
Hardware Token for VPN and RWTH Single Sign-On (HOTP)

The Hardware token for VPN and RWTH Single Sign-On (HOTP) is used with an external hardware component, a security key (e.g. Yubikey). Just like the "Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)", it is detached from the end device used and is therefore currently the most secure type of token at RWTH Aachen University. 

The security key generates a one-time password with which you are forwarded to the desired service. The one-time password is not time-limited, but is restricted to the security key used.

Note: Not all security keys are compatible with both "Hardware token for VPN and RWTH Single Sign-On (HOTP)" and "Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)". Compatible keys include, for example, Yubikeys, Nitrokeys (Pro 2 and 3) and selected Feitian keys.

You can use the token if you meet the following requirements:

  • You have a security key.
  • You have installed a corresponding manager app (e.g. YubiKey Manager).

This token type can be used for authentication of the following services:

  • RWTH Single Sign-On.
  • VPN.

To configure this type of token, please choose "Hardware token for VPN and RWTH Single Sign-On (HOTP)" in the Token Manager in IdM Selfservice.

  • Step 1: Insert your security key into the USB slot of your PC.
  • Step 2: Select a unique description for the security key (e.g. My HOTP key for VPN) and enter the description in the corresponding field in the token manager.
  • Generate a secret code to link your security key (e.g. Yubikey) to the Token Manager. Follow the instructions in the app. (Instructions for setting up a Yubikey)
  • Step 3: Click on "Create" in the Token Manager.

  • Step 4: Copy the "secret" from the token manager into your app.
  • Step 5: Follow the instructions on the screen in your app.

Important: The length of the security codes in the Token Manager and in the app must be set identically.

  • Step 6: In the Selfservice, click with the mouse in the "Security code" field and tap on your security key. A code will automatically appear in the field, which is needed to confirm the token.
  • Step 7: Click on "Complete" in the Selfservice.

Resync:

If no security code is generated when the token is used, you must synchronize the token in the token manager.

To do this, click on the button to the right of the token type on the overview page in the Token Manager. You must then enter two security codes generated in direct succession in the fields by clicking in the fields and tapping on your security key. Synchronization takes place automatically.
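
The following added example (not RWTH's or the Token Manager's code) sketches in Python how a counter-based HOTP verifier following RFC 4226 behaves on the two points above: the code length must match on both sides, and a resync searches ahead for two codes generated in direct succession. The function names, the window sizes and the sample secret (the RFC 4226 test secret) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 Appendix D test secret, not a real token secret.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, server_counter, code, digits=6, window=10):
    """Normal login: accept a code only within a small look-ahead window.
    Returns the new server counter, or None if nothing matched."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1  # this counter and all earlier ones are now spent
    return None

def resync(secret, server_counter, code1, code2, digits=6, search=1000):
    """Resync: search much further ahead, but require two consecutive codes,
    so a chance match on a single code cannot move the counter."""
    for c in range(server_counter, server_counter + search):
        if (hmac.compare_digest(hotp(secret, c, digits), code1)
                and hmac.compare_digest(hotp(secret, c + 1, digits), code2)):
            return c + 2
    return None

if __name__ == "__main__":
    # The key was tapped outside a login form: key counter 8, server still 0.
    code8, code9 = hotp(SECRET, 8), hotp(SECRET, 9)
    print("login, window 3:", verify(SECRET, 0, code8, window=3))
    print("resync:", resync(SECRET, 0, code8, code9))
    # Length mismatch: key set to 8 digits, server expects 6.
    print("8-digit code vs 6-digit server:", verify(SECRET, 0, hotp(SECRET, 0, 8)))
```

Because the counter only moves forward, every tap on the key outside a login form widens the gap between key and server; the two-code requirement is what makes the wide resync search safe.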

In case of further problems, please contact the IT-ServiceDesk.

last changed on 02/21/2024


This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License