Two-factor authentication (2FA)
Instructions

Setting up two-factor authentication

The HRZ offers two-factor authentication (2FA) as an additional security measure for your TU ID by combining a password with a second security feature (token). On this page, you will find instructions on how to set up and use 2FA.

Please note: Complete all steps carefully and without interruption. After checking the requirements, please allow approximately 30 minutes for the process to complete.

We strongly recommend setting up at least two tokens. The optimal setup is a TOTP on your mobile phone, along with a TOTP in your password manager.
As an alternative, you can use a hardware token as a second factor, especially if you prefer not to rely on a mobile phone. This setup helps ensure secure access even if one token is lost or becomes unavailable.

Important note for Cisco Jabber users: Please note that a TOTP or HOTP token is required for use, as Cisco Jabber does not support WebAuthn.

For employees with managed computers, a second token that is independent of the computer is mandatory in order to continue logging in via ‘VPN before log-in’. Important: If you decide to use a hardware token, you must activate a TOTP or HOTP token with it. WebAuthn can also be registered, but should not be used on its own, as WebAuthn is not yet available for VPN dial-in (see instructions below).

To successfully set up 2FA, you need at least one of the following devices:

  • Mobile phone with an authenticator app installed, e.g. privacyIDEA Authenticator or Google Authenticator. Alternatively, you can also use the TUDa app.
    Note: Private mobile phones may also be used for this purpose.
  • Computer with a password manager installed, e.g. KeePassXC or KeePass, or another authenticator application, e.g. 2fast for Windows systems.
  • Hardware token (physical device for two-factor authentication)

The Nitro Key is currently incompatible and is therefore not recommended.

Instructional video

Step by step: From activation in the IDM portal to use with an authenticator app on your mobile phone (8:08 min)

Two-factor authentication (2FA) is activated in the 2FA management section of the IDM portal (Identity management portal: the central platform where you can manage your TU ID).

Instructions for activating 2FA in the IDM portal (opens in new tab)

You can also see how to activate it in the explanatory video 2FA with smartphone via Authenticator app (4:08 min). The video is in German with English subtitles.

After enabling two-factor authentication (2FA), you must set up at least one token. A token is an additional security measure, such as an authenticator app or a hardware device that generates one-time codes for logging in. It is recommended that you configure two tokens so that you can still access your account if you lose your device or switch to a new one. To do this, follow the instructions for the option you choose.

Use a smartphone with an authenticator app, such as privacyIDEA Authenticator or Google Authenticator. You must install this app on your mobile phone. Alternatively, you can also use the TUDa app. Private mobile phones may also be used for this purpose.

The app continuously generates time-based one-time passwords (TOTP), which you enter in addition to your password when logging in.

Instructions for using the authenticator app (opens in new tab)

You can also see how to set it up in our video 2FA with smartphone via Authenticator app (4:05 min). The video is in German with English subtitles.

Using the TUDa app

If you have installed the TUDa app on your mobile phone, you can generate one-time passwords (TOTP) directly there. Open the ‘My TUDa’ menu in the app, select ‘One-Time Password’ and scan the QR code from the 2FA administration.

Use a computer with a password manager already set up, such as KeePassXC or KeePass. The software continuously generates time-based one-time passwords (TOTP), which you can enter in addition to your password when logging in or have entered automatically.

Instructions for installing and using the KeePassXC password manager (opens in new tab)
Note: Chapter 3.4 describes two-factor authentication (2FA) with KeePassXC, while Chapter 4.1 explains the auto-type function and the extension for 2FA to simplify the login process.

A hardware token is a physical device for two-factor authentication that provides an additional security factor during login. It generates unique codes to clearly confirm the identity of the user.

First, decide on a hardware token. In principle, all tokens that support WebAuthn and either TOTP or HOTP are compatible, although TOTP or HOTP must be available for VPN dial-in.

Recommendation: We recommend a TOTP token with a display. This does not require any additional hardware adjustments and can also be used on mobile devices.

We have tested the following models successfully:

  • Token2 C302-i (from approx. 22€)
  • Feitian i34 C200 TOTP (from approx. 13€)
    Please note: You cannot set up this token yourself; you will need assistance from the HRZ. Further information on the procedure will be available here shortly.

In our FAQ, you will find information about the hardware tokens tested by the HRZ (question ‘Which hardware tokens were tested by the HRZ?’).

You will also need a manufacturer-specific application to configure the HOTP functionality, such as the Yubico Authenticator or the TOKEN2 T2F2 Companion app. Please consult the manufacturer of your hardware token for instructions on how to configure it.

