IT Center Help

IT Security
Multifactor Authentication (MFA)
FAQ

FAQ - Multifactor Authentication (MFA)

FAQ - Multifactor Authentication (MFA)

Which services are protected by MFA?

MFA is mandatory for the following services:

RWTH Single Sign-On
- MFA is set up in the Token Manager in the IdM Selfservice
- Guide: MFA for Single Sign-On
VPN
- MFA is set up in the Token Manager in the IdM Selfservice.
- Guide: MFA for VPN
HPC
- MFA is set up in the RegApp.
- Guide: MFA with RegApp

MFA is optional for the following services:

M365
- MFA is set up in the M365 account.
- Guide: MFA for M365
sciebo
- MFA is set up in the sciebo web interface.
- Guide: Authenticator-App (TOTP) for sciebo
GitLab
- MFA is set up in the GitLab account.
- Guide: Authenticator App (TOTP) for GitLab.

last changed on 12/11/2024

How did this content help you?

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License

Share this FAQ

Which tokens are usable?

The following token types are currently supported. Several or all token types can be used simultaneously:

Hardware token
- for VPN and RWTH Single Sign-On (HOTP) *
- for RWTH Single Sign-On (WebAuthN/FIDO2) *
Biometric data
- as hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)
Authenticator App
- for mobile devices (TOTP) *
- for laptops and fixed computers (TOTP) *
TAN- List (one-time security code)
- Must be created once to set up multi-factor authentication
- Only recommended as a backup token
Email
- Cannot be used as a second factor for VPN use
- Can still be used as a second factor for RWTH Single Sign-On login

*Recommended for use.

last changed on 05/15/2025

How did this content help you?

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License

Share this FAQ

Which hardware tokens can be used?

A hardware token must support the HOTP and WebAuthn/FIDO2 protocols to be used for every type of multifactor authentication.
- HOTP for use as a hardware token for VPN and RWTH Single Sign-On (HOTP).
- WebAuthn/FIDO2 for use as a hardware token for RWTH Single Sign-On (WebAuthn/FIDO2).
  - Alternatively, a mobile device that can capture biometric data can be used as a hardware token for RWTH Single Sign-On (WebAuthn/FIDO2).
With the HOTP protocol only one of the two token types can be created, but all RWTH services with multifactor authentication can be accessed. A hardware token that only supports the HOTP protocol is theoretically sufficient.
The manufacturer of the hardware token does not matter.
- YubiKeys, Nitrokeys (Pro 2 and 3) and selected Feitian Keys are examples of hardware security keys that can be used.
Additional software may need to be downloaded to link the hardware token to the Token Manager. In case of complications, please contact the provider.

last changed on 07/14/2025

How did this content help you?

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License

Share this FAQ

How do I obtain a hardware token?

Employees of RWTH Aachen University can obtain YubiKeys, hardware tokens of the Yubiko brand, from their institution, given that it provides hardware tokens and still has them in stock.

Please contact your supervisor or a person with the role “Bestellung IT” (Order IT) at your institution.

In addition to the YubiKeys provided, you can also use your own security keys. The manufacturer does not matter.
Please ensure that the security keys you purchase yourself support at least the HOTP and WebAuthn/FIDO2 protocols if you want to use them for all protected RWTH services.

last changed on 05/15/2025

How did this content help you?

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License

Share this FAQ

Why are there different hardware tokens?

The following hardware token standards are currently offered at RWTH:

Hardware token for VPN (HOTP)
Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)

Hardware tokens are based on various technical standards.

WebAuthn/FIDO2 is the most widely used standard for web services and is therefore used for the RWTH Single Sign-On.

For technical reasons, this standard cannot be used for VPN. For this reason, the HOTP (HMAC-based One-time Password Algorithm) standard was also introduced in order to be able to protect VPNs with the most secure token currently available.

last changed on 12/11/2024

How did this content help you?

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License

Share this FAQ

How do I set a token as the default?

Unfortunately, it is currently not possible to set a token as the default.

However, the last token used for RWTH Single Sign-On is stored in the cache of your browser and then preselected in the drop-down menu when you log in again.

For this to work reliably (even after a browser restart), you need to adjust your browser settings.

Microsoft Edge

Log in to an SSO-protected platform (such as Selfservice or RWTHmoodle).
Select the token you want to set as the default from the drop-down menu.
Click the three dots in the upper right corner.
Click Settings.
Click Privacy, search, and services.
Click Choose what to clear every time you close the browser.
Click Cookies and other site data.
Click Add next to "Don't clear".
Under "Add site", type: https://sso.rwth-aachen.de

Firefox

Log in to an SSO-protected platform (such as Selfservice or RWTHmoodle).
Select the token you want to set as the default from the drop-down menu.
Click the three lines at the top right.
Click Settings.
Click Privacy & Security.
Under "Cookies and Site Data", click Manage exceptions.
Under "Adress of website", type: https://sso.rwth-aachen.de
Click Allow.
Click Save Changes.

last changed on 09/09/2025

How did this content help you?

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License

Share this FAQ

Why am I asked twice for a second factor in some services?

Some services such as GitLab offer the configuration of a second factor in the service itself.

If the service authenticates via RWTH Single-Sign-On, the IdentityProvider first asks for the user name and password and a second factor.

This is followed by the independent request for a second factor by the service itself.

If technically possible, the second factor can be deactivated in the respective service.

last changed on 03/04/2025

How did this content help you?

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License

Share this FAQ

Why does the password that I set not work as a one-time-password for MFA?

When creating a TAN list, you are required to set a password. This password serves to open the PDF document containing your TAN list, which should be downloaded to your device.

The password itself does not work as a one-time-password when using MFA! Please use one of the numerical codes from your TAN list instead.

last changed on 09/12/2025

How did this content help you?

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License

Share this FAQ

My tokens are not working. What do I do?

Why is my token not working?

A common reason why you can no longer use a token is that it is not valid. Reasons for this can be that:

the token is deactivated, or
an error has occured during setup, or
all security codes have been used up when using the TAN list (one-time security codes), or
an outdated token is used when using a hardware key.

What can I do?

Try the last code if you are using a TAN list.
If you have another token, you can delete the one that no longer works.
If you don't have another token, please follow our Lost Token guide.

Important: Please always set at least two tokens so that you can reset any tokens that no longer work.

last changed on 09/12/2025

How did this content help you?

This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License

Share this FAQ