Sign in with the M365 Account
Further information on re-registering for M365:
EES for students
To register, you will need your student email address in the form firstname.lastname@stud.tu-darmstadt.de.
Data privacy notice
- The same data privacy notice applies as for the use of M365.
- The pool PCs are configured in such a way that the transmission of telemetric data is suppressed as far as possible.
- Login to Microsoft apps takes place in the background.
- In the case of MS Edge, synchronisation is also enabled.
If you do not want this, please use a different browser.
- To ensure that registration for M365 is voluntary, access to study-related content must not be dependent on the use of M365.
On the login screen, click the Guest (Gast) button at the bottom left and then click Login (Anmelden).
Then log in to Citrix Workspace with your TU ID.
Select the key icon on the login screen. The input fields for your username and password will then appear.
Connect the FIDO2 key to your computer's USB port. Then enter your PIN and tap the contact surface of the key once to confirm your login.
The tap simply serves as proof of your presence – it is not a fingerprint. Your password is not required at any time.
Note: As with a conventional front door key, it is advisable to remove the FIDO2 key after logging in.
FAQ
No, the M365 license on your private devices is not affected by use in the PC pool.
A FIDO2 key is a hardware security key that generates and stores passkeys for passwordless authentication.
How do I set up the FIDO2 key?
Open https://aka.ms/mysec and add a security key (USB) as the login method. Follow the instructions there. If one isn't already present, a PIN will be created during this process.
Note: If this process stalls, it's likely due to a hidden window waiting for you to enter your PIN.
To ensure that you are not locked out if you lose your key, we recommend registering Microsoft Authenticator as an additional login method.
Why does a FIDO2 key make login easier?
When dealing with passwords, we recommend using a password manager to create and store secure passwords. This is convenient and can often even be synchronized across devices – for example, on a smartphone and laptop.
This method doesn't work for logging in to a pool PC. Logging in with a complex password is cumbersome in this case.
However, a FIDO2 key simplifies login and saves time, especially for frequent logins.
What are passkeys?
Passkeys are cryptographic keys that are automatically generated by the system and securely stored on a device (such as a smartphone, laptop, or FIDO2 key). Unlike passwords, passkeys are phishing-proof.
- FIDO2 keys can store 128 to 300 passkeys.
- Passkeys are supported by providers such as Apple, Amazon, Google, Microsoft, Nextcloud, GitHub and LastPass, among others.
- Passkeys for multiple M365 accounts can be stored on a single FIDO2 key. However, passwordless login only works for the most recently added M365 login name.
Why does login work without a username?
The passkeys on a FIDO2 key are discoverable – they contain the login name. This information is protected by a PIN and transmitted to the relevant provider when logging in. The passkey itself never leaves the device.
The PIN works similarly to the PIN of a bank card.
- Choose a PIN that you can easily remember.
- Avoid repetitions or sequences of numbers.
- Although the specification allows a minimum length of four characters, we recommend using more than four.
- After eight failed attempts to enter the PIN, all stored passkeys on the FIDO2 key will become unusable. In this case, the key must be reset.
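The tap, the PIN and the phishing resistance described above each correspond to a field the login service checks in the key's response. The following is an added example, not part of the original page and not Microsoft's or the university's code; it follows the WebAuthn data layout, and the site name `login.example`, the nonce and the function names are assumptions made for illustration.

```python
import base64, hashlib, json, struct

UP, UV = 0x01, 0x04  # flag bits: user present (the tap), user verified (PIN or fingerprint)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, auth_data, origin, rp_id, challenge):
    """Return the failed checks (empty list means all of these passed).

    Verifying the signature over auth_data + SHA-256(client_data_json) with the
    stored public key is also required; it is left out to stay stdlib-only.
    """
    failed = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failed.append("type")
    if client.get("challenge") != b64url(challenge):
        failed.append("challenge")          # stale or replayed response
    if client.get("origin") != origin:
        failed.append("origin")             # browser was on a different site
    if len(auth_data) < 37:
        return failed + ["authenticator data too short"]
    rp_id_hash, flags, _sign_count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        failed.append("rpIdHash")           # passkey is scoped to another site
    if not flags & UP:
        failed.append("user presence")      # key was not tapped
    if not flags & UV:
        failed.append("user verification")  # no PIN or fingerprint
    return failed

def sample(origin, rp_id, challenge, flags):
    """Constructed stand-in for what the browser and the key would send."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", 7))
    return client, auth

if __name__ == "__main__":
    nonce = b"constructed-nonce"  # constructed value, normally random per login
    good = sample("https://login.example", "login.example", nonce, UP | UV)
    print(check_assertion(*good, "https://login.example", "login.example", nonce))
```

A response produced while the browser is on any other site fails the `origin` and `rpIdHash` checks regardless of what the user typed or tapped, which is what makes passkeys resistant to phishing.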
FIDO2 keys are primarily used to securely store passkeys. Some models also offer the option of generating one-time passwords.
One-time passwords (HOTP and TOTP)
One-time passwords (OTP) are used as the second factor in two-factor authentication (2FA).
You can find further information on our website: Two-Factor Authentication (2FA) with the TU-ID
There are various ways to generate one-time passwords, such as with Microsoft Authenticator. FIDO2 keys are not required for this, but can be used optionally.
- HOTP: The one-time password is entered directly from the key connected via USB into the input field for the second factor.
- TOTP: The TOTP is generated via an app (e.g., the Token2 Companion App) on a smartphone or laptop. The TOTP creation is linked to the FIDO2 key and works independently of the smartphone.
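HOTP and TOTP use the same HMAC construction and differ only in the moving value: a counter that advances with each generated code, or the current 30-second time step. The following is an added example of the standard algorithms (RFC 4226 and RFC 6238), not code from the original page or from any vendor; the verification helpers and their window sizes are assumptions, and the secret is the RFCs' published test key.

```python
import hashlib, hmac, struct

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, int(unix_time) // step, digits)

def verify_hotp(secret, submitted, server_counter, look_ahead=3):
    """Return the next server counter on success, None on failure.

    The token's counter advances on every generated code, even unused ones,
    so the server looks a few counters ahead. It never looks back, which
    rejects a code that was already used.
    """
    for counter in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter + 1
    return None

def verify_totp(secret, submitted, unix_time, step=30, drift_steps=1):
    """Accept the current time step plus or minus drift_steps for clock drift."""
    now = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, now + d), submitted)
               for d in range(-drift_steps, drift_steps + 1))

RFC_TEST_SECRET = b"12345678901234567890"  # test key published in RFC 4226

if __name__ == "__main__":
    print(hotp(RFC_TEST_SECRET, 0))             # first HOTP code
    print(totp(RFC_TEST_SECRET, 59, digits=8))  # TOTP at t = 59 s
```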
Multi-factor authentication (MFA) vs. two-factor authentication (2FA)
- There are differences between MFA and 2FA. MFA refers to authentication with two or more factors from different verification categories.
- 2FA uses exactly two factors.
The three verification categories are:
1. Something you know (e.g. PIN, password)
2. Something you own (e.g. FIDO2 key, laptop, smartphone)
3. Something you are / inherence factor (e.g. fingerprint, facial scan)
2FA typically involves logging in with a username and password, followed by a second factor.
Authentication with a FIDO2 key involves something you know (the PIN) and something you have (the passkey on the FIDO2 key) and is multi-factor authentication. When using a key with a fingerprint sensor, the PIN is replaced by the inherence factor.
Where to order FIDO2 keys?
Note: The following information is general. Whether and in what form login with M365 and FIDO2 keys will be supported is currently unknown.
As of August 2025
Token2 offers a Student Discount. For shipping to Germany, use the €6.90 option.
- The cheapest option: the bundle with two USB-A keys for €25. These keys appear robust and are well-suited for passwordless login with M365 and other passkeys. HOTP and TOTP, as well as the Token2 apps, are not supported. These keys allow 4-digit PINs, but a PIN with more characters should be created.
- PIN+ Dual Release3.2: The key for €24 combines all the options – USB-A, USB-C, HOTP, TOTP, as well as the Companion App and NFC for the smartphone.
- Fingerprint instead of PIN: The PIN+Bio3 is available for €37. In our test, fingerprint login worked without any problems. It can be unstable on a smartphone with a USB-C port. TOTP and the Companion App are supported – but HOTP and NFC are not.
Note: In this case, another login method, such as Microsoft Authenticator, is required.
- After eight incorrect attempts, the key will be locked. Therefore, remove it from the list at https://aka.ms/mysec and follow the manufacturer's instructions to perform a reset. This will delete all passkeys on the key. You can then set it up again.
- If applicable, also remove the key from other providers for which passkeys were stored on the key.
- If you have lost your key, proceed in the same way.