Two-Factor Authentication (2FA) allows you to protect your TU-ID even more securely. This page explains why it is important and how you can use it.

User groups

The service is available to all members of TU Darmstadt and to all guests with a TU-ID.

Additional protection through two-factor authentication

To log in to TU Darmstadt systems, you typically use your TU-ID and the corresponding password.

Unfortunately, these login credentials are repeatedly stolen through convincingly forged emails and websites — a method known as phishing. You can learn more about this on the Infosec website.

To make it harder for attackers to gain access, the use of two-factor authentication has proven to be effective. In addition to the user's password, a second security factor is required — for example, a short numerical code or a physical security key.

The University Computing Centre enables you to secure your TU-ID with a second factor. Certain applications may require the use of such a second factor.

You can find detailed instructions on setting up and using these second factors (tokens) in the FAQ section further down this page.

A step-by-step guide (German only) is available for the initial setup of 2FA on your account using an authenticator app.

In addition, we have compiled guidance for installing and performing the initial configuration of KeePassXC (German only).

FAQ

Two-factor authentication (2FA) is available for all TU-IDs and TU-TechIDs. You can register via the 2FA administration portal and secure your account right away.

Even TU-IDs in the follow-up period are supported.

  • In addition to an active TU-ID, you will need a device that generates one-time passwords. This can either be a dedicated device (hardware token) or software installed on a PC, smartphone, or similar device (software token). A software token can be used on both work and personal devices. Such software is available for all major operating systems — for example, the Privacy Identity Authenticator for Android and iOS, or KeePassXC for Windows. Instructions for setting up KeePassXC can be found on the right under Links and Downloads.
  • To log in to the SSO, you need an Internet connection.

You can enable basic protection for your TU-ID at any time by registering a second factor yourself.

Please follow these steps:

  1. Visit the website of the 2FA administration.
  2. Log in to the system with your account name and password.
  3. First, a so-called TAN token is created for you. This is used as backup access to the 2FA administration.
  4. Afterwards, click on “Roll out token” on the left.
  5. You can either roll out a TOTP (software) or Webauthn (hardware) token.

There are also detailed step-by-step instructions (German only) with screenshots for this process.

Once activated, the second factor will be required for every login to the login server. This significantly increases the security of your account and makes it much harder for attackers to gain access. It also helps you become familiar with using the second factor in everyday use.

With normal usage, you will typically log in around once or twice per day.

A token is a security component and offers the technical possibility of proving your own identity (TU-ID) with a second factor.

A token is available in both software and hardware versions.

You can assign multiple tokens to your account.

For security reasons, services offered at TU Darmstadt may require users to authenticate with a specific type of token. This approach is similar to what is already common in online banking, where specific tokens are required for access.

  • TOTP – Time-based one-time password
    A regularly changing sequence of numbers based on a secret shared between the server and the client. Users can register this themselves via the 2FA administration.
  • HOTP – HMAC-based one-time password
    Similar to TOTP, but based on a counter rather than the current time. This makes it easier to implement in hardware devices.
  • WebAuthn
    A modern method for implementing second factors, supported natively by many operating systems. It often allows the use of built-in biometric features, such as fingerprint or facial recognition. Hardware implementations are also available. However, this protocol is optimised for web authentication and is only partially compatible with login methods such as RADIUS or LDAP, commonly used for server access.
  • TAN
    As a backup access method for the 2FA administration, a TAN token is created when you first register. These one-time codes are only valid for logging into the 2FA administration and serve as a fallback in case your other tokens are lost.

Depending on the security level, tokens are classified into different levels. A token is always valid for the lower levels as well.

Connected applications may require tokens of a specific level.

  • Level 1 “basic”: Self-registered software tokens
    The TOTP method is currently supported.
  • Level 2 “medium”: Self-registered hardware tokens
    The WebAuthn method is currently supported.
  • Level 3 “high”: A hardware token assigned by the HRZ after identification of the person. Currently, the TOTP, HOTP and WebAuthn methods are supported.

Currently, the HRZ does not issue hardware tokens. However, the HRZ has tested several hardware tokens, and you can find our experiences in the following FAQ entry.

If you wish to secure your account with a hardware token, you will need to obtain one independently. You can link these hardware tokens to your account through the 2FA administration portal.

For certain high-security applications, it may be necessary for the HRZ to confirm the assignment of a token to your account. In such cases, please contact .

Choosing the right hardware token largely depends on your specific requirements. We have tested several tokens available on the market and would like to share our experiences here.

I only use 2FA for TU Darmstadt services, mainly for SSO.

This scenario primarily applies to administrative staff, for example, who only need to use their second factor occasionally. As such, manual entry of the second factor is acceptable.

In this case, we recommend a TOTP token with a display. This type of token requires no hardware modification and can also be used on the go.

