Biometric data as Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)

The hardware token for RWTH Single Sign-On (WebAuthn/FIDO2) can alternatively be used with end devices that offer biometric fingerprint or face recognition. Please check first whether your end device supports these functions.
Setting up this token involves two parts: the setup in the Token Manager and a verification outside the Token Manager. Both must be carried out.

  1. Requirements for the use of the hardware token
  2. Configuration in the Tokenmanager
  3. Device configuration

1. Requirements for the use of the hardware token

  • You have an end device with options for biometric fingerprint or facial recognition
  • To set up this token, your end device must at least support the WebAuthn/FIDO2 protocol. On most end devices, the biometric functions fulfil this requirement.
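
One way to check these requirements before starting the setup, as an added example that is not part of the RWTH guide: the function below can be pasted into the browser console on the device you plan to use. The function name and the shape of the returned object are hypothetical; `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` is the standard WebAuthn capability query.

```javascript
// Added example, not part of the RWTH guide. The function name and the shape
// of the returned object are hypothetical; the WebAuthn calls are standard.
async function checkBiometricTokenSupport(env = globalThis) {
  const result = {
    secureContext: env.isSecureContext === true,
    webauthn: false,
    platformAuthenticator: false,
    reason: "",
  };

  // Browsers expose WebAuthn only on secure origins (HTTPS or localhost).
  if (!result.secureContext) {
    result.reason = "Not a secure context; open the page over HTTPS.";
    return result;
  }

  // PublicKeyCredential is the entry point of the WebAuthn API.
  const pkc = env.PublicKeyCredential;
  if (pkc == null) {
    result.reason = "This browser does not support WebAuthn/FIDO2.";
    return result;
  }
  result.webauthn = true;

  // Older browsers implement WebAuthn without this capability query.
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    result.reason = "Browser cannot report built-in authenticator support.";
    return result;
  }

  try {
    // True when a built-in authenticator with user verification
    // (fingerprint, face or device PIN) is available to this browser.
    result.platformAuthenticator =
      (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch (err) {
    result.reason = "Capability query failed: " + err.message;
    return result;
  }
  if (!result.platformAuthenticator) {
    result.reason = "No built-in user-verifying authenticator; set up biometrics first.";
  }
  return result;
}

// In a browser console: log the result for the current page.
if (typeof window !== "undefined") {
  checkBiometricTokenSupport(window).then((r) => console.log(r));
}
```

A result with `platformAuthenticator: true` means the browser can offer the built-in authenticator during registration; it does not show whether a fingerprint or face is actually enrolled, because the same query also returns true when only a device PIN is configured.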

2. Configuration in the Tokenmanager

Step 1
Use your end device with options for biometric fingerprint or facial recognition for the whole setup.

Step 2
Go to the Token Manager.

Step 3
Log in with RWTH Single Sign-On.

Step 4
Click on the blue Create button at the bottom left of the Token Manager.

Screenshot of the IDM self-service, the ‘Tokenmanager (MFA)’ is selected. The ‘Create’ button is located at the bottom of the page. Existing token procedures may be listed in a table above it.

Step 5
Choose Hardware Token for RWTH Single Sign-On (WebAuthn/FIDO2).

Screenshot for selecting the type of token. The different types are arranged in a table. ‘Hardware token for RWTH’ is in second place. This option must be selected; the ‘Next’ button is at the bottom of the page.

Step 6
Click on Next.

Step 7
Enter a unique description for the security key (e.g. Smartphone Touch/Face ID). This helps you to differentiate between tokens, especially if you have created several tokens.

Screenshot of the page for finalising the key. A name for the key must be assigned under ‘Description’. The ‘Create’ button is located directly underneath.

Step 8
Click on Create.

Step 9
Start the verification process for the hardware token in the credential manager or browser by clicking on Register.

Screenshot of the page for verifying the token. The ‘Register’ button is located below the information field.

3. Device configuration

Setup for Apple devices

By using Apple Touch ID or Face ID as a hardware token for RWTH Single Sign-On, secure login to RWTH services can be enabled without a separate hardware security key.

Please check first whether your device supports these functions.

  • Apple smartphones are best suited for this.
  • Apple computers that have fingerprint scanners (Mac computers with Magic Keyboard, Apple Chip and macOS Big Sur 11.4 or newer) can also be used for Touch ID.

If you already use the Apple Keychain function, you can integrate Touch ID or Face ID as a hardware token for RWTH Single Sign-On (WebAuthn/FIDO2) as follows:

Step 1
Select an end device on which Touch ID and/or Face ID is already set up or can be set up.

Step 2
If this has not yet been done, the Touch ID or Face ID function must be activated in the system settings.

  • For macOS devices: Select the Apple menu (apple icon) > System Preferences > Touch ID & Password
  • For iOS devices:
    • For Touch ID: Select Settings (gear icon) > Touch ID & Code > Configure Touch ID
    • For Face ID: Select Settings (gear icon) > Face ID & Code > Configure Face ID

Step 3
Follow the respective instructions on the screen of your end device. The required biometric data (fingerprints or facial images) must be added.

Step 4
Once this is complete, call up the Token Manager on the respective end device and follow the steps under Configuration in the Tokenmanager.
As soon as you have started the registration, continue with the next step here.

Step 5
After you have clicked on Register, a new window opens in which you can select a device for your passkey.
Select Apple Keychain here, or if this is not possible, select This device.

Screenshot of the Apple device. The login pop-up has a ‘Continue’ button at the bottom.

Step 6
Follow the instructions displayed on the screen.
It may be necessary to place your finger on the Touch ID sensor or face the camera.

After confirmation, the overview in the token manager is displayed again and the token is now set up.

The next time you log in to an RWTH service, you must select the Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2) option.
Authentication is then carried out using the previously set up fingerprint or facial image.

Setup for Android devices

By using the biometric fingerprint or facial recognition of Android as a hardware token for the RWTH Single Sign-On, a secure login to RWTH services can be enabled without a separate hardware security key.
Please check first whether your device supports these functions.
You can integrate biometric fingerprint or facial recognition as a hardware token for RWTH Single Sign-On (WebAuthn/FIDO2) as follows:

Step 1
Select an end device on which biometric fingerprint or facial recognition is already set up or can be set up.

Step 2
If this has not yet been done, the biometric fingerprint or facial recognition function must be activated in the system settings.

Select Settings (gear icon) > Security and privacy, and then select Biometric data under the Additional security settings tab.

  • Either select Fingerprints
  • Or select Face recognition

Step 3
Follow the instructions on the screen of your device. The required biometric data (fingerprints or facial images) must be added.

Step 4
Once this is complete, call up the Token Manager on the respective end device and follow the steps under Configuration in the Tokenmanager.
As soon as you have started the registration, continue with the next step here.

Step 5
After you have clicked on Register, a new window opens in which you can select a device for your passkey.
Select This device here.

Screenshot of the Android device. The selection of devices for your passkey has four options: ‘NFC security key’, ‘USB security key’, ‘Other smartphone or tablet’ and ‘This device’.

Step 6
Follow the instructions displayed on the screen.
It may be necessary to place your finger on the fingerprint sensor / screen or face the camera.

After confirmation, the overview in the token manager is displayed again and the token is now set up.

The next time you log in to an RWTH service, you must select the Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2) option.
Authentication is then carried out using the previously set up fingerprint or facial image.


 

Please contact the IT-ServiceDesk if you experience any further problems.

last changed on 05/26/2025

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License