ServiceMulti-factor Authentication (MFA)

Greater security for your login

Every time you log in, an authentication process checks whether the given account really belongs to the user making the request. Typically, a password is used to verify access authorization, and in the context of a login, this is referred to as a factor. However, since a password can easily be obtained along with the username, for example, through phishing, this approach no longer offers state-of-the-art protection against third parties gaining unauthorized access to an account and all of its associated data and rights.

With multi-factor authentication (MFA), your identity is verified during login using other, independent factors in addition to your password. The URZ provides the MFA Token Self Service platform (with the LinOTP software) as a centralized service for Heidelberg university employees and students to set up additional factors. Here, multiple factors are made available, which users can select and set up individually.

If you encounter any obstacles or have any questions when setting up your tokens or using MFA on the VPN, please contact IT Service by video call.

Target Group

University employees
Students
Users with a project number

Use

Additional factors, unlike passwords, are not just static bits of information and cannot be easily copied. As a result, MFA provides a secure login process for the connected services thereby increasing the protection of user accounts and data.
Factors from different categories, such as “knowledge” (e.g. a personal password) and “possession” (e.g. a smartphone with an authenticator app or a hardware token) as well as “inherent” (e.g. individual biometric characteristics such as fingerprint or face), reinforce each other and significantly reduce the risk of attacks.
Account theft is made much more difficult and requires considerably more effort. This means that the data and permissions of all users are better protected.

Access and Requirements

The login for the connected services consists of multiple steps:

using your personal Uni ID or project number and password (factor one - something the user "knows") as well as
an additional token in the second step (factor two - something the user "has").

A token is an additional asset that users must have in their possession as a second factor. This includes, for example, a smartphone with a corresponding authenticator app that generates time-based one-time passwords or a hardware token. These one-time passwords can then be entered when logging in to the MFA protected services.

The following requirements must be met to use MFA:

You must have a Uni-ID or project number.
You must have set up at least one additional factor (e.g. smartphone with authenticator app) using LinOTP (login via Uni ID or project number).
The setup of additional factors must be done from the university network or via VPN.

By default, so-called software tokens are recommended for creating one-time passwords, which can be generated using a smartphone and an Authenticator app. It is also possible to generate the tokens using software (KeePassXC) on a PC or Mac if no smartphone/tablet PC is available.
In addition to software-based tokens, hardware tokens can also be used. All institutions therefore have the option of procuring their own hardware tokens in a decentralized manner, whereby the URZ recommends certain manufacturers and devices. A list of tested tokens can be found in the FAQ.

MFA Token Self Service platform (access limited to the university network or VPN)

How-tos and training courses

How-to

Login Cisco Secure Client - AnyConnect - VPN

The guide describes how to log in to the Cisco Secure Client - AnyConnect - VPN with multi-factor authentication.

event

Introduction to multi-factor authentication: Information presentation

In this online training, you will learn how to set up and use multi-factor authentication.

Frequently Asked Questions

Table filters

Table

Question	Answer

Question	Answer
I am not in Heidelberg, but have not yet set up a token. What can I do?	Please contact the URZ video call service to securely set up a token with our service staff: https://www.urz.uni-heidelberg.de/en/newsroom/it-service-now-offering-video-call-consultations
Which services will be protected with MFA?	Initially, the Virtual Private Network (VPN) will be protected by MFA (mandatory from mid-December 2023). Other services will follow. Other services that support MFA (optional): heiBOX
How many factors should I set up?	We recommend setting up two different tokens (e.g. smartphone and PC). This means that if you lose one of the tokens, you will still have independent access to the Self Service platform and can delete the lost token and set up a new one.
Do you recommend using a smartphone app as a factor?	Yes, this is a secure factor. Concrete recommendations can be found in the MFA how-tos.
If no smartphone is available, can a token also be set up using software on a PC?	Yes, it is possible to create the tokens with the KeePassXC software on a PC or Mac if no smartphone/tablet PC is available. This possibility in no way diminishes the benefits of MFA compared to the main risk - the phishing of account data. Of course, there is the possibility that the end device used has been compromised and access to the token has been granted: In this case, however, the input of a hardware token can also be read. Only the much more complex FIDO2 can mitigate this attack vector.
What do OTP and TOTP mean?	OTP stands for one-time password. TOTP stands for time-based one-time password.
What kinds of factors are supported?	Initially, time-based one-time passwords (TOTP) on a cell phone or as hardware or as hardware tokens as well as Yubikeys are supported. For the MFA Token Self Service platform, the LinOTP software is used. This supports a wide range of tokens. For most purposes, however, only the only the text-based and not protocol-based methods can be used. We therefore recommend TOTP or HOTP according to the standard RFC 6238, which actually includes almost all tokens on the market. FIDO2 could be added after some time, but we will not be able to support it at the start.
How do I connect to the VPN via openconnect?	On the command line: sudo openconnect vpn-ac.uni-heidelberg.de/2fa --useragent='AnyConnect' In the Network Manager, please enter the gateway 'vpn-ac.uni-heidelberg.de/2fa' and the programme ID 'AnyConnect'. The Network Manager Openconnect component version 1.2.10 or higher should be used.
How can hardware tokens be obtained?	In addition to software-based tokens, hardware tokens can also be used. All institutions therefore have the option of procuring their own hardware tokens in a decentralized manner. Procurement must be carried out in compliance with the procurement manual. A nationwide framework agreement for hardware tokens is currently being sought. The URZ currently recommends the following token: Feitian C200 Please contact it-sicherheit@urz.uni-heidelberg.de if you need advice.
I have procured hardware tokens for my department. What do I do next?	Please follow this guide: https://www.urz.uni-heidelberg.de/de/anleitung-import-von-instituts-token
How can I log in to the Token Self Service platform?	Login to the Token Self Service platform is only possible before setting up a token without a second factor. Once a token has been set up, you can only log in with this second factor. Therefore, make sure that you complete the setup completely or delete a partially set up token before logging out of the platform. Otherwise you will no longer be able to log in without the help of the IT service.