FAQ - Multifactor-Authentication (MFA)

A token, or more precisely a "security token", is an object or device that is registered with a login/authentication service as a login factor. With this token, users can prove their identity, similar to the use of passwords. The combination of a password (1st factor) and the token (2nd factor) results in improved security. 

The second factor generates a one-time security code, which is requested in different ways depending on the type of token. 

You can find more information on the token types under General information.

The following tokens are available at RWTH Aachen University: 

• Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)*
• Hardware token for VPN (HOTP)*
• Smartphone token (TOTP)* 
• TAN list (one-time security codes) 
• E-Mail

*Recommended for use

Learn more

You can create, activate, deactivate and delete your tokens in the Selfservice via the Token Manager.

Hardware tokens are based on various technical standards. 

The following hardware token standards are currently offered at RWTH:

• Hardware token for VPN (HOTP)
• Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)

WebAuthn/FIDO2 is the most widely used standard for web services and is therefore used for the RWTH Single Sign-On. For technical reasons, this standard cannot be used for VPN. For this reason, the HOTP standard was also introduced in order to be able to protect VPNs with the most secure token currently available.

One-time security codes (also known as security passwords or codes) are sequences of numbers and/or letters that are requested during authentication by a 2nd factor. These are "unique" as they lose their validity due to e.g. a fixed sequence or a short lifespan.

A security key, also known as a hardware key, is a stand-alone object, often in the form of a USB stick or card, which is explicitly intended to serve as a token. Different keys support different token types (WebAuthn/FIDO2, HOTP, TOTP, etc.) and also different methods of issuing the codes (via NFC, only after confirmation of the fingerprint, etc.). A key can be registered and used as several tokens (e.g. for several services and/or as a WebAuthn and HOTP token at the same time).

For some token types, the service and the end device must be matched so that authentication can work. This is done by exchanging a "token secret", e.g. via a QR code, a character string or direct communication between the server and the end device. This is effectively a complicated password. This is then used by the token device to generate the correct codes and by the server to verify the codes.

The YubiKey is a hardware key that you can use for the tokens "Hardware token for VPN (HOTP)" and "Hardware token for RWTH Single Sign-On (WebAuthn/FIDO2)". 

Where can I get a YubiKey? 

Please contact your supervisor at your institution. 

Who gets a YubiKey?

YubiKeys can be obtained for all employees of RWTH Aachen University. 

In addition to the YubiKeys provided, you can also use your own. 

How do I set up the YubiKey? 

You can find instructions on how to set up the YubiKey under "Set up YubiKey".

To delete a token in the token manager, you must carry out the following steps:

1. Log in to IdM Selfservice and click on "Tokenmanager".
2. Click on the checkbox of the token you wish to delete.
3. Now click on "Delete".
4. The token has been successfully deleted.

A common reason why you can no longer use a token to log in to the service with the 2nd factor is that it has lost its validity. Reasons for this can be that

• the token is deactivated, or
• an error has occured during setup, or
• all security codes have been used up when using the TAN list (one-time security codes), or
• an outdated token is used when using a hardware key. 

If another token is available, please use it to delete the token that no longer works in the Selfservice via the Token Manager. 

If you no longer have any tokens, please contact the IT ServiceDesk to have the tokens reset. 

Important: Please always set at least two tokens so that you can reset any tokens that no longer work. You can find instructions on how to manage your tokens under "Set up tokens".

Wenn Sie einen Token verloren haben, können Sie ihn selbstständig deaktivieren oder löschen. Dazu wurden Sie bei der Einrichtung angehalten, eine TAN-Liste (Einmal Sicherheitscodes) einzurichten.  

Navigieren Sie im Selfservice zum Tokenmanager und deaktivieren bzw. löschen Sie den verloren gegangenen Token. Sie können dann auch einen neuen Token einrichten. 

Wenn diese Möglichkeit nicht besteht, nutzen Sie das Rücksetzverfahren für MFA Token.