Multifactor-authentication (MFA) is a procedure in which users have to confirm their login via a separate medium/device.

This increases security and can protect users from data misuse in cases where their login data is lost or compromised.

RWTH Single Sign-On supports two-factor authentication as MFA. The second factor is implemented via tokens.

All service providers (Webservices using RWTH Single Sign-On) decide independently whether or not a second factor is required to log in to their service.

As per usual, the single sign-on login is valid for an entire browser session and across all services accessed during that session.

Which token types are supported?

3 types of tokens are currently supported.

• A TAN-List (one-time security code) token contains a list of codes that are queried as a second factor. Individual security codes become invalid after use. This list must be set up for the use of MFA and saved separately. Single-use security codes also serve as a fallback solution if other tokens are no longer usable (e.g.: loss of the device or mail address). Therefore, a TAN-List token is mandatory to be able to use the other token types.

• When using the e-mail token, a single-use security code will be sent to you via e-mail during login.

• The time-based security code (TOTP - Time-based one-time password) token requires a corresponding app to which the token is linked. Security codes are then generated continuously with the help of this app. Be aware that different TOTP apps support different security code character lengths and hash algorithms.

Login using MFA

After logging in via RWTH Single Sign-On, you can choose a token as the second factor.

You must have created the corresponding tokens in advance.