MS MFA app with notifications as your default method.
Do not uninstall and then reinstall the app once you have it as this will prevent you from logging in to your account.
No signal? Changed your sim card? Open the app and use the One Time Passcode (OTP) to authenticate.
Register more than one authentication device and method

FAQs (frequently asked questions and answers)

I am a returning student, do I need to set up MFA each year?

No, setting up MFA is a one-time action and is linked to your Herts user account that you use throughout your studies at Herts.

Can I opt out of MFA?

No, you cannot opt out.
Removing your authentication method will not un-enroll you, but will prevent you from logging into our systems, including O365 applications and StudyNet.
If you have removed your authentication methods and can no longer log in, please contact the Helpdesk.

What happens if I remove the UH account from the app?

This is not recommended unless you already have the phone/SMS authentication method set up as well.
You won’t be able to log into any system or update the security settings on your Microsoft account as you will no longer have any means of authenticating. You will need to call the Helpdesk.

Will this cost me anything?

Downloading and using the authenticator app is free.
The University and Microsoft will not charge for calls or texts, but you may be subject to usage charges to receive calls or texts just like any other call or text according to your phone contract.

I don't have a smartphone.

If you do not have a suitable phone, you can also authenticate via text or phone call.
If you cannot use the app, text (SMS), or phone call options please contact the Helpdesk.

Can I use a hardware authentication device such as Yubikey?

Yes, you can use a hardware device such as a Yubikey but our Helpdesk is unable to provide support for setting up hardware devices used for authentication.
Not all hardware devices will be compatible with Microsoft MFA.
To identify compatible Yubikeys and Yubikey MFA enrolment instructions please read this article from Yubikey.

I am already using the Microsoft Authenticator app for another account – can I use the same app?

Yes – just follow the ‘add account’ instructions in the app.

I can't remember my student login username and/or password

Your username is in the format username@herts.ac.uk
If you have forgotten your username please contact the Library and Computing Service Helpdesk.
If you have forgotten your student account password you can reset this at https://www.pss.herts.ac.uk/

What do I do if I lose or forget my authentication device?

Please contact the Helpdesk.
You will be asked to provide your username or student ID number.
Please be aware that Helpdesk staff will need to confirm your identity but they will never ask for your password.
You may need to wait 15 minutes once Helpdesk has provided assistance before you are able to log in.

How do I make sure notifications don't continue to go to my lost device?

Adding Authenticator to your new device doesn't automatically remove the app from your old device. Even deleting the app from your old device isn't enough. You must both delete the app from your old device AND tell Microsoft or your organization to forget and unregister the old device.
Find out more on the Microsoft FAQ page

How do I set up MS MFA on a new phone?

Please ensure you have first set up an alternative method of authentication such as a landline, SMS, or another mobile.

If you are able to, keep the authenticator app active on your old phone while you set up the new one, as that can still be used as a method of authentication.

If your phone has been lost or stolen please contact the Helpdesk.

Watch this video or read below to set up your new phone.

Download the Microsoft MFA app to your new phone.
On your PC / tablet go to https://mysignins.microsoft.com/security-info
Enter your password and sign in (you will be prompted to authenticate on your current device at this point)
Click 'Add method'
From the drop-down options select your required method and click Add
Open the App, click Add account, then click Work or School Account
Select the option to Scan a QR code. You may get a prompt asking you to give the authenticator app permission to access the Camera. Please allow access to the camera.
Scan the QR code
Approve the notification that will now be sent to the app on your phone.
Click Next
The app set-up is complete, and your multi-factor authentication method has been set-up
Delete the existing authentication methods linked to the old phone

I got a new device or restored my device from a backup. How do I set up my accounts in Authenticator again?

If you turned on Cloud Backup on your old device, you can use your old backup to recover your account credentials on your new iOS or Android device.
For more info, see the Backup and recover account credentials with Authenticator article.

I am getting unexpected MFA prompts

Do not ignore unexpected prompts, it could be a sign that someone else has got hold of your username and password
Do not authenticate any unexpected login attempts as this may give a criminal access to your accounts
Go to https://pss.herts.ac.uk and change your password to something only you will know as soon as possible
If you do spot any unusual or suspicious activity on your University account call the Helpdesk for further advice

Do not allow others to use your mobile number to authenticate to their accounts, or ask others to use their mobile phone to authenticate access to your account.

Technical issues and troubleshooting

Troubleshooting - There are some common two-step verification problems that seem to happen more frequently than any of us would like. Microsoft has put together this article to describe fixes for the most common problems.

I am following the instructions to set up MFA but get an error message like this:

We recommend opening up a different web browser (e.g. Firefox or Mozilla) and then logging into https://mysignins.microsoft.com/security-info .

