16 October 2023 - IT SecurityIntroduction to Multi-factor Authentication (MFA)
A huge step for security: Heidelberg University is introducing Multi-factor authentication (MFA) as the standard login procedure for certain services. Login processes with multiple factors, such as those seen in online banking, make a significant contribution to increasing the security of accounts and data of its users. The first step will be connecting the virtual private network (VPN) to the central MFA service.
Multi-factor authentication (MFA) is a method by which users identify themselves with another factor in addition to entering a password when logging into an account or a service. The centralized service for employees and students enables a secure login process for the connected university services and thus greatly increases the protection of the IT infrastructure as well as user accounts and data. (See also the linked explanatory video from the BSI: How two-factor authentication works)
The login for the connected services consists of multiple steps:
- using your personal Uni ID or project number and password (factor one - something the user “knows”) as well as
- an additional token in the second step (factor two - something the user "has").
A token is an additional asset that users must have in their possession as a second factor. This includes, for example, a smartphone with a corresponding authenticator app that generates time-based one-time passwords, a desktop application on the computer or a hardware token.
Incremental implementation: MFA becomes standard for VPN login during WS2023/24
At the beginning of the winter semester 2023/24, the Virtual Private Network (VPN) was connected to the central MFA service. From mid-December 2023, login to the VPN will then only be possible with an additional factor for all employees and students.. That means we recommend setting up your additional token now, so you can log in to MFA-enabled services. Additional services will also be successively integrated into the MFA system.
Here's how to set up and manage your tokens:
Setting up multi-factor authentication is easy. The URZ provides the MFA Token Self Service platform (with LinOTP) as a central service for employees and students to set up and manage additional factors.
By default, so-called software tokens are recommended for creating one-time passwords, which can be generated using a smartphone and an Authenticator app.
- You need a current mobile phone as well as an installed authenticator app. These apps are available free of charge in all popular app stores. This ensures that only the person who has access to the smartphone in addition to the normal login data can log in to the MFA-enabled services.
- Register your smartphone with the university's MFA Token Self Service platform, our token management web service, by opening the app and scanning the QR code displayed by the platform.
Once it has been set up, the authenticator app automatically creates time-based one-time passwords that users can simply retrieve and enter each time they log in to connected services.
In addition, it is possible to generate the tokens using software (KeePassXC) on a PC or Mac if a smartphone/tablet PC is not available.
Hardware tokens can also be used, which can be procured decentrally via the facilities, whereby the URZ recommends certain manufacturers and devices.
How-tos, further information, such as recommended apps and FAQs with a list of tested tokens can be found in the linked Service Catalogue.
Already available: Option for MFA in heiBOX
Those who want particularly secure access to heiBOX have had the option of activating multi-factor authentication using a smartphone and authenticator app for the university sync-and-share service for some time. Further information can be found in the linked how-to.