FAQ - Multifactor-Authentication (MFA)
A token, or more specifically a "security token", is an object or device that generates a one-time security code.
You use the token in combination with a password to log in.
The password is your first authentication factor. The token is your second authentication factor.
This is called multifactor-authentication (MFA) and is more secure than using just a password.
There are several types of tokens.
For more information, see General Information on MFA.
last changed on 12/11/2024
Currently, the following token types are supported:
- The hardware token for VPN and RWTH Single Sign-On (HOTP)* (HOTP - HMAC-based One-time Password Algorithm) is used at RWTH with a hardware key such as YubiKey. It can be used for RWTH Single Sign-On as well as for VPN. To use a hardware key for the "Hardware token for VPN and RWTH Single Sign-On (HOTP)", a corresponding manager app (e.g. YubiKey Manager) must be installed on the PC and set up together with the Token Manager. The configuration is then carried out according to the instructions in the app and in the Selfservice via the Token Manager. The hardware token is currently the most secure second factor at RWTH Aachen University.
- The hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)* is used with a hardware key such as YubiKey. To use it, simply insert the key into the USB slot of your PC during setup in the Selfservice and then follow the instructions on the screen. The hardware token is currently the most secure second factor at RWTH Aachen University.
- The Token Authenticator App, e.g. for smartphones (TOTP) (TOTP - Time-based One-time Password), requires a corresponding app to which the token is linked. This app then continuously generates one-time security codes, each of which expires after a fixed time window (e.g. 30 seconds). Note that different TOTP apps support different one-time security code lengths and hash algorithms.
- The TAN list (one-time security code) contains a list of one-time security codes. The individual one-time security codes are invalid after they have been used or skipped and cannot be used again. This list has to be set up for the use of MFA and saved separately. The one-time security codes are primarily used as a backup solution in case other tokens can no longer be used (e.g. loss of device or e-mail address). The list itself is protected with a password, which must be selected and set when the token is created. The password cannot be viewed or changed afterwards.
- When using the e-mail token, you will be sent a one-time security code when you log in. This code is valid for 15 minutes.
*Recommended for use
MFA is mandatory for the following services:
- RWTH Single Sign-On
  - MFA is set up in the Token Manager in the IdM Selfservice.
  - Guide: MFA for Single Sign-On
- VPN
  - MFA is set up in the Token Manager in the IdM Selfservice.
  - Guide: MFA for VPN
- HPC
  - MFA is set up in the RegApp.
  - Guide: MFA with RegApp
MFA is optional for the following services:
- M365
  - MFA is set up in the M365 account.
  - Guide: MFA for M365
- sciebo
  - MFA is set up in the sciebo web interface.
  - Guide: Authenticator App (TOTP) for sciebo
- GitLab
  - MFA is set up in the GitLab account.
  - Guide: Authenticator App (TOTP) for GitLab
You can create tokens in the Token Manager.
You can find the Token Manager in the Selfservice.
If you have set up multiple tokens (for example, a TAN list and an Authenticator App), you can set a token as the default.
The token will then be pre-selected in the drop-down menu when you log in.
To set the token as the default, you will need to adjust your browser settings.
Microsoft Edge
- Log in to an SSO-protected platform (such as Selfservice or RWTHmoodle).
- Select the token you want to set as the default from the drop-down menu.
- Click the three dots in the upper right corner.
- Click Settings.
- Click Privacy, search, and services.
- Click Choose what to clear every time you close the browser.
- Click Cookies and other site data.
- Click Add next to "Don't clear".
- Under "Add site", type: https://sso.rwth-aachen.de
- Close your browser. The next time you log in, your preferred token will be pre-selected in the drop-down menu.
Firefox
- Log in to an SSO-protected platform (such as Selfservice or RWTHmoodle).
- Select the token you want to set as the default from the drop-down menu.
- Click the three lines at the top right.
- Click Settings.
- Click Privacy & Security.
- Under "Cookies and Site Data", click Manage exceptions.
- Under "Address of website", type: https://sso.rwth-aachen.de
- Click Allow.
- Click Save Changes.
- Close your browser. The next time you log in, your preferred token will be pre-selected in the drop-down menu.
last changed on 02/21/2025
Hardware tokens are based on various technical standards. The following hardware token standards are currently offered at RWTH:
WebAuthn/FIDO2 is the most widely used standard for web services and is therefore used for the RWTH Single Sign-On.
For technical reasons, this standard cannot be used for VPN. The HOTP (HMAC-based One-time Password Algorithm) standard was therefore introduced as well, so that VPN can also be protected with the most secure token currently available.
One-time security codes (also known as security passwords or codes) are sequences of numbers and/or letters that are requested during authentication as a 2nd factor. They are "one-time" codes because they lose their validity, e.g. through a fixed sequence (each code is valid only once and in order) or a short lifespan.
A security key, also known as a hardware key, is a stand-alone object, often in the form of a USB stick or card, which is explicitly intended to serve as a token. Different keys support different token types (WebAuthn/FIDO2, HOTP, TOTP, etc.) and also different methods of issuing the codes (via NFC, only after confirmation of the fingerprint, etc.). A key can be registered and used as several tokens (e.g. for several services and/or as a WebAuthn and HOTP token at the same time).
For some token types, the service and the token must be matched so that authentication can work.
This is done by exchanging a "token secret", e.g. via a QR code, a character string or direct communication between the server and the end device. This is effectively a complicated password.
It is then used by the token device to generate the correct codes and by the server to verify the codes.
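The following added example (not RWTH's own code or the Token Manager's implementation) shows what the shared token secret is used for on both sides: the token device derives HOTP (RFC 4226) and TOTP (RFC 6238) codes from it, and the server, holding the same secret, verifies them. It also illustrates the two details mentioned above: TOTP code length and hash algorithm are parameters that apps may support differently, and an HOTP server advances its counter on every accepted code, so used and skipped codes become invalid. The secret is the constructed 20-byte seed from the RFC test vectors, not a real token secret.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second windows since the epoch.
    `digits` and `algo` are the parameters that differ between authenticator apps."""
    return hotp(secret, unix_time // step, digits, algo)

class HotpServer:
    """Server side of an HOTP token (the kind used for VPN): keeps the shared secret and
    the next counter it expects. A look-ahead window tolerates codes that were generated
    but never submitted; accepting a code moves the counter past it, so used and skipped
    codes are rejected from then on."""

    def __init__(self, secret: bytes, digits: int = 6, window: int = 10):
        self.secret, self.digits, self.window = secret, digits, window
        self.counter = 0  # next counter value expected from the token

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1  # burn this code and every skipped one before it
                return True
        return False

# Constructed demo secret: the ASCII seed from the RFC 4226/6238 test vectors. A real
# deployment generates the secret at random and shares it once, e.g. via QR code.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    server = HotpServer(SECRET)
    print(server.verify(hotp(SECRET, 0)))  # True: first code from the token
    print(server.verify(hotp(SECRET, 0)))  # False: replay of an already used code
    print(server.verify(hotp(SECRET, 3)))  # True: codes 1 and 2 were skipped
    print(server.verify(hotp(SECRET, 1)))  # False: skipped codes are invalid too
    print(totp(SECRET, 59, digits=8))      # 94287082 (RFC 6238 test vector, SHA-1)
```

Changing `digits` or `algo` in `totp` yields a different code for the same secret and time, which is why an app and a service must agree on both parameters during setup.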
Why is my token not working?
A common reason why you can no longer use a token is that it is not valid. Reasons for this can be that:
- the token is deactivated, or
- an error has occurred during setup, or
- all security codes of a TAN list (one-time security codes) have been used up, or
- an outdated token is used with a hardware key.
What can I do?
- If you have another token, you can delete the one that no longer works.
- If you don't have another token, please follow our Lost Token guide.
Important: Please always set at least two tokens so that you can reset any tokens that no longer work.