Universität Bielefeld


Two-factor authentication (2FA)

Users of two-factor authentication (2FA) enter an additional one-time password, which changes continuously, each time they log in to BIS. The second factor used in BIS is a code that can be regenerated at any time with the help of a smartphone. A potential attacker would therefore have to steal the BIS password AND the smartphone (and be able to access the latter).

For staff in the examination offices, work in the BIS Examination Management is only possible with 2FA, for which we issue a "Security Token". For all other employees, the use is voluntary and takes place via smartphone.

Activating 2FA

Apps for 2FA

To use 2FA, you must install an app on your smartphone that works with the BIS 2FA ("Authenticator App").

We recommend using the Google Authenticator App, which can be used on Android, iOS or Windows:

An alternative is the Sophos Intercept X app.

In both apps, you will find a menu in the top right corner that allows you to set up a new account.

For experts:

Two-factor authentication in BIS implements the "Time-based One-time Password (TOTP)" method according to RFC 6238, so in principle any device or app that supports this standard can be used.

Owners of an OTP-enabled YubiKey, such as the NEO, can also use it with two-factor authentication in BIS using both the Yubico Authenticator app (Android) and the "Authenticator" app for Windows and other operating systems. If you are planning to use this device and are having trouble configuring it, contact BIS Support.

Set up 2FA for your own BIS login

On this page in the PEVZ you can set up your own 2FA (after logging in successfully):

As long as you have not yet activated two-factor authentication, you will find a button there that starts the activation. The page will then display a QR code that you scan with a suitable "Authenticator App" on your smartphone.

In the "Google Authenticator App" you do this by tapping the three dots in the top right corner and, in the menu that follows, tapping "Set up account" and then "Scan barcode".

After a successful scan, the app will display a 6-digit number, which will change every 30 seconds from then on. This is your security code. This completes the setup on your smartphone. You will now need this code for the first time to complete the two-factor authentication setup: enter the value currently displayed in your app in the input field below the QR code in the PEVZ and submit the form.

If you have trouble scanning the QR code, or if you are using a device that does not have a camera, you can also manually enter the basic key for setting up the app. To do this, the key will be displayed below the QR code. Entering this long text is error-prone and is therefore only recommended in exceptional cases.

Most apps offer a corresponding option for manual entry in addition to scanning the QR code. You have to enter a name for the account yourself ("BIS Login" is a good choice here) and usually also set which generation method ('time-based') is used.

Afterwards, however, your app will work exactly as if you had scanned the QR code.
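What an RFC 6238 authenticator app computes from the key behind the QR code, including the manual key entry described above, shown as an added example that is not BIS code. HMAC-SHA-1, Base32 key encoding and the one-step drift window are assumptions taken from the RFC defaults and common authenticator apps, not stated on this page; the sample key is the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct

DIGITS = 6     # code length stated on this page
PERIOD = 30    # seconds between code changes, as stated on this page
# Constructed sample: the RFC 6238 test secret as a user might type it by hand
TYPED_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_key(typed: str) -> bytes:
    """Decode a hand-typed Base32 key, tolerating spaces, dashes and lower case."""
    cleaned = typed.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)           # restore stripped padding
    try:
        return base64.b32decode(cleaned)
    except ValueError as exc:                      # binascii.Error is a ValueError
        raise ValueError("not valid Base32; check for 0/O and 1/I typos") from exc


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second step counter."""
    counter = struct.pack(">Q", unix_time // PERIOD)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(key: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current step and +/- drift_steps (assumed), in constant time."""
    ok = False
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(key, unix_time + step * PERIOD)
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


if __name__ == "__main__":
    key = decode_key(TYPED_KEY)
    print(totp(key, 59))                           # RFC 6238 test time
    print(verify(key, "081804", 1111111111))       # code from the previous step
```

A mistyped key that is still valid Base32 decodes without error and simply yields wrong codes, which is why the confirmation step with the first security code matters.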

Replacement codes

When you have successfully completed the activation of two-factor authentication, you will be shown your replacement codes. You should print out this short list of 8-digit codes immediately and then keep it safe. You can use the replacement codes to log in without a smartphone, which can be a useful alternative if your battery is low, you don't have your smartphone handy, or you've switched to a new device.

The replacement codes can be used in place of the security codes generated by the Authenticator app. They are consumed in the process, so each can only be used once. You should definitely make sure that you regenerate codes in time: in case of doubt, you will need the last replacement code to generate new ones for yourself, or to turn 2FA off again.

On the two-factor authentication settings page, you will find a link in the right margin that takes you to the replacement codes management page. There you can view the list of your replacement codes that are still valid. As soon as you use a code, it disappears from the list. Once you have used all the codes, the list will be empty.

If the system rejects you when you log in with a replacement code, the only reason for this, apart from a typing error, is that the code has already been used up. You should then use another code on your list. When doing so, make sure that you use a current list of replacement codes.

If you are sure that you have not used a replacement code yourself, then be sure to follow these steps:

  • Generate new replacement codes for yourself
  • Remove any trust relationships you have set up on other computers
  • Check the My Activities page to see if there are any unexplained logins there
  • Contact BIS Support!

Trusted computers

You can exclude computers that you use every day and that you consider trustworthy from 2FA. This is done using an option that is offered to you when you enter the security code and that is not selected by default. If you select this option, you will only be asked for your security code again after 30 days on this computer. Of course, you still have to enter your password every time you log in.

On computers that you share with other users, you should not use this option. This is even more true for computers that can be used by the public. On computers that you use only rarely, it is usually not worth using the option, and leaving it off avoids a potential security risk.

The typical use case is therefore your own workstation computer, which you use every day, where login is protected by a personal password and which is professionally supervised.

You can manage your trusted computers on this page:

Deactivating 2FA

On the 2FA management page you will also find a way to disable it. However, you need to have access to your second factor; disabling it with your BIS password alone is not possible, even on a trusted computer.

If you are one of the staff members who received a "Security Token" (a special device for generating security codes) from us, you cannot deactivate two-factor authentication yourself, because special configurations are still necessary on the system side and the token must be returned. In this case, please contact BIS Support.

Change your 2FA to another smartphone

Switch off 2FA once with your old smartphone and set it up again on the new device.

Since deactivating two-factor authentication also removes all trust relationships with computers, you must first log back in to all computers with the second factor after the changeover. In doing so, you can re-establish the desired trust relationships. Your replacement codes will also be recreated.

When you are locked out

If you have lost your smartphone, used up your last replacement code or if you do not have your phone with you but urgently need to access the BIS applications and do not have a replacement code available, please contact BIS Support.
