Security Key as Hardware Token for RWTH Single Sign-On (WebAuthn/FIDO2)
The hardware token for RWTH Single Sign-On (WebAuthn/FIDO2) is used with a physical (hardware) security key by default. Information on these security keys can be found here.
Setting up this token involves two parts, and both must be carried out: configuration in the Token Manager and verification outside the Token Manager.
- Requirements for the use of the hardware token
- Configuration in the Token Manager
- Verification outside the Token Manager
- Login with a security key
1. Requirements for the use of the hardware token
- You have a hardware security key (hardware token).
- Security keys compatible with both token types, “Hardware token for VPN and RWTH Single Sign-On (HOTP)” and “Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)”, include, for example, YubiKeys, Nitrokeys (Pro 2 and 3) and selected Feitian keys.
- To set up this token, the security key must at least support the WebAuthn/FIDO2 protocol.
2. Configuration in the Token Manager
Video tutorial on token setup for the RWTH Single Sign-On.
Step 1
Insert your security key into the USB slot of your PC.
Step 2
Go to the Token Manager.
Step 3
Log in with RWTH Single Sign-On.
Step 4
Click on the blue Create button at the bottom left of the Token Manager.
Step 5
Choose Hardware Token for RWTH Single Sign-On (WebAuthn/FIDO2).
Step 6
Click on Next.
Step 7
Enter a unique description for the security key (e.g. My hardware key). This helps you to differentiate between tokens, especially if you have created several tokens.
Step 8
Click on Create.
Step 9
Start the verification process for the hardware token in the credential manager or browser by clicking on Register.
3. Verification outside the Token Manager
By clicking on Register, you leave the Token Manager and must now confirm the token.
You can either carry out the verification with a Credential Manager or do this in the browser on your end device. How you proceed is up to you, but may vary depending on the end device.
The following instructions provide examples of verification:
Verification using Windows credential manager
Step 1
To set up your hardware token, please follow the on-screen instructions.
Step 2
If the data is correct, confirm with OK.
Step 3
Whether a PIN is required depends on whether and how the hardware key was previously set up.
If you are prompted to enter your PIN, enter the secure PIN you chose previously.
Step 4
If the data is correct, confirm with OK.
Step 5
Then follow the instructions on the screen and tap the security key with your hand.
On the YubiKey, tap the circular golden recess with the Y on it.
If your operating system does not have its own credential manager, such as that of Windows, the tokens are set up by your web browser.
Verification using Firefox
Step 1
Do not anonymize your data in the first step, otherwise the token setup will fail.
Step 2
Then click on Proceed.
Step 3
The hardware key can now be connected to the system.
Whether a PIN is required depends on whether and how the hardware key was previously set up.
If you are prompted to enter a PIN, enter the secure PIN you have chosen yourself.
Step 4
Then click on Sign in.
Step 5
Complete the process by tapping the security key.
On the YubiKey, tap the circular golden recess with the Y on it.
Verification using Chrome
Step 1
If there is no key connected to the system yet, you will be asked for the type of device to be used. Please select USB security key.
Step 2
Then follow the instructions on your screen.
4. Login with a security key
To use a security key for login with MFA, please proceed as follows:
Step 1
Insert the security key into the USB port of your device.
Step 2
When the application prompts you to enter a one-time security code, tap the security key with your finger.
On the YubiKey, tap the circular golden recess with the Y on it.
- If slot 1 (left) has been set up, tap once briefly.
- If slot 2 (right) has been set up, press and hold the security key.
Step 3
A code is generated in the input field and the process is completed automatically.
Please contact the IT-ServiceDesk if you experience any further problems.