Security Key as Hardware Token for RWTH Single Sign-On (WebAuthn/FIDO2)

The hardware token for RWTH Single Sign-On (WebAuthn/FIDO2) is used with a physical (hardware) security key by default.
This token requires initialisation in the Token Manager and verification outside of it.

  1. Requirements for using a hardware token
  2. Configuration in the Token Manager
  3. Verification outside the Token Manager
  4. Login with a security key

1. Requirements for using a hardware token

  • You have a hardware security key (hardware token).
    • Security keys compatible with both token types, “Hardware token for VPN and RWTH Single Sign-On (HOTP)” and “Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)”, include YubiKeys, Nitrokeys (Pro 2 and 3) and selected Feitian keys.
    • Support for the WebAuthn/FIDO2 protocol is a minimum requirement for setting up this token.

2. Configuration in the Token Manager

Video tutorial on token setup for the RWTH Single Sign-On.

Step 1
Insert your security key into a USB slot of your PC.

Step 2
Open the Token Manager.

Step 3
Log in with RWTH Single Sign-On.

Step 4
Click on the blue Create button at the bottom left of the Token Manager.

Screenshot of the IDM self-service, the ‘Tokenmanager (MFA)’ is selected. The ‘Create’ button is located at the bottom of the page. Existing token procedures may be listed in a table above it.

Step 5
Choose Hardware Token for RWTH Single Sign-On (WebAuthn/FIDO2).

Screenshot for selecting the type of token. The different types are arranged in a table. “Hardware token for RWTH” is in the second place. This option must be selected, the ‘Next’ button is at the bottom of the page.

Step 6
Click on Next.

Step 7
Enter a unique description for the security key (e.g. My hardware key). This helps you to differentiate between tokens, especially if you have created several.

Screenshot of the page for finalising the key. A name for the key must be assigned under ‘Description’. The ‘Create’ button is located directly underneath.

Step 8
Click on Create.

Step 9
Start the verification process for the hardware token in the Credential Manager or browser by clicking on Register.

Screenshot of the page for verifying the token. The ‘Register’ button is located below the information field.

3. Verification outside the Token Manager

By clicking on Register, you leave the Token Manager and must now confirm the token.
You can either carry out the verification with a Credential Manager or do it in the browser on your end device. How you proceed is up to you, but options may vary depending on the end device.
The following instructions provide examples of verification:

Verification using Windows Credential Manager

Step 1
To set up your hardware token, please follow the on-screen instructions.

Screenshot of the ‘Windows-Sicherheit’ window. The ‘OK’ button is located at the end of the pop-up.

Step 2
If the data is correct, confirm with OK.

Screenshot of the ‘Windows-Sicherheit’ window. The ‘OK’ button is located at the end of the pop-up.

Step 3
If the hardware key was previously used, it might require a PIN code.
If the PIN is required, enter it and confirm with OK.

Screenshot of the ‘Windows Security’ window, which prompts you to enter your PIN. The ‘OK’ button is located at the end of the pop-up.

Step 4
Follow the instructions on screen and tap the security key.
On the YubiKey, tap the circular recess with the Y.

Screenshot of the ‘Windows Security’ window, which prompts you to activate the security key.

If your operating system does not have its own version of the Credential Manager, the tokens are set up by your web browser.

Verification using Firefox

Step 1
Do not anonymize your data in the first step, otherwise the token setup will fail.

Screenshot showing the setup pop-up. Proceed is located at the end of the pop-up.

Step 2
Click on Proceed.

Step 3
If the hardware key was previously used, it might require a PIN code.
If the PIN is required, enter it and confirm with Sign in.

Screenshot of the pop-up window that prompts you to enter your PIN. The ‘sign in’ button is located at the end of the pop-up.

Step 4
Complete the process by tapping the security key.
On the YubiKey, tap the circular recess with the Y.

Screenshot of the pop-up window that prompts you to activate the security key.

Verification using Chrome

Step 1
If there is no key connected to the system yet, you will be asked for the type of device to be used. Please select USB security key.

Screenshot of the ‘Create passkey’ window. The ‘USB security key’ button is the second selection option.

Step 2
Then follow the instructions on your screen.

4. Login with a security key

To use a security key for login with MFA, please proceed as follows:

Step 1
Insert the security key into a USB port of your device.

Step 2
When the application prompts you to enter a one-time security code, tap the security key with your finger.

On the YubiKey, tap the circular recess with the Y.

  • If slot 1 has been configured, tap once briefly.
  • If slot 2 has been configured, press and hold the security key.

Step 3
A code is generated and the process is completed automatically.

Please contact the IT-ServiceDesk if you experience any further problems.

last changed on 07/14/2025

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License