Two-factor authentication (2FA)
Instructions

Setting up two-factor authentication

The HRZ offers two-factor authentication (2FA) as an additional security measure for your TU ID by combining a password with a second security feature (token). On this page, you will find instructions on how to set up and use 2FA.

Please note: Complete all steps carefully and without interruption. After completing step 1, please allow approximately 30 minutes for the process to complete.

We recommend setting up at least two tokens. The optimal setup is a TOTP on your mobile phone, along with a TOTP in your password manager.
As an alternative, you can use a hardware token as a second factor, especially if you prefer not to rely on a mobile phone. This setup helps ensure secure access even if one token is lost or becomes unavailable.

For employees with managed computers, a second token that is independent of the computer is mandatory in order to continue logging in via ‘VPN before log-in’. Important: If you decide to use a hardware token, you must activate a TOTP or HOTP token with it. WebAuthn can also be registered, but should not be used on its own, as WebAuthn is not yet available for VPN dial-in (see instructions below).

To successfully set up 2FA, you need at least one of the following devices:

  • Mobile phone with an authenticator app installed, e.g. privacyIDEA Authenticator or Google Authenticator.
    Note: Private mobile phones may also be used for this purpose.
  • Computer with a password manager installed, e.g. KeePassXC or KeePass
    Note: If you have not yet installed a password manager and decide to use KeePassXC, please follow the installation and usage instructions (opens in new tab) in chapters 1 to 3.2.
  • Hardware token (physical device for two-factor authentication)

Two-factor authentication (2FA) is activated in the 2FA management section of the IDM portal.

Instructions for activating 2FA in the IDM portal (opens in new tab)

You can also see how to activate it in the explanatory video 2FA with smartphone via Authenticator app (4:08 min). The video is in German with English subtitles.

After enabling two-factor authentication (2FA), you must set up at least one token. It is recommended that you configure two tokens so that you can still access your account if you lose your device or switch to a new one. To do this, follow the instructions for the option you choose.

Use a smartphone with an authenticator app, such as privacyIDEA Authenticator or Google Authenticator. You must install this app on your mobile phone. Private mobile phones may also be used for this purpose.

The app continuously generates time-based one-time passwords (TOTP), which you enter in addition to your password when logging in.

Instructions for using the authenticator app (opens in new tab)

You can also see how to set it up in our video 2FA with smartphone via Authenticator app (4:05 min). The video is in German with English subtitles.

Use a computer with a password manager already set up, such as KeePassXC or KeePass. The software continuously generates time-based one-time passwords (TOTP), which you can enter in addition to your password when logging in or have entered automatically.

Instructions for installing and using the KeePassXC password manager (opens in new tab)
Note: Chapter 3.4 describes two-factor authentication (2FA) with KeePassXC, while Chapter 4.1 explains the auto-type function and the extension for 2FA to simplify the login process.

A hardware token is a physical device for two-factor authentication that provides an additional security factor during login. It generates unique codes to clearly confirm the identity of the user.

First, decide on a hardware token. In principle, all tokens that support WebAuthn and either TOTP or HOTP are compatible, although TOTP or HOTP must be available for VPN dial-in. In our FAQ, you will find information about the hardware tokens tested by the HRZ (question ‘Which hardware tokens were tested by the HRZ?’).

You will also need a manufacturer-specific application to configure the HOTP functionality, such as the Yubico Authenticator or the TOKEN2 T2F2 Companion app. Please consult the manufacturer of your hardware token for instructions on how to configure it.

  • After that, it is recommended to roll out the hardware token with WebAuthn.
  • If you are using this token on a website for the first time, you will also need to set a PIN. This is required, for instance, when registering on certain websites.
  • Next, roll out a HOTP token. After entering the description, you will receive a private key.
    Important note: If you use VPN dial-in, you must set up a TOTP or HOTP token in addition to the WebAuthn token. This feature is not yet supported with the WebAuthn token.
  • Using the manufacturer-specific application, you can configure your hardware token with this private key.
  • If successful, you must confirm the configuration by entering the OTP. This is typically done by touching the hardware token. Depending on the configuration, you may also need to touch the token for a longer period (approximately 5 seconds).

A WebAuthn token can be rolled out and used, for example in conjunction with Windows Hello. This allows the second factor to be conveniently used via fingerprint or facial recognition. Instructions on how to do this will be provided in the coming weeks.

