Skip to main content

Multi-factor authentication (MFA)

MFA will be introduced for the HESA Identity system (IDS) in Spring 2022. 

MFA provides an additional layer of protection for software systems and the data they contain. In practice this means you will need to perform one extra step to log in to any HESA system that you use.

This change is driven by HESA’s commitment and obligation to maintain the highest standards of information security and data protection. Implementation of MFA has been specifically recommended by the Information Commissioner’s Office and is essential to ensure the security of the personal data processed in HESA systems.  

The Basics

Access to HESA systems is controlled by the HESA Identity System (IDS). When you log in to any of the systems below you currently use an IDS username and password. From Spring 2022 after you enter your password you will be asked to authenticate your log-in via a third-party app on your phone.

The HESA systems controlled by IDS log-on are:

  • HESA Data Collection System
  • HESA Data Platform
  • Issue Management System
  • Graduate Outcomes Portal
  • Heidi Plus

Frequently asked questions

If your question is not covered below please email [email protected]


Do I need to provide my phone number or other personal details to HESA?

No. HESA will not collect or store any new personal information as part of the authentication process.

When will this change occur?

The current planned date for roll-out of MFA is Thursday 31 March 2022. We will contact all users in advance to confirm this date or let you know of any changes to the schedule.

How often will I be asked to authenticate?

You will be asked to authenticate each time you log in to IDS.

Can I receive an authentication code by SMS text message or email?

No. You will only be able to authenticate via a third-party authenticator application.

If your organisation provides a full-featured password manager as a desktop application or browser plug-in you may also be able to authenticate your IDS log-in by this means.

Which third party authenticator apps can I use?

Please contact your IT or Information Security department to discuss your requirements.

Examples of authenticator applications include those listed below. Please note that there are others available and HESA does not endorse any particular third-party application for this purpose.


  • Microsoft authenticator
  • Google authenticator
  • LastPass authenticator
  • Keeper
  • 1Password

How do I get technical/practical support?

We will publish detailed instructions and training materials on this page in due course.

The Liaison team are available during usual office hours to support you. Email [email protected] or call +44 (0)1242 388 531.

Technical support for individual authenticator apps is provided by the app’s developers.

Can we use a shared email account to log in to IDS?

No. You must not use a shared account to access HESA systems. The IDS terms and conditions require that your credentials must be kept confidential and use of a shared log-in breaches this requirement.. Users must not attempt to use any third party software to allow the use of a shared email account.