Skip to main content

Two-step authentication

Two-step authentication makes your account more secure by requiring something you have (a numeric code on your phone) and something you know (your username and password) to sign in.

Most major commercial web properties – Google, Facebook, Twitter, Apple, and so on – run two-step authentication. They suggest strongly that their customers turn it on.

Note: two-step authentication is a mandatory University policy for all staff and postgraduate researchers. It's optional for postgraduate taught and undergraduate students.

We're implementing the policy in Single Sign-on between March and June 2018 in phases – central service and administration departments first, then one faculty at a time. When we implement the policy for your department, you'll be prompted to turn on two-step authentication but you can skip this for up to two weeks. After that, you won't be able to sign in without using two-step authentication.

When two-step authentication is enabled, the sign-in process is as follows:

  1. You enter your username and password.
  2. You're prompted to enter a verification code – a six-digit number.
  3. Generate the code on your phone using an authenticator app or receive a code by text message.
  4. If the code you type matches the code on your phone, you're signed in successfully.
  5. To avoid having to type a code each time you sign in, choose a duration from the Don't ask for a code again on this device drop-down list: until you close your browser; one week; one month; six months or one year. (Only recommended for devices that you're confident are physically secure.)

    Note: During private browsing sessions, or when your browser settings delete cookies when you close the browser, you're always prompted to enter a verification code each time you sign in, even if you have previously selected Don't ask for a code again on this device.

Related articles

Turn on two-step authentication