Universität Bielefeld

Campus support

Two-factor authentication (2FA)

Those who use two-factor authentication (2FA) enter an additional, continuously changing one-time password each time they log in. The second factor is a code that can be regenerated at any time with the help of a smartphone. A potential attacker would therefore have to steal the password AND the smartphone (and be able to access the latter).

For staff in the examination offices, access to the BIS Examination Management is only possible with 2FA, for which we provide a "Security Token". For all other employees, use is voluntary and works via smartphone.

Activating 2FA

Apps for the 2FA

In order to use the 2FA, an app must be installed on your smartphone that works with our 2FA ("Authenticator App").

We recommend using the Google Authenticator App, which can be used on Android, iOS or Windows:

An alternative is the Sophos Intercept X App.

In both apps, you will find a menu in the top right corner that allows you to set up a new account.

For experts:

The 2FA implements the ''Time-based One-time Password (TOTP)'' method according to RFC 6238, so in principle any device or app that supports this standard can be used.

Owners of an OTP-enabled YubiKey - such as the NEO - can also use it with 2FA using both the Yubico Authenticator app (Android) and the ''Authenticator'' app for Windows and other operating systems. If you are planning to use this device and are having trouble configuring it, contact BIS Support.

Set up 2FA for your account

On this page in the PEVZ you can set up your own 2FA (after successfully logging in):

As long as you have not yet activated the 2FA, you will find a button there that starts the activation. The page will then display a QR code that you scan with a suitable ''Authenticator App'' on your smartphone.

In the ''Google Authenticator App'' you do this by tapping the three dots in the top right corner and then, in the menu that follows, tapping "Set up account" and "Scan barcode".

After a successful scan, the app will display a 6-digit number, which will change every 30 seconds from then on. This is your '''security code'''. This completes the setup on your smartphone. You will now need this code for the first time to complete the two-factor authentication setup: enter the value currently displayed in your app in the input field below the QR code in the PEVZ and submit the form.

If you have trouble scanning the QR code, or if you are using a device that does not have a camera, you can also manually enter the basic key for setting up the app. To do this, the key will be displayed below the QR code. Entering this long text is error-prone and is therefore only recommended in exceptional cases.

Most apps offer a corresponding option for manual entry in addition to scanning the QR code. You have to enter a name for the account yourself ("Uni Login" is a good choice here) and usually also set which generation method ('time-based') is used.

Afterwards, however, your app will work exactly as if you had scanned the QR code.
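As an added illustration (not code from this page or from the university's systems), the following Python sketch shows the RFC 6238 calculation mentioned under "For experts", and why a manually typed key gives the same 6-digit, 30-second codes as a scanned QR code. It assumes the QR code carries an otpauth:// setup URI, as commonly used by authenticator apps; the key shown is the public RFC 6238 test key, and all names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs

# Constructed sample data: the public RFC 6238 test key, not a real account.
SETUP_URI = "otpauth://totp/Uni%20Login?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TYPED_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"  # same key, typed by hand

def decode_key(text):
    """Normalise a typed Base32 key: drop spaces/dashes, fix case and padding."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def key_from_qr(uri):
    """Extract the key from the text of a setup QR code (assumed otpauth:// URI)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP setup URI")
    return decode_key(parse_qs(parsed.query)["secret"][0])

def totp(key, at=None, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the 30-second window containing `at`."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    scanned, typed = key_from_qr(SETUP_URI), decode_key(TYPED_KEY)
    print("same key either way:", scanned == typed)
    print("code now:", totp(scanned))
    print("code in the next window:", totp(scanned, at=time.time() + 30))
```

Anyone who obtains the key can compute the same codes, which is why the key and the QR code should be treated like a password during setup.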

Backup codes

When you have successfully completed the activation of 2FA, you will be shown your '''backup codes'''. You should print out this short list of 8-digit codes immediately and then keep it safe. You can use the backup codes to log in without a smartphone, which can be a useful alternative if your battery is low, you don't have your smartphone handy, or you've switched to a new device.

The backup codes can be used in place of the security codes generated by the Authenticator app. They are '''consumed''' in the process, so each one can only be used once. You should definitely make sure that you regenerate codes in time - in case of doubt, you will need the last backup code to generate new ones for yourself, or to turn 2FA off again.

On the page with the 2FA settings, you will find a link that takes you to the page with your backup codes. There you will see the list of your backup codes that are still valid. As soon as you use a code, it disappears from the list. Once you have used all the codes, the list will be empty.

If the system rejects you when you log in with a backup code, the only reason for this, apart from a typing error, is that the code has already been used up. You should then use another code on your list. When doing so, make sure that you use a current list of backup codes.

If you are sure that you have not used a backup code yourself, then be sure to follow these steps:

  • Generate new backup codes for yourself
  • Remove any trust relationships you have set up on other computers
  • Check the My Activities page to see if there are any unexplained logins there
  • Contact BIS Support!

Trusted computers

You can exclude computers that you use every day and that you consider trustworthy from 2FA. This is done using an option that is offered to you when you enter the security code and that is not selected by default. If you select this option, you will only be asked for your security code again after 30 days on this computer. Of course, you still have to enter your password every time you log in.

On computers that you share with other users, you should not use this option. This is even more true for computers that can be used by the public. On computers that you use only rarely, the option is usually not worth using, and leaving it off avoids a potential security risk.

The typical use case is therefore your own workstation computer, which you use every day, where access is protected by a personal password and which is professionally administered.

You can manage your trusted computers on this page:

 

Deactivating 2FA

On the 2FA management page you will also find a way to disable it. However, you need to have access to your second factor; disabling it with your password alone is not possible, even on a trusted computer.

If you are one of the staff members who received a ''Security Token'' - a special device for generating security codes - from us, you cannot deactivate the 2FA yourself, because special configurations are still necessary on the system side and the token must be returned. In this case, please contact BIS Support.

 

Change your 2FA to another smartphone

Switch off 2FA once with your old smartphone and set it up again on the new device.

Since deactivating 2FA also removes all trust relationships with computers, you must first log back in to all computers with the second factor after the changeover. In doing so, you can re-establish the desired trust relationships. Your backup codes will also be recreated.

When you are locked out

If you have lost your smartphone, used up your last backup code, or do not have your phone with you and do not have a backup code available, please contact BIS Support.