  • After that, it is recommended to roll out the hardware token with WebAuthn.
  • If you are using this token on a website for the first time, you will also need to set a PIN. This is required, for instance, when registering on certain websites.
  • Next, roll out a HOTP token. After entering the description, you will receive a private key.
    Important note: If you use Cisco Jabber or VPN dial-in, you must set up a TOTP or HOTP token in addition to the WebAuth token. These features are not yet supported with the WebAuth token.
  • Using the manufacturer-specific application, you can configure your hardware token with this private key.
  • If successful, you must confirm the configuration by entering the OTP. This is typically done by touching the hardware token. Depending on the configuration, you may also need to touch the token for a longer period (approximately 5 seconds).

Prerequisite: Windows Hello must be enabled and set up on the computer (Configuring Windows Hello (opens in new tab)).

  • Create a new token in the 2FA management. To do this, click “Roll out token” in the menu.
  • Select “WebAuthn”.
  • Enter a description for the token.
  • A Windows Security window will be opened automatically.
    • Choose where the key should be stored: “Your Windows device”.
    • Windows Security will then prompt for confirmation via Windows Hello.
  • In the 2FA management window, you will receive a message indicating that the token has been successfully rolled out.

2fast – Two Factor Authenticator is an application for generating time-based one-time passwords (TOTP). The application runs on Windows systems and generates the time-dependent codes that are requested in addition to the password when two-factor authentication is activated. For computers managed by the HRZ, the software is available in the software repository.

Instructions 2fast – Two Factor Authenticator (opens in new tab)

Note: In addition to 2fast, there are numerous other authenticator solutions with comparable functionality.

Login with 2FA

After setting up a token, you must always provide the second factor when logging in.

Instructions for logging in to a service with 2FA (opens in new tab)

FAQ

General Questions

Two-factor authentication (2FA) is available for all TU-IDs and TU-TechIDs. You can register via the 2FA administration portal and secure your account right away.

Even TU-IDs in the follow-up period are supported.

Instructions for setting up 2FA can be found on the website Setting up two-factor authentication.

Yes, you can also secure your TU-TechID with a second factor.

Please note that a token can only be assigned to one account.

  • In addition to an active TU-ID, you will need a device that generates one-time passwords. This can either be a dedicated device (hardware token) or software installed on a PC, smartphone, or similar device (software token). A software token can be used on both work and personal devices. Such software is available for all major operating systems — for example, the Privacy Identity Authenticator for Android and iOS, or KeePassXC for Windows.
  • Instructions for setting up 2FA can be found on the website Setting up two-factor authentication.
  • To log in to the SSO, you need an Internet connection.

Once activated, the second factor will be required for every login to the login server. This significantly increases the security of your account and makes it much harder for attackers to gain access. It also helps you become familiar with using the second factor in everyday use.

With normal usage, you will typically log in around once or twice per day.

You can enable basic protection for your TU-ID at any time by registering a second factor yourself.

Instructions for setting up 2FA can be found on the website Setting up two-factor authentication.

There is no general answer to this question, as it depends on your personal skills and circumstances. If you already use a password manager and have a mobile phone with an authenticator app installed, setup will take approximately 5–10 minutes. If this is not the case, you should allow approximately 30 minutes for setup.

Yes, it is recommended to activate two independent 2FA tokens. The best combination is an app on your mobile phone and a token stored in your password manager. A hardware token is not usually necessary, but can serve as an alternative to a mobile phone if no work mobile phone is available or you do not want to use your private mobile phone.

No, but a private smartphone may be used (which suits many users for reasons of convenience). Those who do not want to do so and do not have a work phone can obtain a hardware token. Procurement is carried out as for all work equipment.

If you have another token, you can independently generate new recovery codes in the 2FA administration.

However, if you no longer have access to a token, 2FA must be deactivated for your account.

You can find information about deactivation in the section “How do I deactivate 2FA for my account?”.

If 2FA has been activated for an account, it cannot currently be deactivated by users.

If you wish to completely deactivate 2FA on your account, please contact .

As part of the deactivation process, we will verify your identity using an ID document to ensure the security of your account.

Under certain circumstances, you may then no longer be able to log in to the services of TU Darmstadt. For this reason, it is always recommended that you set up at least one additional independent factor. It is also possible to register as many tokens as you wish.

Token

A token is a security component and offers the technical possibility of proving your own identity (TU-ID) with a second factor.

A token is available in both software and hardware versions.

You can assign multiple tokens to your account.

