How-To: Setting up an iOS smartphone as a software token
This guide describes how to set up an iOS smartphone as a software token for multi-factor authentication.
Multi-factor authentication (MFA) is set up and used in 3 steps that together secure your logins to all supported services from now on.
- In the first step, you install an Authenticator app on a smartphone as a so-called token. Once set up, the Authenticator app generates one-time passwords for each login. This ensures that only people who have access to the smartphone in addition to the usual login data can log in to the MFA-enabled services.
- In the second step, register your smartphone with the MFA Token Self Service Portal LinOTP, the web service for managing your own tokens for use at university services. LinOTP can be accessed around the clock via the link on the right from within the university network or through a VPN.
- While the first two steps are only carried out once per smartphone, the third step describes the logon to an MFA-enabled service and is thus carried out many times. At first, only the university's VPN is supported here. Other services will follow.
Video tutorial
In addition to these instructions, you can watch the German video tutorial, which briefly shows you how to set up the token. We recommend that you also read the instructions in text form, as they contain more detailed information.
Installing the Authenticator app on your smartphone
Before setting up your first token, you must install a corresponding app on your mobile phone. Depending on your smartphone, please follow the steps below to ensure the security of your MFA credentials.
1. Installing the Authenticator app.
Open the Apple App Store on your iOS device and search for the “FreeOTP Authenticator” (provider Red Hat - ID 872559395) or an alternative of your choice. Install it on your device.
Creating a token
1. Log in to the MFA Token Self Service Platform.
Log in to https://mfa.uni-heidelberg.de on a trusted device other than your iOS smartphone with your usual university credentials. Before entering your data, you should check the domain and the shield symbol next to it to ensure that all transmitted data is really exchanged with our MFA solution.
2. Creating a token.
In the section “Set up new authentication method” select the option “Soft token (time-based)” and click on "Set up".
In the window that opens, you can enter a name at the bottom under “Token description” (e.g. “Work mobile phone” or "Private mobile phone"). Then click on “Next”.
You will now be shown a QR code, which you can scan with your smartphone.
Please do not click on "Next" until your smartphone has been successfully set up!
If the setup on your smartphone cannot be completed:
Please press “Cancel” and confirm the cancellation in the dialogue that immediately follows. You will now return to the overview of your tokens. This should be empty. If a token is still listed here, but you have not successfully set up a token, please delete the displayed token.
Setting up a smartphone as a token
To add this token, the following steps are now required depending on the smartphone:
1. Add a token.
Open the Authenticator app. A button “Add a token” is displayed in the middle of the main screen of the app. Tap it to add a new token.
2. Scan the QR code.
Point the camera of your iOS device at the QR code displayed in LinOTP. The app will automatically recognise the code and add the token.
Important: If you do not complete the token setup on your device for any reason, you must also end the process in the Self Service platform by clicking "Cancel" or, if it has already been completed, delete the token BEFORE logging out.
3. Select an icon.
Select an icon to be assigned to the token. You can choose from the available icons or upload your own image.
4. Activate the additional security.
Activate the option that the token is only displayed after unlocking the phone. This protects the token from unauthorised access.
Testing a token
After you have successfully set up the token, unlock your phone again and tap on the corresponding entry. This works the same way in all Authenticator apps.
The time-based one-time password (TOTP) is displayed and you can use it for the login via MFA.
Back on the self-service platform, you can now click on "Continue" and the confirmation of the token setup will appear. Click on "Test" to continue with the test.
In the dialogue that opens, please enter the current one-time password from your token and press "Submit".
It will now be shown whether your test was successful.
Test successful
If possible, set up a second token (e.g. KeePassXC) or log out of the platform.
You can now use MFA in all compatible applications. You can find specific help on this in the instructions for the corresponding services.
Test unsuccessful
If the test was not successful, please try again immediately. If this test is also unsuccessful, please delete the token immediately by clicking on the three dots in the overview and then on "Delete".
In this case, please contact your IT representative or the IT service.