For example, we have successfully tested the Token2 C302-i (from approx. €22) and the Feitian i34 C200 TOTP (from approx. €13).

I also use 2FA with external services (e.g. github) or more frequently.

This scenario primarily applies to administrators or developers, for example.

External services are increasingly adopting WebAuthn/Passkeys, so a token with this feature is recommended in such cases. The disadvantage is that these tokens need to be connected to the end device. Therefore, you must choose a token compatible with your device (USB-A, USB-C, NFC). Additionally, your working environment may need to be adjusted (for instance, a USB extension and/or a lanyard/keyring may be helpful in some situations).

However, WebAuthn is not supported by all services (e.g. VPN), meaning the token must also support TOTP or HOTP.

For example, we have successfully tested the Token2 PIN+ Release2 series (from approx. €23) and YubiKey 5 series (from approx. €60). Both are also available in a USB-C version, among other options.

I already have a token, or none of the above recommendations suit my needs.

In principle, all tokens that support WebAuthn and either TOTP or HOTP are compatible with our implementation. We do not recommend pure WebAuthn tokens, as it would not be possible to log in to services connected via LDAP, for instance. We have gained experience with models beyond those mentioned. Please feel free to contact us.

If you have chosen a hardware token, you can register it in the system yourself.

To do this, you will need a supported hardware token, which we assume supports both WebAuthn and HOTP, in line with our recommendation.

You will also need a manufacturer-specific application to configure the HOTP functionality, such as the Yubikey Manager or the TOKEN2 T2F2 Companion app. Please consult the manufacturer of your hardware token for instructions on how to configure it.

  • First, activate 2FA on your account according to the instructions above.
  • After that, it is recommended to roll out the hardware token with WebAuthn.
  • If you are using this token on a website for the first time, you will also need to set a PIN. This is required, for instance, when registering on certain websites.
  • Next, roll out a HOTP token. After entering the description, you will receive a private key.
  • Using the manufacturer-specific application, you can configure your hardware token with this private key.
  • If successful, you must confirm the configuration by entering the OTP. This is typically done by touching the hardware token. Depending on the configuration, you may also need to touch the token for a longer period (approximately 5 seconds).

Currently, the second factor is requested after registration for all login processes at TU Darmstadt Single Sign-On (SSO).

This automatically protects all services connected to the SSO, e.g. Gitlab, the IDM portal or SAP Fiori.

For some applications (Jabber, VPN, Radius), authentication is only possible with TOTP or HOTP. If only other tokens are available, the login fails.

Services that are connected to the Active Directory (e.g. computer login and Exchange/Outlook) do not currently check the second factor. The same applies to Microsoft 365.

Yes, you can also secure your TU-TechID with a second factor.

Please note that a token can only be assigned to one account.

If you have multiple tokens, the description determines their order. The token that comes first in alphabetical order will be selected by default.

You can change the description at any time in the 2FA administration to adjust the preselection.

For example, you can add “01” at the beginning of the description of the desired token.

If a HOTP or TOTP token no longer works, even though it previously functioned without issue, one possible reason is that the shared information between the server and token is no longer in sync.

In addition to the private key, the server and token must align on the current status. For TOTP tokens, this is the current time, while for HOTP tokens, it is the number of uses.

Although there is some leeway, if the clock on the TOTP token is faulty or the HOTP token has been activated too frequently between authentications, it’s possible that these states no longer match sufficiently.

To resolve this, you will need to resynchronise the token. Please follow these steps:

  • Log in to the 2FA administration. If necessary, use one of your recovery codes.
  • Select the faulty token.
  • Enter two consecutive OTP values in the fields next to the “Resynchronise token” button. For TOTP tokens, you may need to wait a few seconds until the next value is displayed.
  • Click “Resynchronise token.”
  • If the process is successful, you will see the message “Token was successfully resynchronised.” Your token should now work again.

It’s possible to lose your token. A hardware token could be lost or damaged, for instance, while a software token may be lost if the device is lost or the operating system is reset.

In such cases, you can log in to the 2FA administration using the recovery code you created during registration and remove the old token.

You can also register a new token from there.

If 2FA has been activated for an account, it cannot currently be deactivated by users.

If you wish to completely deactivate 2FA on your account, please contact .

As part of the deactivation process, we will verify your identity using an ID document to ensure the security of your account.

If your service is connected via SSO, it already benefits from the 2FA implementation. All users who have activated 2FA will be prompted for the second factor each time they log in.

It is also possible to restrict access to your service to users with a second factor. You can also specify, for example, whether all types of tokens are permitted or only hardware-based tokens. This configuration is best carried out in close consultation with us. Please feel free to contact .

If you have another token, you can independently generate new recovery codes in the 2FA administration.

However, if you no longer have access to a token, 2FA must be deactivated for your account.

You can find information about deactivation in the section “How do I deactivate 2FA for my account?”.