For security reasons, services offered at TU Darmstadt may require users to authenticate with a specific type of token. This approach is similar to what is already common in online banking, where specific tokens are required for access.

Depending on the security level, tokens are classified into different levels. A token is always valid for the lower levels as well.

Connected applications may require tokens of a specific level.

  • Level 1 “basic”: Self-registered software tokens
    The TOTP method is currently supported.
  • Level 2 “medium”: Self-registered hardware tokens The WebAuthn method is currently supported.
  • Level 3 “high”: A hardware token assigned by the HRZ after identification of the person. Currently, the TOTP, HTOP and WebAuthn methods are supported.

This depends on the security requirements of the respective services and the data they handle, and is determined by the individual service providers.

The token levels are a preparatory measure for future developments. At present, there is no requirement to use a higher token level for general services.

  • TOTP – Time-based one-time password
    A regularly changing sequence of numbers based on a secret shared between the server and the client. Users can register this themselves via the 2FA administration.
  • HOTP – HMAC-based one-time password
    Similar to TOTP, but based on a counter rather than the current time. This makes it easier to implement in hardware devices.
  • WebAuthn
    A modern method for implementing second factors, supported natively by many operating systems. It often allows the use of built-in biometric features, such as fingerprint or facial recognition. Hardware implementations are also available. However, this protocol is optimised for web authentication and is only partially compatible with login methods such as RADIUS or LDAP, commonly used for server access.
  • TAN
    As a backup access method for the 2FA administration, a TAN token is created when you first register. These one-time codes are only valid for logging into the 2FA administration and serve as a fallback in case your other tokens are lost.

Currently, the HRZ does not issue hardware tokens. However, the HRZ has tested several hardware tokens, and you can find our experiences in the following FAQ entry.

If you wish to secure your account with a hardware token, you will need to obtain one independently. You can link these hardware tokens to your account through the 2FA administration portal.

For certain high-security applications, it may be necessary for the HRZ to confirm the assignment of a token to your account. In such cases, please contact .

Choosing the right hardware token largely depends on your specific requirements. We have tested several tokens available on the market and would like to share our experiences here.


I only use 2FA for TU Darmstadt services, mainly for SSO

This scenario primarily applies to administrative staff, for example, who only need to use their second factor occasionally. As such, manual entry of the second factor is acceptable.

In this case, we recommend a TOTP token with a display. This type of token requires no hardware modification and can also be used on the go.


We have tested the following models successfully:

  • Token2 C302-i (from approx. 22€)
  • Feitian i34 C200 TOTP (from approx. 13€)
    Please note: You cannot set up this token yourself; you will need assistance from the HRZ. Further information on the procedure will be available here shortly.


I also use 2FA with external services (e.g. github) or more frequently

This scenario primarily applies to administrators or developers, for example.

External services are increasingly adopting WebAuthn/Passkeys, so a token with this feature is recommended in such cases. The disadvantage is that these tokens need to be connected to the end device. Therefore, you must choose a token compatible with your device (USB-A, USB-C, NFC). Additionally, your working environment may need to be adjusted (for instance, a USB extension and/or a lanyard/keyring may be helpful in some situations).

However, WebAuthn is not supported by all services (e.g. VPN), meaning the token must also support TOTP or HOTP.


We have tested the following models successfully. Both are also available in a USB-C version, among other options:


I already have a token, or none of the above recommendations suit my needs.

In principle, all tokens that support WebAuthn and either TOTP or HOTP are compatible with our implementation. We do not recommend pure WebAuthn tokens, as it would not be possible to log in to services connected via LDAP, for instance. We have gained experience with models beyond those mentioned. Please feel free to contact us.

If you have chosen a hardware token, you can register it in the system yourself.

To do this, you will need a supported hardware token, which we assume supports both WebAuthn and HOTP, in line with our recommendation.

You will also need a manufacturer-specific application to configure the HOTP functionality, such as the Yubico Authenticator or the TOKEN2 T2F2 Companion app. Please consult the manufacturer of your hardware token for instructions on how to configure it.

  • First, activate 2FA on your account according to the instructions above.
  • After that, it is recommended to roll out the hardware token with WebAuthn.
  • If you are using this token on a website for the first time, you will also need to set a PIN. This is required, for instance, when registering on certain websites.
  • Next, roll out a HOTP token. After entering the description, you will receive a private key.
  • Using the manufacturer-specific application, you can configure your hardware token with this private key.
  • If successful, you must confirm the configuration by entering the OTP. This is typically done by touching the hardware token. Depending on the configuration, you may also need to touch the token for a longer period (approximately 5 seconds).

