Service Multi-factor Authentication (MFA)
Greater security for your login
Every time you log in, an authentication process checks whether the given account really belongs to the user making the request. Typically, a password is used to verify access authorization, and in the context of a login, this is referred to as a factor. However, since a password can easily be obtained along with the username, for example, through phishing, this approach no longer offers state-of-the-art protection against third parties gaining unauthorized access to an account and all of its associated data and rights.
With multi-factor authentication (MFA), your identity is verified during login using other, independent factors in addition to your password. The URZ provides the MFA Token Self Service platform (with the LinOTP software) as a centralized service for Heidelberg university employees and students to set up additional factors. Here, multiple factors are made available, which users can select and set up individually.
If you encounter any obstacles or have any questions when setting up your tokens or using MFA on the VPN, please contact IT Service by video call.
- MFA Token Self Service platform (access limited to the university network or VPN)
- How-to: Setting up an Android smartphone as a software token
- How-to: Setting up an iOS smartphone as a software token
- How-To: Set up KeePassXC as a token
- How-To: Login Cisco Secure Client - AnyConnect - VPN
- Help via video call
Target Group
- University employees
- Students
- Users with a project number
Use
- Additional factors, unlike passwords, are not just static bits of information and cannot be easily copied. As a result, MFA provides a secure login process for the connected services thereby increasing the protection of user accounts and data.
- Factors from different categories, such as “knowledge” (e.g. a personal password) and “possession” (e.g. a smartphone with an authenticator app or a hardware token) as well as “inherent” (e.g. individual biometric characteristics such as fingerprint or face), reinforce each other and significantly reduce the risk of attacks.
- Account theft is made much more difficult and requires considerably more effort. This means that the data and permissions of all users are better protected.
explanatory video: BSI
Access and Requirements
The login for the connected services consists of multiple steps:
- using your personal Uni ID or project number and password (factor one - something the user "knows") as well as
- an additional token in the second step (factor two - something the user "has").
A token is an additional asset that users must have in their possession as a second factor. This includes, for example, a smartphone with a corresponding authenticator app that generates time-based one-time passwords or a hardware token. These one-time passwords can then be entered when logging in to the MFA protected services.
The following requirements must be met to use MFA:
- You must have a Uni-ID or project number.
- You must have set up at least one additional factor (e.g. smartphone with authenticator app) using LinOTP (login via Uni ID or project number).
- The setup of additional factors must be done from the university network or via VPN.
By default, so-called software tokens are recommended for creating one-time passwords, which can be generated using a smartphone and an Authenticator app. It is also possible to generate the tokens using software (KeePassXC) on a PC or Mac if no smartphone/tablet PC is available.
In addition to software-based tokens, hardware tokens can also be used. All institutions therefore have the option of procuring their own hardware tokens in a decentralized manner, whereby the URZ recommends certain manufacturers and devices. A list of tested tokens can be found in the FAQ.
How-tos and training courses
Frequently Asked Questions
Table filters
Table
What applies to new students? | Newly enrolled students receive an initial token by post together with their Uni-ID and the corresponding activation code. This token is a randomly generated password that can only be used ten times and is only valid for a certain period of time. Please set up a permanent token via the MFA Token Self Service platform as soon as possible after receiving the letter. You can access the platform from within the university network. If you do not have access to the university network, you can also access the platform via VPN: Step 1: Set up your VPN access. To do this, download the VPN client Cisco Any Connect with the initial token and log in with it. You can now establish a secure connection to the university network from anywhere via VPN. Step 2: Set up your permanent token. Then log in to the MFA Token Self Service platform and set up your long-term second factor authentication method. |
Do employees also receive an initial token? | No, please access the MFA Token Self Service platform from within the university network or contact the IT service as described below. |
I am not in Heidelberg, but have not yet set up a token. What can I do? | Please contact the URZ video call service to securely set up a token with our service staff: https://www.urz.uni-heidelberg.de/en/newsroom/it-service-now-offering-video-call-consultations |
How many factors should I set up? | We recommend setting up two different tokens (e.g. smartphone and PC). This means that if you lose one of the tokens, you will still have independent access to the Self Service platform and can delete the lost token and set up a new one. |
Do you recommend using a smartphone app as a factor? | Yes, this is a secure factor. Concrete recommendations can be found in the MFA how-tos. |
If no smartphone is available, can a token also be set up using software on a PC? | Yes, it is possible to create the tokens with the KeePassXC software on a PC or Mac if no smartphone/tablet PC is available. This possibility in no way diminishes the benefits of MFA compared to the main risk - the phishing of account data. Of course, there is the possibility that the end device used has been compromised and access to the token has been granted: In this case, however, the input of a hardware token can also be read. Only the much more complex FIDO2 can mitigate this attack vector. |
What do OTP and TOTP mean? | OTP stands for one-time password. TOTP stands for time-based one-time password. |
What kinds of factors are supported? | Initially, time-based one-time passwords (TOTP) on a cell phone or as hardware or as hardware tokens as well as Yubikeys are supported. For the MFA Token Self Service platform, the LinOTP software is used. This supports a wide range of tokens. For most purposes, however, only the only the text-based and not protocol-based methods can be used. We therefore recommend TOTP or HOTP according to the standard RFC 6238, which actually includes almost all tokens on the market. FIDO2 could be added after some time, but we will not be able to support it at the start. |
How do I connect to the VPN via openconnect? | On the command line: sudo openconnect vpn-ac.uni-heidelberg.de/2fa --useragent='AnyConnect' In the Network Manager, please enter the gateway 'vpn-ac.uni-heidelberg.de/2fa' and the programme ID 'AnyConnect'. The Network Manager Openconnect component version 1.2.10 or higher should be used. |
How can I log in to the Token Self Service platform? | Login to the Token Self Service platform is only possible before setting up a token without a second factor. Once a token has been set up, you can only log in with this second factor. Therefore, make sure that you complete the setup completely or delete a partially set up token before logging out of the platform. Otherwise you will no longer be able to log in without the help of the IT service. |
Can employees use hardware tokens? | We advise against this for environmental and organizational reasons. Nevertheless, institutes and other decentralized institutions can purchase their own hardware tokens using the normal Beschaffungsregeln. The technical requirement is that RFC 6238 is supported and that the seeds are transferred to you by the vendor in an encrypted file. Please note that only the IT representatives can import the tokens: https://www.urz.uni-heidelberg.de/de/anleitung-import-von-instituts-token |
Can students use hardware tokens? | As with the institutes, we advise against this. As it is not possible to import individual seeds, the only option here is to use a token generator with camera and RFC 6238 (such as the Rainer SCT Authenticator) with camera. You can use these to scan the QR code on the self-service platform and then generate TOTPs. However, we cannot offer technical support for this solution. Use of this method is at your own risk. |