
Bielefelder IT-Servicezentrum


Two-factor authentication (2FA)

Two-factor authentication (2FA) adds a second factor to the personal password when logging in to the login.uni-bielefeld.de login domain. We use a physical security key (FIDO) or, alternatively, one-time security codes (TOTP) as the second factor. An attacker would therefore have to steal the personal password AND the second factor.

Activate and set up 2FA

Security key / hardware token (FIDO)

Important: This is the standard procedure for university employees.

To use 2FA, physical security keys (hardware tokens) are used via the FIDO procedure. The activation and setup for this must be carried out via the account management.

Employees of Bielefeld University can obtain a YubiKey hardware token from the BITS counselling service in room UHG A0-301.

Instructions:

1. Open the page https://login.uni-bielefeld.de/kv/fido (login required) and go to Registration of a new security key.
2. Go to Register on this page to link a security key (token) for the account.
3. A Windows message opens asking where the master key should be saved. Select the security key here.
4. Click on OK.
5. Insert the YubiKey into the device now, if you have not already done so.
6. Now tap the illuminated button on the YubiKey.
7. Confirm this message with OK.
8. Confirm the website message with OK. 2-factor authentication via token is now active.
9. Finally, the replacement codes are displayed. Please save/print these and keep them in a safe place.
10. Login after registering the YubiKey: the next time you log in, the login page offers login by security key.

1. Open the page https://login.uni-bielefeld.de/kv/fido (login required) and go to Set up new security key.
2. Go to Register on this page to link a security key (token) for the account.
3. A message about the security key opens. Insert the YubiKey into the device now, if you have not already done so.
4. Tap the illuminated button on the YubiKey and confirm the connection to the YubiKey with Allow.
5. Confirm the website message with OK. 2-factor authentication via token is now active.
6. Finally, the replacement codes are displayed. Please save/print these and keep them in a safe place.
7. Login after registering the YubiKey: the next time you log in, the login page offers login by security key.

1. Open the page https://login.uni-bielefeld.de/kv/fido (login required) and go to Registration of a new security key.
2. Go to Register on this page to link a security key (token) for the account.
3. A Linux message for the security key opens.
4. Insert the YubiKey into the device now, if you have not already done so, and tap the illuminated button on the YubiKey.
5. Confirm the website message with OK. 2-factor authentication via token is now active.
6. Finally, the replacement codes are displayed. Please save/print these and keep them in a safe place.
7. Login after registering the YubiKey: the next time you log in, the login page offers login by security key.

Generation of security codes via app (TOTP)

As an alternative to the hardware token, 2FA can also be used with security codes via an app ("Authenticator App") on the smartphone using the TOTP method. These "Time-based One-time Password" apps generate a 6-digit number (security code) every 30 seconds, which is used as a second factor.

We recommend using the "2FAS" app, which is available for Android and iOS:


For experts:
Our 2FA implements the TOTP method in accordance with RFC 6238. In principle, any device or app that supports this standard can therefore be used.

Set up 2FA via TOTP for your own access

You can set up 2FA yourself on this account management page:

As long as the 2FA via TOTP has not yet been activated, there is a button there that starts the activation. The page then displays a QR code that is scanned with a suitable "Authenticator App" on the smartphone.

Instructions:

1. Prerequisite: the 2FAS app is installed (download link above). Open the account management (login required) and go to Start setup.
2. A QR code will now be displayed. To scan this, the 2FAS app must be opened on the smartphone.
3. Tap on Pair new service and then scan the QR code from the screen.

   Note: Devices without a camera and other apps

   If you have problems scanning the QR code or if you are using a device that does not have a camera, you can also enter the basic key for setting up the app manually. The key is displayed below the QR code. Entering this long text is error-prone and is therefore only recommended in exceptional cases.

   Most apps offer a corresponding option for manual entry in addition to scanning the QR code. You have to assign a name for the account yourself ("Uni Login" is a good choice here) and usually also set which generation method ('time-based') is used.

   Afterwards, your app will work in exactly the same way as if you had scanned the QR code.

4. A TOTP code is displayed.
5. Enter the TOTP code on the website. Pay attention to the countdown: a new code is generated every 30 seconds. Within this time, click on Complete setup.
6. Finally, the replacement codes are displayed. Please save/print these and keep them in a safe place.
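For readers of the "For experts" note and the manual key entry note: the following added example (not code from BITS or from the 2FAS app) shows how an RFC 6238 client derives the 6-digit code for a 30-second step and how a verifier can compare it. It assumes the key shown below the QR code is base32 text and that HMAC-SHA-1 (the RFC 6238 default) is used; the ±1 step tolerance in `verify` is likewise an assumption, not a documented setting of the university's login service.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the published RFC 6238 SHA-1 test secret, written the way
# a key is often typed by hand (lower case, grouped with spaces).
SAMPLE_TYPED_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_typed_key(text: str) -> bytes:
    """Decode a hand-typed base32 key; a mistyped key raises ValueError."""
    cleaned = "".join(text.split()).replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that apps often omit
    return base64.b32decode(cleaned)      # binascii.Error is a ValueError


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 code: HOTP (RFC 4226) over the number of elapsed time steps."""
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key: bytes, code: str, unix_time: int, window: int = 1,
           step: int = 30) -> bool:
    """Accept the current step and `window` neighbours (assumed tolerance)."""
    matched = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        expected = totp(key, t, step=step)
        # Constant-time comparison; every candidate is checked, no early exit.
        matched |= hmac.compare_digest(expected.encode(), code.strip().encode())
    return matched


if __name__ == "__main__":
    import time
    now = int(time.time())
    key = decode_typed_key(SAMPLE_TYPED_KEY)
    print(totp(key, now), "valid for", 30 - now % 30, "more seconds")
```

A key containing the digits 0, 1, 8 or 9 is rejected by `decode_typed_key`, since those characters are not part of the base32 alphabet; this catches some, but not all, typing errors during manual entry.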

Use of the 2FA

If 2FA is activated via the FIDO or TOTP procedure, another page for the second factor is displayed after entering the primary, personal access data.

Use of security key / hardware token (FIDO)

If a security key/hardware token is registered, the token is required after clicking on "Login with security key" and must be connected to the device.

This login can be saved on the device or in the browser used by activating the "Remember me for 30 days" option. This means that you will no longer be asked for the second factor for 30 days.

Use Authenticator App (TOTP)

If an Authenticator app is used via TOTP, the current 6-digit code from the app must be entered.

This login can be saved on the device or in the browser used by activating the "Remember me for 30 days" option. This means that you will no longer be asked for the second factor for 30 days.

Replacement codes

In a hurry: New replacement codes

Your replacement codes are almost used up and you need to generate new ones?

Click here to go directly to Manage your replacement codes for two-factor authentication

When FIDO or TOTP are activated

When the activation of two-factor authentication is successfully completed, the replacement codes are displayed. This short list of 8-digit codes should be printed out immediately or stored in a password manager and kept in a safe place. The replacement codes can also be used to log in without a hardware token or smartphone, which can be a useful alternative if the battery is empty, you do not have a token to hand, or you have changed to a new device.

The replacement codes can be used instead of FIDO or TOTP. Each code is used up when it is entered and can therefore only be used once. Please ensure that you generate new codes in good time; in case of doubt, the last replacement code is used to generate new codes or to switch off 2FA again.

-> Management of replacement codes

The list of valid replacement codes is displayed on this page. As soon as a code has been used, it disappears from the list. As soon as all codes have been used, the list is empty.

If replacement codes are not accepted

If you are rejected by the system when logging in with a replacement code, the only reason for this, apart from a typing error, is that the code has already been used. You should then use another code on your list. Make sure that you are using an up-to-date list of replacement codes.

If you are sure that you have not used a replacement code yourself, then you should definitely carry out these steps:

Trustworthy computers

You can exclude computers that you use on a daily basis and that you consider trustworthy from 2FA. There is an option for this that is offered to you when you enter the security code and which is not selected by default. If you select this option, you will only be asked for your security code again after 30 days on this computer. Of course, you will still have to enter your password every time you log in.

This option should not be used on computers that are shared with other users. This applies even more to public computers. On computers that are rarely used, it is usually not worth using the option and a potential security risk is avoided.

The typical use case is therefore your own workstation computer, which you use every day, where access is protected by a personal password and which is professionally managed.

You can manage your trusted computers on this page:

 

Switch off 2FA again

On the 2FA administration page, you will also find a way to switch it off again. To do this, however, you must have access to your second factor; it is not possible to switch it off with your password alone, even if it is a trusted computer.

If you are one of the people who have received a "security token" from us, i.e. a special device for generating security codes, then you cannot deactivate two-factor authentication yourself, as special configurations are still required on the system side and the token must be returned. In this case, please contact BIS support.

 

Move 2FA to a new smartphone via TOTP

Some authenticator apps offer options for exporting a TOTP code and transferring it to a new smartphone. If you do not use such an app or the old smartphone can no longer be used, you can choose this method:

Switch off the 2FA with a replacement code and set it up again on the new device.

As switching off 2FA also cancels all trust settings on computers, you must first log back on to all computers with the second factor after the changeover. You can then re-establish the desired trust settings. Your replacement codes will also be recreated.

When you have locked yourself out

The hardware token or smartphone is not at hand or has been lost?
The last replacement code has been used up or is not available?

Students please contact bits@uni-bielefeld.de.

Employees please contact servicedesk@uni-bielefeld.de.
