Set up Tokens
Tokens can be set up and managed directly in IdM Selfservice in the MFA-Tokenmanager. Each token is assigned a serial number.
Note: The following types of tokens are available:
Our MFA-Tokenmanager allows you to view, activate, deactivate, edit or delete your assigned tokens as well as create new tokens.
Click on "create" in order to assign a new token.
Note: If you have not yet created a token, you must first generate a TAN list (one-time security codes). This serves as a backup in case your other tokens are lost.
If you do not have any of the other tokens and all ten one-time security codes in the TAN list have been used up, you will no longer be able to access systems that require two factors. In this case, you can contact the IT-ServiceDesk.
If you want to deactivate the usage of MFA, you can delete all tokens yourself and then log in as usual using only your username and password.
Choose the desired token type from the list, then click on "next" in order to start the process for assigning your new token.
Hardware token (WebAuthn/FIDO)
A hardware token is used with an external hardware component (hardware key). Since the hardware token is completely separate from the devices you use, it is a very secure form of second factor. It generates and transmits a one-time password so that you are forwarded to the desired service. The form of the one-time password depends on the hardware key used.
Important: When selecting the hardware key, make sure that it is compatible with the WebAuthn protocol used.
Assign a self-selected, unique description for the token and click on "Create".
Start the setup of the hardware token by clicking on "Register". Please note that not all browsers support this feature and if in doubt, use another browser (e.g. Chrome, Edge, Firefox).
To set up your hardware token, please follow the on-screen instructions.
Whether a PIN is required depends on whether and how the hardware key was previously set up.
Important: When assigning the security key PIN, make sure that it cannot be seen by unauthorized third parties.
If your operating system does not have its own credential manager, such as that of Windows, the tokens are set up by your web browser:
Firefox
Do not anonymize your data in the first step, otherwise the token setup will fail:
Now the hardware key can be connected to the system. You may be asked for the PIN of the key:
Complete the process by tapping the key:
Chrome
If there is no key connected to the system yet, you will be asked for the type of device to be used. Please select "USB security key":
Then follow the instructions on your screen.
Smartphone token (TOTP)
A TOTP token (time-based one-time password) is associated with a TOTP app of your choice. Add a description (e.g. the name of your app) and select a security code length and hash algorithm.
Note: Please check in advance which code lengths and hash algorithms are supported by your app. All TOTP apps support the SHA1 algorithm. More secure methods like SHA256 or SHA512 are not necessarily supported by all apps.
You can then register the token in your TOTP app using the QR code (or by manually entering the TOTP key). At this point, you can test the functionality of the token using the "Test TOTP" box.
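The following added example (not the token manager's own code) shows what the code length and hash algorithm settings actually change: it implements RFC 4226/6238 TOTP for the three algorithms offered, decodes a manually entered base32 key, and includes a verifier with a small clock-drift window. The 30-second period is the TOTP default assumed here; the seeds and timestamps in the test come from the RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct

# Algorithm names as offered by the token manager, mapped to hashlib constructors.
HASH_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_totp_key(key: str) -> bytes:
    """Decode a manually entered base32 TOTP key (spaces and missing padding tolerated)."""
    cleaned = key.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), HASH_ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, algorithm: str = "SHA1",
         period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, digits: int = 6,
                algorithm: str = "SHA1", period: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side for clock drift.

    If the app was set up with a different digit count or hash algorithm than the server,
    every comparison here fails, which is the mismatch the note above warns about.
    """
    for step in range(-window, window + 1):
        candidate = totp(secret, unix_time + step * period, digits, algorithm, period)
        if hmac.compare_digest(candidate, code):
            return True
    return False
```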
2FAS App (2 factor authenticator) is an example of a TOTP App. It can be used on Android and iOS and provides a plug-in for Firefox.
You can find a guide for connecting the app to the token manager here.
- Download the app from the App Store or Google Play.
- Open the app and click on "pair new device".
- Create a new smartphone-token (TOTP) in the Token Manager.
- Scan the QR-code from the Token Manager with the app.
- Enter the code from the app into the field in your browser and click on "Confirm" and "Finish".
You can now use the app as a smartphone-token. A new code is generated every 30 seconds.
Important: Ensure that no unauthorized third parties are able to access the app.
Please contact the manufacturer directly for further support.
TAN list (one-time security codes)
All users must create the token "TAN list (one-time security codes)", download it, and save it locally.
Assign a self-selected description to the token and download it.
The TAN list token generates a list of one-time security codes. Please store this list securely, as it is used as a fallback in case your other tokens are lost or otherwise unavailable, as long as there are still unused codes.
Each individual code can only be used once.
Please use codes in order, as any codes that are skipped over will also be invalidated.
Make sure to generate a new TAN list before using the last code on your current list.
Note: The TAN list token cannot be deactivated or deleted as long as another token is still active. This ensures account access in cases where any other assigned tokens are lost.
It is recommended that you use the TAN list primarily as a backup for replacing lost tokens. Always generate a new TAN list before you have used up the last of the ten one-time security codes.
If you wish to completely disable the MFA feature, you can delete the "TAN list (one-time security code)" token after all other tokens have been deleted.
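The rules above (single use, in-order use with skipped codes invalidated, ten codes per list, renew before the last one, no deletion while other tokens are active) can be modelled server-side as follows. This is an added illustration, not the IdM's own implementation; the code length of eight digits and the salted SHA-256 storage are assumptions.

```python
import hashlib
import hmac
import secrets

TAN_COUNT = 10  # the token manager issues ten one-time security codes per list


class TanList:
    """Illustrative server-side model of the TAN list token rules."""

    def __init__(self, count: int = TAN_COUNT, length: int = 8):
        # Plaintext codes exist only at creation time, so the user can download the list;
        # the server keeps salted hashes plus the position of the next code it will accept.
        codes = set()
        while len(codes) < count:
            codes.add("".join(secrets.choice("0123456789") for _ in range(length)))
        self.codes = sorted(codes, key=lambda _: secrets.randbits(32))  # download copy
        self._salt = secrets.token_bytes(16)
        self._hashes = [self._hash(c) for c in self.codes]
        self.next_index = 0

    def _hash(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode()).digest()

    def remaining(self) -> int:
        return len(self._hashes) - self.next_index

    def needs_renewal(self) -> bool:
        """True once only the last code is left: generate a new list before using it."""
        return self.remaining() <= 1

    def verify(self, code: str) -> bool:
        """Accept a code once; every code positioned before it is invalidated as well."""
        h = self._hash(code)
        for i in range(self.next_index, len(self._hashes)):
            if hmac.compare_digest(h, self._hashes[i]):
                self.next_index = i + 1  # consumes this code and any skipped ones
                return True
        return False  # unknown, already used, or skipped over

    @staticmethod
    def can_delete(other_active_tokens: int) -> bool:
        """The TAN list may only be removed once no other token is active."""
        return other_active_tokens == 0
```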
Enter the e-mail address to which the one-time valid security code should be sent and add a description of your choice (e.g. "work e-mail address").
If you encounter any problems with the creation or use of your tokens, please feel free to contact the IT-ServiceDesk.