Important: migration to Microsoft MFA for authentication
These help articles cover two-step authentication on the University's Single Sign-on service (also known as Web Sign-on). We're currently replacing this service with Microsoft's Multi-Factor Authentication (MFA) - read more about this. We're migrating users to the Microsoft service in batches; if you see a message about the Microsoft account portal when you go to https://websignon.warwick.ac.uk/origin/account/twostep, you've been migrated. Some things to note about authentication codes:
- Codes from the My Warwick app - it's not possible to use the My Warwick app for authentication codes once you've been migrated. For that reason, if you currently use codes from My Warwick you should switch to another authentication method, such as an authenticator app.
- Codes from an authenticator app or text message - your settings for these authentication methods are migrated from Single Sign-on to Microsoft MFA and will continue to work.
- Backup codes - these are not a feature of Microsoft MFA. Instead, once you've been migrated you should specify backup authentication methods in the Microsoft account portal, such as receiving a code via text message, or via an automated voice call to a landline number.
If you lose access to your account, please contact the Help Desk for assistance.
Two-step authentication makes your account more secure by requiring something you have (a numeric code on your phone) and something you know (your username and password) to sign in.
Most major commercial web properties – Google, Facebook, Twitter, Apple, and so on – run two-step authentication.
Note: Enabling two-step is University policy. For security reasons you are also required to set security questions for your account; this makes it easier for you to reset your password should you forget it.
When two-step authentication is enabled, the sign-in process is as follows:
- You enter your username and password.
- You're prompted to enter a verification code – a six-digit number.
- Generate the code on your phone using an authenticator app or receive a code by text message.
- If the code you type matches the code on your phone, you're signed in successfully.
To avoid having to type a code each time you sign in, choose a duration from the Don't ask for a code again on this device drop-down list: until you close your browser; one week; one month; six months or one year. (Only recommended for devices that you're confident are physically secure.)Note: The above step does not apply if you've been migrated to Microsoft MFA - see box above.
During private browsing sessions, or when your browser settings delete cookies when you close the browser, you're always prompted to enter a verification code each time you sign in, even if you have previously selected Don't ask for a code again on this device.
- Turn on two-step authentication
- Sign in with an authenticator app
- Sign in with a text message
- Sign in when you don't have your phone with you
- Backup verification codes
- What duration should I choose?
- Lost or stolen phones
- Use an alternative device to authenticate
- New device or changed phone number
- Revoke remembered devices
- Private browsing
- Allow cookies from the Single Sign-on domain