Sometimes clearing your browser cache can help resolve a variety of issues. Here are instructions on how to do this for some of the most commonly used browsers:

Chrome browser

On your computer, open Chrome.
At the top right corner, click the 3 vertical dots
Click settings and then in the search bar at the top type "cache" - click clear browsing data
At the top, choose a time range.
Next to "Cookies and other site data" and "Cached images and files," check the boxes are ticked.
Click Clear data.
Restart Chrome

Safari browser

From the home screen, Select Settings > Safari.
At the bottom of Safari's settings screen, Select Clear cookies and data or Clear Cookies and Clear Cache.
Confirm when prompted.
Restart Safari

Edge browser

Open Microsoft Edge, select Menu (3 dots icon on top right corner of the browser) > Settings > Privacy, search & services.
Under Clear browsing data, select Choose what to clear.
Select "Cached images and files" and "Cookies and other site data" check box and then select Clear.
Restart Edge

IE (Internet Explorer) browser

Click on the cog icon in the top right-hand corner
Click Internet Options
Under Browsing history, Select Delete
In the window that opens, check the Temporary Internet Files & cookies and website data and press the delete button at the bottom.
Restart IE

I have made several attempts to login into my MFA account after setting it up but failed

Please contact the Helpdesk: Telephone: +44 (0)1707 284678 or email: helpdesk@herts.ac.uk

I have set up MFA but I am not receiving any SMS, calls, or push notifications when authenticating

The most likely explanation is that you have changed your sim card (and telephone number), or perhaps you have lost your signal, Wi-Fi, or data connection.
As long as you have previously set up the MS Authenticator app on your mobile phone you can use the One Time Passcode (OTP) function.
This will continue to work even with no sim card or in airplane mode.
Contact the Helpdesk for further assistance if needed

I don’t see any notifications when the app is closed

You may need to check your app and phone settings.
Find out more on the Microsoft FAQ page.

I am getting an error message when signing into Canvas

You may occasionally get a log-in failure when going to Canvas directly from a web browser via a bookmark.

This is a cache issue and is usually resolved by opening up Canvas in another browser or in incognito mode.

NHS laptops and working in secure locations

We are aware that NHS laptops may restrict your ability to manage your MFA devices and authenticate.

If you are a student using a work computer (e.g. NHS) that restricts your web browser access you may need to log into a different device to set up your authentication methods.

Once set up you will be able to authenticate on the work computer you normally use.
The LRCs are open 24/7 if you wish to come onto campus to use a PC.

If you are working in a secure location where mobile phone access is restricted and are unable to authenticate please get in touch with the Helpdesk to discuss other options.

I am a new student and I can't log in to complete registration.

You will initially need to log in using the username and one-time password we provided.
If you can't remember your details please contact the Helpdesk.
You can change or recover your University password online at https://www.pss.herts.ac.uk/
You will not be able to log in further until you have set up your additional account authentication method, if you are unable to do this please contact the Helpdesk.
If you have successfully logged in and set up your authentication method, but are still unable to complete registration please contact ask@herts.ac.uk and include a screenshot of your issue if possible.

Setting up and using MFA outside the UK

Q: Is the Microsoft Authenticator app for Android available for download in China.

Yes, but with some feature limitations. Find out more on the Microsoft help pages.

Q: Can I use MFA if I live or travel abroad?

Yes. The Microsoft Authenticator app is designed to work internationally.

MFA and computer-based exams and assessments

This will be determined by the conditions set for your particular exam,

If necessary you will be allowed to use an MFA device before the exam starts so you can successfully log in to any systems or software required for the exam.
Your authentication device (typically your mobile phone) must then be switched off and put away as instructed by the invigilator in accordance with the requirements for each exam session.
Please note that the arrangements may vary between exams.
If you have any issues with MFA before the exam or you have lost/forgotten your phone please contact the Helpdesk as soon as possible. Telephone: +44 (0)1707 284678 or email: helpdesk@herts.ac.uk .
For more detailed information please read: MFA and computer-based exam guidance for staff and students

Number matching

From May 2023 number matching will be added to the Microsoft Authenticator app (push notifications) used for multi-factor authentication (MFA).

This is in response to increased numbers of push notification fatigue attacks by cybercriminals.
If you use a different authentication method like SMS, you will be unaffected

What do you need to do?

When you log in to a protected system you will be presented with a two-digit number to enter into the app on your mobile device instead of simply approving.
Please keep using the MS MFA app as your default authentication method if you can (the app is our recommended authentication method).
Make sure the app is updated on your phone to the latest version to ensure it is working securely and correctly.

Will I still be able to use MFA on my smartwatch?

No, smartwatches are not supported for this feature.

Please add another device (mobile phone) if you have not already done so and make this your default authentication device.
We recommend removing the Microsoft Authenticator app from smartwatches.
Find out how to set up a new authentication method or device and manage your MFA devices.

What will it look like?

The next time you log in to a protected system the login screen will ask you to authenticate and show you a randomly generated number.

Screen shot of numbers appearing on screen

Open the app on your phone, enter the code, and click YES.
Android phone MS MFA app screen shot
(Android phone example above – iPhone will look slightly different)

You may also use alternative verification options if you have set them up in advance.

Screen shot of alternative verification options

Remember: If you get an unexpected authentication request you should select NO, IT’S NOT ME.

This may indicate that your username and password have been compromised and you should change your password at https://www.pss.herts.ac.uk/ and alert the Helpdesk.
Find out more about setting up and managing your University password.

Can't enter numbers in your app?

If you do not have the option to input the numbers into your Microsoft Authenticator app when requested, you may need to upgrade your Authenticator app to the latest version.
You will still be able to use SMS/ phone calls if you have set this up before.

If you have any problems authenticating when logging into your University account, please contact the Helpdesk

Help and support

Find out more about the MS Authenticator app directly from Microsoft

Contact the Library and Computing Services Helpdesk

Online: https://helpdesk.herts.ac.uk/login
Telephone: +44 (0)1707 284678
Email: helpdesk@herts.ac.uk

Find out more, including information about permissions and data: Microsoft Authenticator app FAQs

Staying safe online Viruses and worms on your PC Choosing and managing your password Your University account