Setting up the first token
On this page you will learn how to set up your first token for multi-factor authentication (MFA) in the Token Manager.
This is necessary for the following accounts:
The MFA is set up in the following steps:
- Setting up the first token
- Setting up further tokens
- Assistance with the selection of the hardware token
Video tutorial on first steps in the Token Manager.
First call up the Token Manager.
When you open the Token Manager for the first time, you must first create a TAN list, download it and store it securely locally. The TAN list serves as a backup for resetting lost tokens and is necessary to generate additional tokens.
Make sure to generate a new TAN list before using the last code on your current list.
Please note:
If you cancel the generation of the TAN list, you will be locked out of the Token Manager and must visit the IT-ServiceDesk during opening hours with a valid ID document to verify your identity.
I. Choose "Create".
II. Choose "TAN list (one-time security codes)" and click "Next".
III. Enter a unique description for the list (e.g. My TAN list) and a password that complies with the RWTH password guidelines (at least 8 characters, at least 1 digit, at least 1 letter).
Please note:
After you have set your password, you cannot view or change it.
Click on "Create and Download" to save the TAN list on your device.
IV. Please make sure that your list has been saved to your device and can be opened. If you need to restart the download, you can do so by clicking "Download Again".
We strongly recommend that you immediately set up an additional type of token. To do so, you should choose "Next" to return to the list of available token types.
After you have created the first TAN list, click "Next" or "Create" to choose another type of token.
The following token types are available:
- Hardware token for VPN and RWTH Single Sign-On (HOTP)*
- Hardware token for RWTH Single Sign-On (WebAuthn/FIDO)*
- Authenticator App e.g. for Smartphone (TOTP)*
- TAN list (one-time security codes)
*Recommended for use
3. Assistance with the selection of the hardware token
- To protect both the RWTH Single Sign-On and VPN accounts simultaneously with just one hardware key, you must set up the "Hardware token for VPN and RWTH Single Sign-On (HOTP)".
- If you purchase a hardware key (e.g. YubiKey) yourself and want to use it for RWTH Single Sign-On and VPN at the same time, make sure that it at least supports the OTP protocol.
- The most secure standard for web services is WebAuthn/FIDO2, which can be set up with the "Hardware token for RWTH Single Sign-On".
- If you do not have a hardware key (e.g. YubiKey), use one of the other tokens.
In case of further problems please contact the IT-ServiceDesk.