Login with 2FA

After setting up a token, you must always provide the second factor when logging in.

Instructions for logging in to a service with 2FA (opens in new tab)

FAQ

Two-factor authentication (2FA) is available for all TU-IDs and TU-TechIDs. You can register via the 2FA administration portal and secure your account right away.

Even TU-IDs in the follow-up period are supported.

Instructions for setting up 2FA can be found on the website Setting up two-factor authentication.

  • In addition to an active TU-ID, you will need a device that generates one-time passwords. This can either be a dedicated device (hardware token) or software installed on a PC, smartphone, or similar device (software token). A software token can be used on both work and personal devices. Such software is available for all major operating systems — for example, the Privacy Identity Authenticator for Android and iOS, or KeePassXC for Windows.
  • Instructions for setting up 2FA can be found on the website Setting up two-factor authentication.
  • To log in to the SSO, you need an Internet connection.

You can enable basic protection for your TU-ID at any time by registering a second factor yourself.

Instructions for setting up 2FA can be found on the website Setting up two-factor authentication.

Once activated, the second factor will be required for every login to the login server. This significantly increases the security of your account and makes it much harder for attackers to gain access. It also helps you become familiar with using the second factor in everyday use.

With normal usage, you will typically log in around once or twice per day.

A token is a security component and offers the technical possibility of proving your own identity (TU-ID) with a second factor.

A token is available in both software and hardware versions.

You can assign multiple tokens to your account.

For security reasons, services offered at TU Darmstadt may require users to authenticate with a specific type of token. This approach is similar to what is already common in online banking, where specific tokens are required for access.

  • TOTP – Time-based one-time password
    A regularly changing sequence of numbers based on a secret shared between the server and the client. Users can register this themselves via the 2FA administration.
  • HOTP – HMAC-based one-time password
    Similar to TOTP, but based on a counter rather than the current time. This makes it easier to implement in hardware devices.
  • WebAuthn
    A modern method for implementing second factors, supported natively by many operating systems. It often allows the use of built-in biometric features, such as fingerprint or facial recognition. Hardware implementations are also available. However, this protocol is optimised for web authentication and is only partially compatible with login methods such as RADIUS or LDAP, commonly used for server access.
  • TAN
    As a backup access method for the 2FA administration, a TAN token is created when you first register. These one-time codes are only valid for logging into the 2FA administration and serve as a fallback in case your other tokens are lost.

Depending on the security level, tokens are classified into different levels. A token is always valid for the lower levels as well.

Connected applications may require tokens of a specific level.

  • Level 1 “basic”: Self-registered software tokens
    The TOTP method is currently supported.
  • Level 2 “medium”: Self-registered hardware tokens
    The WebAuthn method is currently supported.
  • Level 3 “high”: A hardware token assigned by the HRZ after identification of the person.
    Currently, the TOTP, HOTP and WebAuthn methods are supported.

Currently, the HRZ does not issue hardware tokens. However, the HRZ has tested several hardware tokens, and you can find our experiences in the following FAQ entry.

If you wish to secure your account with a hardware token, you will need to obtain one independently. You can link these hardware tokens to your account through the 2FA administration portal.

For certain high-security applications, it may be necessary for the HRZ to confirm the assignment of a token to your account. In such cases, please contact .

Choosing the right hardware token largely depends on your specific requirements. We have tested several tokens available on the market and would like to share our experiences here.

I only use 2FA for TU Darmstadt services, mainly for SSO.

This scenario primarily applies to administrative staff, for example, who only need to use their second factor occasionally. As such, manual entry of the second factor is acceptable.

In this case, we recommend a TOTP token with a display. This type of token requires no hardware modification and can also be used on the go.

For example, we have successfully tested the Token2 C302-i (from approx. 22€) and the Feitian i34 C200 TOTP (from approx. 13€).

I also use 2FA with external services (e.g. GitHub) or more frequently.

This scenario primarily applies to administrators or developers, for example.

External services are increasingly adopting WebAuthn/Passkeys, so a token with this feature is recommended in such cases. The disadvantage is that these tokens need to be connected to the end device. Therefore, you must choose a token compatible with your device (USB-A, USB-C, NFC). Additionally, your working environment may need to be adjusted (for instance, a USB extension and/or a lanyard/keyring may be helpful in some situations).

