Multifactor-Authentication describes a procedure in which users must confirm their login via a separate application or a separate medium/device.

This increases the security of both the systems used by the user and the security of services at RWTH Aachen University and can protect users from data misuse.

Employees, students and members of RWTH Aachen University require an additional factor (security key) to their existing login data in order to access the services.

The RWTH Single Sign-On supports two-factor authentification as MFA, which is realized via a so called token.

The Protected Services and respective Token Procedures page explains the options offered by MFA.

As soon as you have set up your tokens in the Selfservice via the Token Manager, you must enter an additional one-time security codes when logging in to a service protected by multifactor-authentification. 
When logging in to the service, you must first enter your known login details. You will then be asked to enter your second factor. 

When using a second factor on RWTH Single Sign-On services, you will first be asked to select a token that you would like to use when logging in. Then follow the instructions on the screen.

Currently, the following token types are supported:

• The hardware token for VPN and RWTH Signle Sign-On (HOTP)* (HOTP - HMAC-based One-time Password Algorithm) is also used at RWTH with a hardware key, the YubiKey also supports this token. It can be used for SSO services as well as for VPN. To use a hardware key for the "Hardware token for VPN and RWTH Single Sign-On (HOTP)", a corresponding manager app (e.g. YubiKey Manager) must be installed on the PC and set up with the token manager. The configuration is then carried out according to the instructions in the app and the self-service via the token manager. The hardware token is currently the most secure second factor at RWTH Aachen University.
• The hardware token for RWTH Single Sign-On (WebAuthN/FIDO2)* is used with a hardware key such as YubiKey. To use it, simply insert the key into the usb slot in your PC during the set up in the Selfservice and then follow the instructions on the screen. The hardware token is currently the most secure second factor at RWTH Aachen University.
• The Token Authenticator App, e.g. for smartphones (TOTP) (TOTP - Time-based One-time Password), requires a corresponding app to which the token is linked. This app is then used to continuously generate one-time security codes which expire after a certain amount of time (e.g. 30 seconds). It should be noted that different TOTP apps support different one-time security codes character lengths and hash algorithms.
• The TAN list (one-time security code) contains a list of one-time security codes. The individual one-time security codes are invalid after they have been used or skipped and cannot be used again. This list has to be set up for the use of MFA and saved separately. The one-time security codes are primarily used as a backup solution in case other tokens can no longer be used (e.g. loss of device or e-mail address). The list itself is protected with a password, which must be selected and set when the token is created. The password cannot be viewed or changed afterwards.
• When using the e-mail token, you will be sent a one-time security code when you log in.