Two-step authentication makes your account more secure by requiring something you have (a numeric code on your phone) and something you know (your username and password) to sign in.
Most major commercial web properties – Google, Facebook, Twitter, Apple, and so on – run two-step authentication. They suggest strongly that their customers turn it on.
Note: two-step authentication is mandatory University policy for all staff and postgraduate researchers. It's optional for postgraduate taught and undergraduate students. For security reasons you are also required to set security questions for your account; this makes it easier for you to reset your password should you forget it.
When two-step authentication is enabled, the sign-in process is as follows:
- You enter your username and password.
- You're prompted to enter a verification code – a six-digit number.
- Generate the code on your phone using an authenticator app or receive a code by text message.
- If the code you type matches the code on your phone, you're signed in successfully.
To avoid having to type a code each time you sign in, choose a duration from the "Don't ask for a code again on this device" drop-down list: until you close your browser; one week; one month; six months or one year. (Only recommended for devices that you're confident are physically secure.)
Note: During private browsing sessions, or when your browser settings delete cookies when you close the browser, you're always prompted to enter a verification code each time you sign in, even if you have previously selected "Don't ask for a code again on this device".
- Turn on two-step authentication
- Sign in with an authenticator app
- Sign in with a text message
- Sign in when you don't have your phone with you
- Backup verification codes
- What duration should I choose?
- Lost or stolen phones
- New device or changed phone number
- Revoke remembered devices
- Private browsing
- Allow cookies from the Single Sign-on domain