Practical tips for using Multi-Factor Authentication (MFA)
This guide provides practical solutions for common Multi-Factor Authentication (MFA) scenarios, helping you complete authentication in an easy and effective way.
I want to avoid being ‘locked out’ of MFA
You should set up at least two MFA methods, so you can continue to access your account if you’re unable to use your first MFA method.
For example, if you already have the Authenticator app on your phone, you can set up the web browser extension or an alternative automated phone call method. You can do this by adding or changing your MFA methods via the Microsoft My Sign-Ins page.
I have poor or no signal
If you don’t have internet or phone signal, you can use the six-digit one-time password code generated by the Authenticator app.
I receive too many MFA requests
Follow these tips for a smoother MFA experience:
- When prompted with a Stay signed in? message, choose Yes to remain signed in for longer - but only on trusted devices. This reduces how often you’re prompted to authenticate on your usual device and browser.
- If you do close the browser, make sure you reopen the same browser normally (not in private or incognito mode), and avoid clearing cookies or site data unless necessary. These actions can trigger a fresh sign-in and MFA prompt each time.
- On public or shared devices, always log out fully when finished.
I’ve lost or damaged my phone
If you have lost or damaged your phone and do not have a second method of authentication, you will need to reset your MFA methods. The recommended and fastest option is to use the Self-Service reset tool. You’ll need to sign in to the Password Self Service page to start the process.
Once you have reset your authentication, you can then set up the web browser extension or the automated phone call method to complete MFA.
I have a new phone
You will need to set up MFA on your new device if you replace your phone. To do this, use your old device (or an alternative method) to authenticate and finalise setting up MFA on your new device. We have guidance on what to do if you change your device or contact number.
However, if you’ve changed both your phone and number, and haven’t set up an alternative method or can’t access your old device, you'll need to reset your MFA methods. The recommended and fastest option is to use the Self-Service reset tool.
I don’t have a mobile phone
If you don’t have a mobile phone, you can set up the automated phone call method using a phone call back to verify your login, or use the web browser extension method to complete MFA.
Make sure to set up at least two MFA methods, so you can access your account if you’re unable to use your primary method. If these options are not suitable, then please contact IT Support to discuss further.
I am travelling abroad
The Microsoft Authenticator app will work in the same way whether you’re in the UK or abroad:
- if you have a reliable internet connection, the app will send the 2-digit verification code to your device
- if you are offline, you can use the six-digit one-time password code method within the app. To avoid issues, make sure your device's time and date are set automatically
- the automated phone call method will work if you have a mobile call and data package to support incoming international calls
If you would like to use a different primary phone number whilst abroad, then you can add this as an additional method to your account by visiting the Microsoft My Sign-Ins page.
We recommend enabling at least two methods of authentication on your account before travelling to avoid MFA lockout.
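Why the offline six-digit code depends on your device's clock, shown as an added example (not part of the original guide or any Microsoft code): it assumes the code is a standard time-based one-time password (RFC 6238, 30-second steps, HMAC-SHA1) and that the verifying service tolerates one step either side, which is an illustrative assumption. The secret and timestamp are the published RFC 6238 test values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code (RFC 6238 default; assumed here)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """Code a device shows when its own clock reads unix_time."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the time-step offset at which the code matches, or None.

    window=1 (one step either side) is an assumed tolerance for this example.
    """
    counter = server_time // STEP
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return drift
    return None


# Constructed sample data: RFC 6238 test secret and one of its test timestamps.
SECRET = b"12345678901234567890"
SERVER_TIME = 1111111109

if __name__ == "__main__":
    # Same secret, same moment, three different device clocks.
    for label, skew in [("clock correct", 0), ("20 s fast", 20), ("5 min slow", -300)]:
        code = totp(SECRET, SERVER_TIME + skew)
        result = verify(SECRET, code, SERVER_TIME)
        print(f"{label:14} code={code} match_offset={result}")
```

A device whose clock is a few seconds out still produces an accepted code, while one that is minutes out produces a code the service rejects even though the secret is correct.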
I am concerned about my phone number being used for other purposes
All phone numbers used for MFA are encrypted as part of your account. Only you can view and change them.
This information is not accessible to Cardiff University IT staff or anyone else. Your phone number will only be used for the security of your account. This data is not used or transferred to any other system.
I received an MFA approval notification that I didn’t request
Don’t approve any login approval requests you didn’t ask for. It usually means someone else has your username and password and is trying to access your account.
If you receive an unfamiliar login approval request, you should:
- Reject the request.
- Change your password right away.
- Let IT Support know what happened by contacting them via the portal form.