FAQ - Multifactor-Authentication (MFA)

MFA is mandatory for the following services:

• RWTH Single Sign-On
  • MFA is set up in the Token Manager in the IdM Selfservice
  • Guide: MFA for Single Sign-On
• VPN
  • MFA is set up in the Token Manager in the IdM Selfservice.
  • Guide: MFA for VPN
• HPC
  • MFA is set up in the RegApp.
  • Guide: MFA with RegApp

MFA is optional for the following services:

• M365
  • MFA is set up in the M365 account.
  • Guide:  MFA for M365
• sciebo
  • MFA is set up in the sciebo web interface. 
  • Guide: Authenticator-App (TOTP) for sciebo
• GitLab
  • MFA is set up in the GitLab account. 
  • Guide: Authenticator App (TOTP) for GitLab.

The following token types are currently supported. Several or all token types can be used simultaneously:

• Hardware token
  • for VPN and RWTH Single Sign-On (HOTP) *
  • for RWTH Single Sign-On (WebAuthN/FIDO2) * 
• Biometric data
  • as hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)
• Authenticator App
  • for mobile devices (TOTP) *
  • for laptops and fixed computers (TOTP) *
• TAN- List (one-time security code)
  • Must be created once to set up multi-factor authentication
  • Only recommended as a backup token
• Email
  • Cannot be used as a second factor for VPN use
  • Can still be used as a second factor for RWTH Single Sign-On login

*Recommended for use.

• To be able to use all token types for multifactor authentication, a hardware token must support at least the HOTP and WebAuthn/FIDO2 protocols.
  • HOTP for use as a hardware token for VPN and RWTH Single Sign-On (HOTP)
  • WebAuthn/FIDO2 for use as a hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)
    • Alternatively, a mobile device that can capture biometric data can be used as a hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)
• With the HOTP protocol, only one of the two token types can be created, but all RWTH services with multifactor authentication can be accessed. A hardware token that only supports the HOTP protocol is theoretically sufficient.
   
• The manufacturer of the hardware token does not matter.
  • YubiKeys, Nitrokeys (Pro 2 and 3) and selected Feitian Keys are examples of hardware security keys that can be used.
• Additional software may need to be downloaded to link the hardware token to the token manager. In case of complications, please contact the provider.

Employees of RWTH Aachen University can obtain YubiKeys, hardware tokens of the Yubiko brand, from their institution, given that it provides hardware tokens and still has them in stock.

Please contact your supervisor or a person with the role “Bestellung IT” (Order IT) at your institution.

In addition to the YubiKeys provided, you can also use your own security keys. The manufacturer does not matter.
Please ensure that the security keys you purchase yourself support at least the HOTP and WebAuthn/FIDO2 protocols if you want to use them for all protected RWTH services.

The following hardware token standards are currently offered at RWTH:

• Hardware token for VPN (HOTP)
• Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)

Hardware tokens are based on various technical standards. 

WebAuthn/FIDO2 is the most widely used standard for web services and is therefore used for the RWTH Single Sign-On.

For technical reasons, this standard cannot be used for VPN. For this reason, the HOTP (HMAC-based One-time Password Algorithm) standard was also introduced in order to be able to protect VPNs with the most secure token currently available.

Unfortunately, it is currently not possible to set a token as the default.

However, the last token used for RWTH Single Sign-On is stored in a cookie in your browser and then preselected in the drop-down menu when you log in again.

For this to work reliably (even after a browser restart), you need to adjust your browser settings.

Microsoft Edge

1. Log in to an SSO-protected platform (such as Selfservice or RWTHmoodle).
2. Select the token you want to set as the default from the drop-down menu.
3. Click the three dots in the upper right corner.
4. Click Settings.
5. Click Privacy, search, and services.
6. Click Choose what to clear every time you close the browser.
7. Click Cookies and other site data.
8. Click Add next to "Don't clear".
9. Under "Add site", type: https://sso.rwth-aachen.de

Firefox

1. Log in to an SSO-protected platform (such as Selfservice or RWTHmoodle).
2. Select the token you want to set as the default from the drop-down menu.
3. Click the three lines at the top right.
4. Click Settings.
5. Click Privacy & Security.
6. Under "Cookies and Site Data", click Manage exceptions.
7. Under "Adress of website", type: https://sso.rwth-aachen.de
8. Click Allow.
9. Click Save Changes.

Some services such as GitLab offer the configuration of a second factor in the service itself.

If the service authenticates via RWTH Single-Sign-On, the IdentityProvider first asks for the user name and password and a second factor.

This is followed by the independent request for a second factor by the service itself.

If technically possible, the second factor can be deactivated in the respective service.

Why is my token not working?

A common reason why you can no longer use a token is that it is not valid. Reasons for this can be that:

• the token is deactivated, or
• an error has occured during setup, or
• all security codes have been used up when using the TAN list (one-time security codes), or
• an outdated token is used when using a hardware key. 

What can I do?

• If you have another token, you can delete the one that no longer works.
• If you don't have another token, please follow our Lost Token guide.

Important: Please always set at least two tokens so that you can reset any tokens that no longer work.