FAQ - Multifactor-Authentication (MFA)

A token, or more specifically a "security token", is an object or device that generates a one-time security code.

You use the token in combination with a password to log in.

The password is your first authentication factor. The token is your second authentication factor.

This is called multifactor-authentication (MFA) and is more secure than using just a password.

There are several types of tokens.

For more information, see General Information on MFA.

Currently, the following token types are supported:

• The hardware token for VPN and RWTH Single Sign-On (HOTP)* (HOTP - HMAC-based One-time Password Algorithm) is used at RWTH with a hardware key such as YubiKey. It can be used for RWTH Single Sign-On as well as for VPN. To use a hardware key for the "Hardware token for VPN and RWTH Single Sign-On (HOTP)", a corresponding manager app (e.g. YubiKey Manager) must be installed on the PC and set up with the token manager. The configuration is then carried out according to the instructions in the app and the Selfservice via the token manager. The hardware token is currently the most secure second factor at RWTH Aachen University.
• The hardware token for RWTH Single Sign-On (WebAuthN/FIDO2)* is used with a hardware key such as YubiKey. To use it, simply insert the key into the usb slot in your PC during the set up in the Selfservice and then follow the instructions on the screen. The hardware token is currently the most secure second factor at RWTH Aachen University.
• The Token Authenticator App, e.g. for smartphones (TOTP) (TOTP - Time-based One-time Password), requires a corresponding app to which the token is linked. This app is then used to continuously generate one-time security codes which expire after a certain amount of time (e.g. 30 seconds). It should be noted that different TOTP apps support different one-time security codes character lengths and hash algorithms.
• The TAN list (one-time security code) contains a list of one-time security codes. The individual one-time security codes are invalid after they have been used and cannot be used again. This list has to be set up for the use of MFA and saved separately. The one-time security codes are only meant as a backup solution in case other tokens can no longer be used (e.g. loss of device or e-mail address) and are not intended for daily use. The list itself is protected with a password, which must be selected and set when the token is created. The password cannot be viewed or changed afterwards.
• When using the e-mail token, you will be sent a one-time security code when you log in. This code is valid for 15 miutes.

*Recommended for use

MFA is mandatory for the following services:

• RWTH Single Sign-On
  • MFA is set up in the Token Manager in the IdM Selfservice
  • Guide: MFA for Single Sign-On
• VPN
  • MFA is set up in the Token Manager in the IdM Selfservice.
  • Guide: MFA for VPN
• HPC
  • MFA is set up in the RegApp.
  • Guide: MFA with RegApp

MFA is optional for the following services:

• M365
  • MFA is set up in the M365 account.
  • Guide:  MFA for M365
• sciebo
  • MFA is set up in the sciebo web interface. 
  • Guide: Authenticator-App (TOTP) for sciebo
• GitLab
  • MFA is set up in the GitLab account. 
  • Guide: Authenticator App (TOTP) for GitLab.

For RWTH Single Sign-On
You can set up your tokens via the Token Manager in the IdM Selfservice 

For VPN
You can set up your tokens via the Token Manager in the IdM Selfservice. 

For the HPC cluster
You can set up your tokens via the RegApp.

Unfortunately, it is currently not possible to set a token as the default.

However, the last token used for RWTH Single Sign-On is stored in a cookie in your browser and then preselected in the drop-down menu when you log in again.

For this to work reliably (even after a browser restart), you need to adjust your browser settings.

Microsoft Edge

1. Log in to an SSO-protected platform (such as Selfservice or RWTHmoodle).
2. Select the token you want to set as the default from the drop-down menu.
3. Click the three dots in the upper right corner.
4. Click Settings.
5. Click Privacy, search, and services.
6. Click Choose what to clear every time you close the browser.
7. Click Cookies and other site data.
8. Click Add next to "Don't clear".
9. Under "Add site", type: https://sso.rwth-aachen.de

Firefox

1. Log in to an SSO-protected platform (such as Selfservice or RWTHmoodle).
2. Select the token you want to set as the default from the drop-down menu.
3. Click the three lines at the top right.
4. Click Settings.
5. Click Privacy & Security.
6. Under "Cookies and Site Data", click Manage exceptions.
7. Under "Adress of website", type: https://sso.rwth-aachen.de
8. Click Allow.
9. Click Save Changes.

The following hardware token standards are currently offered at RWTH:

• Hardware token for VPN (HOTP)
• Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)

Hardware tokens are based on various technical standards. 

WebAuthn/FIDO2 is the most widely used standard for web services and is therefore used for the RWTH Single Sign-On.

For technical reasons, this standard cannot be used for VPN. For this reason, the HOTP (HMAC-based One-time Password Algorithm) standard was also introduced in order to be able to protect VPNs with the most secure token currently available.

One-time security codes (also known as security passwords or codes) are sequences of numbers and/or letters that are requested during authentication by a 2nd factor. The are "one-time" codes because they lose their validity due to e.g. a fixed sequence or a short lifespan.

A security key, also known as a hardware key, is a stand-alone object, often in the form of a USB stick or card, which is explicitly intended to serve as a token. Different keys support different token types (WebAuthn/FIDO2, HOTP, TOTP, etc.) and also different methods of issuing the codes (via NFC, only after confirmation of the fingerprint, etc.). A key can be registered and used as several tokens (e.g. for several services and/or as a WebAuthn and HOTP token at the same time).

For some token types, the service and the token must be matched so that authentication can work.

This is done by exchanging a "token secret", e.g. via a QR code, a character string or direct communication between the server and the end device. This is effectively a complicated password.

It is then used by the token device to generate the correct codes and by the server to verify the codes.

Why is my token not working?

A common reason why you can no longer use a token is that it is not valid. Reasons for this can be that:

• the token is deactivated, or
• an error has occured during setup, or
• all security codes have been used up when using the TAN list (one-time security codes), or
• an outdated token is used when using a hardware key. 

What can I do?

• If you have another token, you can delete the one that no longer works.
• If you don't have another token, please follow our Lost Token guide.

Important: Please always set at least two tokens so that you can reset any tokens that no longer work. 

Some services such as GitLab offer the configuration of a second factor in the service itself.

If the service authenticates via RWTH Single-Sign-On, the IdentityProvider first asks for the user name and password and a second factor.

This is followed by the independent request for a second factor by the service itself.

If technically possible, the second factor can be deactivated in the respective service.