Hardware Token for VPN and RWTH Single Sign-On (HOTP)
The hardware token for VPN and RWTH Single Sign-On (HOTP) is used with a physical security key (e.g. YubiKey).
Requirements for using the hardware token:
- You have a hardware security key (hardware token).
- YubiKeys, Nitrokeys (Pro 2 and 3) and selected Feitian keys are compatible with both "Hardware token for VPN and RWTH Single Sign-On (HOTP)" and "Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)".
- To set up this token, the security key must at least support the OTP (one-time password) protocol.
- You have installed a corresponding manager app (e.g. YubiKey Manager).
Video tutorial on token setup for VPN.
Step 1
Insert your security key into the USB slot of your PC.
Step 2
Go to the Token Manager.
If you have already set up one or more tokens, you will be asked to enter a one-time security code.
Please select the token you wish to use from the drop-down menu and enter the corresponding one-time security code.
Step 3
Then click on Next.
Step 4
Click on the blue Create button at the bottom left of the Token Manager.
Step 5
Choose Hardware token for VPN and RWTH Single Sign-On (HOTP).
Step 6
Then click on Next.
Step 7
Enter a unique description for the security key (e.g. My HOTP key for VPN).
This helps you to differentiate between tokens, especially if you have created several tokens.
You can adjust the length of the security code under Advanced options. The default setting is 6 characters, which does not need to be changed.
Just make sure that the length of the one-time security codes is set to the same value in the Token Manager and in the Manager app.
Step 8
Then click on Create.
Step 9
Copy the code under Token secret and navigate to the manager app for your security key. Keep the RWTH Token Manager open in the background.
Step 10
Navigate to the OTP configuration of your security key in the Manager app.
In the YubiKey Manager via Applications (1) > OTP (2).
Step 11
Then select Configure, either for slot 1 (left), which is triggered by a short tap, or for slot 2 (right), which is triggered by a long hold.
If one slot is already being used for another application (e.g. Bitwarden or similar), you can select the other slot so that the configuration is not deleted.
Step 12
In the next window, select OATH-HOTP.
Step 13
Paste the copied token secret into the corresponding field (1) in the Manager app.
Make sure that the length of the one-time security codes (2) is set to the same value in the Token Manager and in the Manager app.
The default setting is 6 characters, which does not need to be changed.
Step 14
Then click Finish.
Step 15
As soon as you have finished in the Manager app, return to the Token Manager and click in the gray area under Confirm token / Security code.
Now tap on your security key with your finger. For the YubiKey, tap on the circular golden recess with the Y on it.
If slot 1 (left) has been selected, tap once briefly; if slot 2 (right) has been selected, press and hold the security key.
A security code should be entered automatically, which is used to confirm the token.
Step 16
By entering the security code, the process should be completed automatically and the overview of the tokens created should be displayed.
If this is not the case, click on Complete manually in the Token Manager.
If you now receive an error message, an error has unfortunately occurred somewhere in the process. Please check again whether you have correctly tapped short (slot 1) or held long (slot 2).
If the error message persists, click Cancel and delete all tokens in the Token Manager overview that do not have a green plug symbol on the far right.
Then restart the process. Make sure that the length of the security code is the same in the Manager app and in the Token Manager.
In case of further problems please contact the IT-ServiceDesk.
To use a security key for MFA after successful setup, insert it into the USB port of your device and tap it with your finger when the application prompts you to enter a one-time security code.
On the YubiKey, tap the circular golden recess with the Y on it. If slot 1 (left) has been selected, tap once briefly; if slot 2 (right) has been selected, press and hold the security key.
If the one-time security codes of the security key no longer work for authentication, you can synchronize the hardware token in the Token Manager.
To do this, however, you need at least one other functioning token, usually the backup TAN list, to access the Token Manager.
Step 1
Click on the button to the right of the token type on the overview page in the Token Manager.
Step 2
Enter two one-time security codes generated directly one after the other in the fields (1) and (2) by clicking in the fields and tapping or holding your security key (depending on the configuration in step 15).
Step 3
Synchronization takes place automatically. If this is not the case, please click Resync token.
If the security key is still not accepted, you can still delete it in the overview, but you will then have to configure it again.
In case of further problems please contact the IT-ServiceDesk.
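Why codes stop working and why synchronization asks for two consecutive codes, as an added example that is not RWTH's or Yubico's code: OATH-HOTP (RFC 4226) derives each code from the token secret and a counter that advances on every tap, so taps the server never sees push the key ahead of the server. The HotpVerifier class, its window sizes and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class HotpVerifier:
    """Hypothetical server-side state for one token (window sizes are assumed)."""

    def __init__(self, secret, digits=6, look_ahead=3, resync_window=1000):
        self.secret, self.digits = secret, digits
        self.look_ahead, self.resync_window = look_ahead, resync_window
        self.counter = 0  # next counter value the server expects

    def _matches(self, counter: int, code: str) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter, self.digits), code)

    def verify(self, code: str) -> bool:
        # Normal login: only a small window ahead of the stored counter is tried.
        for c in range(self.counter, self.counter + self.look_ahead):
            if self._matches(c, code):
                self.counter = c + 1  # an accepted code cannot be replayed
                return True
        return False

    def resync(self, code1: str, code2: str) -> bool:
        # Wider search, but two consecutive codes must match, so a single
        # guessed code is not enough to move the counter.
        for c in range(self.counter, self.counter + self.resync_window):
            if self._matches(c, code1) and self._matches(c + 1, code2):
                self.counter = c + 2
                return True
        return False

def demo():
    secret = b"12345678901234567890"  # constructed sample: RFC 4226 test secret
    server = HotpVerifier(secret)
    key_counter = 7  # key was tapped 7 times without the server seeing a code
    stale = server.verify(hotp(secret, key_counter))            # outside window
    synced = server.resync(hotp(secret, key_counter),
                           hotp(secret, key_counter + 1))       # two taps in a row
    works_again = server.verify(hotp(secret, key_counter + 2))
    # Code length mismatch (8 digits on the server, 6 on the key) never verifies.
    mismatch = HotpVerifier(secret, digits=8).verify(hotp(secret, 0, digits=6))
    return stale, synced, works_again, mismatch
```

The last value returned by demo() shows why the setup steps insist on the same code length in the Token Manager and the Manager app.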