
Hardware Token for VPN and RWTH Single Sign-On (HOTP)


The hardware token for VPN and RWTH Single Sign-On (HOTP) is used with a physical security key (e.g. YubiKey).

  1. Requirements for the use of the hardware token
  2. Configuration
  3. Login with a security key
  4. Resync (optional)

1. Requirements for the use of the hardware token

  • You have a hardware security key (hardware token).
    • Yubikey 5 Series, Nitrokey 3 and selected Feitian keys are compatible with both "Hardware token for VPN and RWTH Single Sign-On (HOTP)" and "Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)".
    • To set up this token, the security key must at least support the OTP (one time password) protocol.
  • You have installed a corresponding manager app (e.g. Yubico Authenticator).

2. Configuration

Video tutorial on token setup for VPN using the Yubikey Manager:


Step 1
Insert your security key into a USB slot of your PC.

Step 2
Open the Token Manager.

Step 3
Log in with RWTH Single Sign-On.

Step 4
Click on the blue Create button at the bottom left of the Token Manager.

Screenshot showing the IDM self-service, the ‘Token Manager (MFA)’ is selected. The ‘Create’ button is located at the bottom of the page. Existing token procedures may be listed in a table above.

Step 5
Choose Hardware token for VPN and RWTH Single Sign-On (HOTP).

Screenshot showing the options available when creating a token. The different types are arranged in a table. ‘Hardware token for VPN and RWTH’ is in the first column and must be selected. The ‘Next’ button is at the bottom of the page.

Step 6
Click on Next.

Step 7
Enter a unique description for the security key (e.g. My HOTP key for VPN). This helps you to differentiate between tokens, especially if you have created several tokens.

Optional
You can adjust the length of the security code under Advanced options. The default setting is 6 characters, which does not need to be changed.
You must make sure that the length of the one-time security codes in the Token Manager and in the Manager app is set to the same value. If you cannot change the length of the codes, leave them at the default setting of 6 characters.

Screenshot showing the page for finalizing the key. A name for the key must be assigned under ‘Description’. Below is a box for activating ‘Advanced options’. The ‘Create’ button is located directly underneath.

Step 8
Click on Create.

Step 9
Copy the code under Token secret. You will need it in Step 14. Do not share the token secret with anyone else.

Screenshot showing the ‘verify token’ page. Beneath ‘Token secret’ is a code consisting of letters and numbers. Copy this code for a later step.

Step 10
Keep the RWTH Token Manager open in the background. Navigate to the OTP configuration of your security key in the Manager app.

In the Yubico Authenticator via Slots.

Screenshot of the Yubico Authenticator. The “Slots” button for setting up the key is located beneath “Start, Accounts, Passkeys and Certificates”.

Step 11
Select one of the slots to configure it. A Yubikey has two configurable slots, one for a short tap and one for a long hold.

Please note:
If one slot is already being used for another application (e.g. Bitwarden or similar), you can select the other slot so that the existing configuration is not deleted. New Yubikeys have their first slot occupied by a Yubico OTP token; this slot can be overwritten.

Screenshot of the Yubico Authenticator, the menu item “Slots” is selected. The setup options are shown below. 1. “short touch” and 2. “long touch”.

Step 12
In the next window, select OATH-HOTP.

Screenshot of the Yubico Authenticator, the menu item “Slots” is selected. The “OATH-HOTP” option is located at the bottom of the page beneath the “Setup” heading.

Step 13
Paste the copied token secret into the corresponding Secret Key field in the Manager app.

Please note:
Make sure that the length of the one-time security codes in the Token Manager and in the Manager app is set to the same value. The default setting is 6 digits, which does not need to be changed.

Step 14
Click Save.

Screenshot of a pop-up with the title “OATH-HOTP”. The code, consisting of letters and numbers, is in a field labelled “Key”. Below this is a drop-down menu for setting the character length, which is preset to “6 digits”. The “Save” button is below this, at the end of the pop-up window.

Step 15
Return to the Token Manager and click in the gray area under "Security code".

Step 16
Tap on your security key with your finger.

For the Yubikey, tap on the circular recess with the Y on it.
If slot 1 has been selected in Step 11, tap once briefly; if slot 2 has been selected, press and hold the security key.

A code will be entered automatically in the field "Security Code".

Screenshot of the ‘verify token’ page. Below ‘Security code’ is an input window. This must be selected before the security key is entered. The ‘finish’ button is located below.

Step 17
By entering the security code, the process should be completed automatically and the overview of the tokens created should be displayed.
If this is not the case, click on Complete manually in the Token Manager.

Please note:
If you now receive an error message, an error has occurred somewhere in the process.

  • Please check again whether you have correctly tapped short (slot 1) or held long (slot 2).
  • If the error message persists, click Cancel and delete all tokens in the Token Manager overview that do not have a green plug symbol on the far right.
  • Then restart the process. Make sure that the length of the security code is the same in the Manager app and in the Token Manager.
  • In case of further problems please contact the IT-ServiceDesk.

3. Login with a security key

To use a security key for login with MFA, please proceed as follows:

Step 1
Insert the security key into a USB port of your device.

Step 2
When you are prompted to enter a one-time security code, tap the security key with your finger.

On the Yubikey, tap the circular recess with the Y on it.

  • If slot 1 has been set up, tap once briefly.
  • If slot 2 has been set up, press and hold the security key.

Step 3
A code is generated in the input field and the process is completed automatically.


4. Resync (optional)

A HOTP token generates a new code every time you activate it, regardless of whether you actually use the codes.
If several codes are generated in this way without being used for authentication, the counter stored on the server falls behind the counter on the key by more than the server tolerates, and authentication with this token may no longer work.
If you log in to the Token Manager with another token, such as the backup TAN list, you can usually restore the HOTP token by synchronizing it.

Step 1
Click on the button to the right of the token type on the overview page in the Token Manager.

Screenshot showing the IDM self-service, the ‘Token Manager (MFA)’ is selected. Existing token procedures can be found in a table. The ‘resync’ button is located in the same column as the type of token.

Step 2
Enter two one-time security codes generated directly one after the other in the fields (1) and (2) by clicking in the fields and tapping or holding your security key (depending on the configuration in step 11).

Screenshot of the ‘Resync token’ page. The first code is entered in the ‘code 1’ box and the second code in the ‘code 2’ box. The ‘Resync token’ button is located at the bottom of the page.

Step 3
Synchronization takes place automatically. If this is not the case, please click Resync token.
If the security key is still not accepted, you can delete it in the overview. This allows you to configure it again.
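The following is an added example, not code from the RWTH guide or the Token Manager: it implements RFC 4226 HOTP as the security key's slot computes it (which is why the digit length configured in step 7 and step 13 must match), models a server that accepts codes only within a small look-ahead window, and shows how the two consecutive codes from the Resync step let the server catch up after unused taps. The secret is the RFC 4226 test-vector secret; the window and search sizes are assumptions, not the Token Manager's actual settings.

```python
import hashlib, hmac, struct

RFC4226_TEST_SECRET = b"12345678901234567890"  # constructed input: RFC 4226 test-vector secret

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

class SecurityKey:
    """Models the key's slot: every tap advances the counter, whether or not the code is used."""
    def __init__(self, secret: bytes, digits: int = 6):
        self.secret, self.digits, self.counter = secret, digits, 0
    def tap(self) -> str:
        code = hotp(self.secret, self.counter, self.digits)
        self.counter += 1
        return code

class HotpVerifier:
    """Hypothetical server side: accepts a code only within a look-ahead window past its counter."""
    def __init__(self, secret: bytes, digits: int = 6, window: int = 10):  # window size assumed
        self.secret, self.digits, self.window, self.counter = secret, digits, window, 0
    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1  # move past the used counter so the code cannot be replayed
                return True
        return False
    def resync(self, code1: str, code2: str, search: int = 100_000) -> bool:
        """Two consecutive codes pin the counter far beyond the normal window (Resync, step 2)."""
        for c in range(self.counter, self.counter + search):
            if (hmac.compare_digest(hotp(self.secret, c, self.digits), code1)
                    and hmac.compare_digest(hotp(self.secret, c + 1, self.digits), code2)):
                self.counter = c + 2
                return True
        return False

def simulate_desync_and_resync(unused_taps: int = 50) -> tuple:
    """Returns (rejected_before_resync, resync_succeeded, accepted_after_resync)."""
    key, server = SecurityKey(RFC4226_TEST_SECRET), HotpVerifier(RFC4226_TEST_SECRET)
    for _ in range(unused_taps):  # codes generated but never submitted, e.g. accidental touches
        key.tap()
    rejected = not server.verify(key.tap())  # key counter is now far outside the window
    resynced = server.resync(key.tap(), key.tap())  # two codes generated directly one after the other
    accepted = server.verify(key.tap())
    return rejected, resynced, accepted
```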


Please contact the IT-ServiceDesk if you experience any further problems.

last changed on 07/14/2025


This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License.