You can influence the preselection by adjusting the description of a token in the 2FA management. For example, add ‘000 ’ to the beginning of the description of the desired token so that it appears at the top of the list and is selected as the default.

A wide range of common methods is supported. Users can choose the method that best suits their preferences and may also combine multiple methods as they wish.

In the future, Passkeys will also be supported, but there is no concrete roadmap for this yet.

Services

Currently, the second factor is requested after registration for all login processes at TU Darmstadt Single Sign-On (SSO).

This automatically protects all services connected to the SSO, e.g. Gitlab, the IDM portal or SAP Fiori.

For some applications (Jabber, VPN, Radius), authentication is only possible with TOTP or HOTP. If only other tokens are available, the login fails.

Services that are connected to the Active Directory (e.g. computer login and Exchange/Outlook) do not currently check the second factor. The same applies to Microsoft 365.

TUCaN is not yet connected to the central SSO procedure. The original plan was to connect TUCaN to the SSO of TU Darmstadt as part of an update to the web portal in November 2025. Due to a delay, the connection is not expected to take place until February 2026. Once connected, you will be able to use the second factor set up in the IDM portal to log in to TUCaN as well.

Yes. The central VPN access (Cisco AnyConnect) will also be secured with two-factor authentication (2FA). No further action is required from users. The 2FA protection will be activated in the new year. The 2FA tokens already registered for your TU-ID will then automatically apply to the VPN access as well.

We are currently evaluating possible implementation options. The IMAP protocol does not technically support two-factor authentication (2FA).

It is likely that a solution based on device-specific passwords will be introduced, similar to the approach used by many commercial email providers. Further information will be provided once the implementation plan has been finalised.

If your service is connected via SSO, it already benefits from the 2FA implementation. All users who have activated 2FA will be prompted for the second factor each time they log in.

It is also possible to restrict access to your service to users with a second factor. You can also specify, for example, whether all types of tokens are permitted or only hardware-based tokens. This configuration is best carried out in close consultation with us. Please feel free to contact .

Further questions

If a HOTP or TOTP token no longer works, even though it previously functioned without issue, one possible reason is that the shared information between the server and token is no longer in sync.

In addition to the private key, the server and token must align on the current status. For TOTP tokens, this is the current time, while for HOTP tokens, it is the number of uses.

Although there is some leeway, if the clock on the TOTP token is faulty or the HOTP token has been activated too frequently between authentications, it’s possible that these states no longer match sufficiently.

To resolve this, you will need to resynchronise the token. Please follow these steps:

  • Log in to the 2FA administration. If necessary, use one of your recovery codes.
  • Select the faulty token.
  • Enter two consecutive OTP values in the fields next to the “Resynchronise token” button. For TOTP tokens, you may need to wait a few seconds until the next value is displayed.
  • Click “Resynchronise token.”
  • If the process is successful, you will see the message “Token was successfully resynchronised.” Your token should now work again.

It’s possible to lose your token. A hardware token could be lost or damaged, for instance, while a software token may be lost if the device is lost or the operating system is reset.

In such cases, you can log in to the 2FA administration using the recovery code you created during registration and remove the old token.

You can also register a new token from there.

No, SSH may continue to be used without 2FA in the future. The public key cryptography used here already ensures that two factors are used for security.

Public systems that do not require authentication also do not require 2FA. If the app tokens are only there for rate limiting, this is unnecessary.

M2M communication is not affected by 2FA. 2FA serves to secure user accounts.

The Nitro Key is currently incompatible and therefore not recommended.

No, that does not meet the definition of two-factor authentication (2FA). The second factor must be uniquely linked to an individual and cannot be only temporarily assigned.

However, it is acceptable that services restricted to access from within the TU Darmstadt network do not require 2FA. This is because access to the TU Darmstadt network itself is generally secured by 2FA or comparable measures (such as device-specific WLAN passwords).

No. The timeout is independent of two-factor authentication (2FA) and is based on other technical and security considerations.

The use of personal devices (such as smartphones) to generate one-time codes for 2FA login is generally permitted.


Students who take electronic examinations (E-Exams) either in the PC pools at TU Darmstadt or on their own devices are requested to have at least one TOTP token available on a second device (e.g. smartphone or hardware token). This token is required to log in before the start of the exam.


If your own token fails during the exam, replacement access is available so that you can continue to participate in the exam.


Further information can be found under Required Credentials on the website of the Center for Educational Development and Technology (HDA).