However, WebAuthn is not supported by all services (e.g. VPN), meaning the token must also support TOTP or HOTP.

For example, we have successfully tested the Token2 PIN+ Release2 series (from approx. €23) and YubiKey 5 series (from approx. €60). Both are also available in a USB-C version, among other options.

I already have a token, or none of the above recommendations suit my needs.

In principle, all tokens that support WebAuthn and either TOTP or HOTP are compatible with our implementation. We do not recommend pure WebAuthn tokens, as it would not be possible to log in to services connected via LDAP, for instance. We have gained experience with models beyond those mentioned. Please feel free to contact us.

If you have chosen a hardware token, you can register it in the system yourself.

To do this, you will need a supported hardware token, which we assume supports both WebAuthn and HOTP, in line with our recommendation.

You will also need a manufacturer-specific application to configure the HOTP functionality, such as the Yubico Authenticator or the TOKEN2 T2F2 Companion app. Please consult the manufacturer of your hardware token for instructions on how to configure it.

  • First, activate 2FA on your account according to the instructions above.
  • After that, it is recommended to roll out the hardware token with WebAuthn.
  • If you are using this token on a website for the first time, you will also need to set a PIN. This is required, for instance, when registering on certain websites.
  • Next, roll out a HOTP token. After entering the description, you will receive a private key.
  • Using the manufacturer-specific application, you can configure your hardware token with this private key.
  • If successful, you must confirm the configuration by entering the OTP. This is typically done by touching the hardware token. Depending on the configuration, you may also need to touch the token for a longer period (approximately 5 seconds).

Currently, the second factor is requested after registration for all login processes at TU Darmstadt Single Sign-On (SSO).

This automatically protects all services connected to the SSO, e.g. GitLab, the IDM portal or SAP Fiori.

For some applications (Jabber, VPN, RADIUS), authentication is only possible with TOTP or HOTP. If only other tokens are available, the login fails.

Services that are connected to the Active Directory (e.g. computer login and Exchange/Outlook) do not currently check the second factor. The same applies to Microsoft 365.

Yes, you can also secure your TU-TechID with a second factor.

Please note that a token can only be assigned to one account.

If you have multiple tokens, the description determines their order. The token that comes first in alphabetical order will be selected by default.

You can change the description at any time in the 2FA administration to adjust the preselection.

For example, you can add “01” at the beginning of the description of the desired token.

If a HOTP or TOTP token no longer works, even though it previously functioned without issue, one possible reason is that the shared information between the server and token is no longer in sync.

In addition to the shared secret (the private key), the server and token must agree on the current state. For TOTP tokens, this state is the current time; for HOTP tokens, it is the number of times the token has been used.

Although there is some leeway, if the clock on the TOTP token is faulty or the HOTP token has been activated too frequently between authentications, it’s possible that these states no longer match sufficiently.

To resolve this, you will need to resynchronise the token. Please follow these steps:

  • Log in to the 2FA administration. If necessary, use one of your recovery codes.
  • Select the faulty token.
  • Enter two consecutive OTP values in the fields next to the “Resynchronise token” button. For TOTP tokens, you may need to wait a few seconds until the next value is displayed.
  • Click “Resynchronise token.”
  • If the process is successful, you will see the message “Token was successfully resynchronised.” Your token should now work again.

It’s possible to lose your token. A hardware token could be lost or damaged, for instance, while a software token may be lost if the device is lost or the operating system is reset.

In such cases, you can log in to the 2FA administration using the recovery code you created during registration and remove the old token.

You can also register a new token from there.

If 2FA has been activated for an account, it cannot currently be deactivated by users.

If you wish to completely deactivate 2FA on your account, please contact .

As part of the deactivation process, we will verify your identity using an ID document to ensure the security of your account.

If your service is connected via SSO, it already benefits from the 2FA implementation. All users who have activated 2FA will be prompted for the second factor each time they log in.

It is also possible to restrict access to your service to users with a second factor. You can also specify, for example, whether all types of tokens are permitted or only hardware-based tokens. This configuration is best carried out in close consultation with us. Please feel free to contact .

If you have another token, you can independently generate new recovery codes in the 2FA administration.

However, if you no longer have access to a token, 2FA must be deactivated for your account.

You can find information about deactivation in the section “How do I deactivate 2FA for my account?”.