How-ToSetting up an Android smartphone as a software token
This guide describes how to set up an Android smartphone as a software token for multi-factor authentication.
Multi-factor authentication (MFA) is performed in 3 steps that together secure your logins onto all supported services from now on.
- In the first step, you install an Authenticator app on a smartphone as a so-called token. Once set up, the Authenticator app generates one-time passwords for each login. This ensures that only people who have access to the smartphone in addition to the usual login data can log in to the MFA-enabled services.
- In the second step, register your smartphone with MFA Token Self Service Portal LinOTP, the web service for managing your own tokens for use at university services. LinOTP can be accessed around the clock via the link on the right from within the university network or through a VPN.
- While the first two steps are only carried out once per smartphone, the third step describes the logon to an MFA-enabled service and is thus carried out many times. At first, only the university's VPN is supported here. Other services will follow.
Video Tutorial
In addition to these instructions, you can watch the german video tutorial, which briefly shows you how to set up the token. We recommend that you also read the instructions in text form, as this contains more detailed information.
Installing the Authenticator app on your smartphone
Before setting up your first token, you must install a corresponding app on your mobile phone. Depending on your smartphone, please follow the steps below to ensure the security of your MFA credentials.
1. Installing the Authenticator app.
Open the Play Store on your Android device. There, search for the “Aegis Authenticator - 2FA App” (if you use the Google Play Store) or "Aegis Authenticator" (if you use F-Froid) from the developer "Beem Development" or an alternative of your choice. Install the app on your device.
2. Initial setup
Once the app has been successfully installed, open it on your Android device. As the creation of screenshots in this step is prohibited, we cannot show any examples here.
- On the first screen "Welcome", please tap on the arrow at the bottom right.
- In the following screen “Security” please select “Biometrics” and tap on the arrow at the bottom right (If you do not want to use biometrics please select "Password").
- On the 2nd “Security” screen, enter a secure password and repeat it. The bar under the passwords should be green
be green and show "Secure". Please save this password in a password in a password memory or on a document that you keep safe. Then tap on the arrow at the bottom right. If you have selected "Biometrics", you must authenticate yourself biometrically once. - Complete the “Setup complete” screen by tapping on the arrow at the bottom right.
The next steps will now take place on your PC.
Creating a token
1. Log in to the MFA Token Self Service Platform LinOTP in a browser on a trusted device.
Log in to https://mfa.uni-heidelberg.de on a trusted device other than your Android smartphone with your usual university credentials. Before entering your data, you should check the domain and the shield symbol next to it to ensure that all transmitted data is really exchanged with our MFA solution.
2. Generating a token.
In the section “Set up new authentication method” select the option “Soft token (time-based)” and click on "Set up".
In the window that opens, you can enter a name at the bottom under “Token description” (e.g. “Work mobile phone” or "Private mobile phone"). Then click on “Next”.
You will now be shown a QR code, which you can scan with your smartphone.
Please do not click on "Next" until your smartphone has been successfully set up!
If the setup on your smartphone cannot be completed:
Please press “Cancel” and confirm the cancellation in the dialogue that immediately follows. You will now return to the overview of your tokens. This should be empty. If a token is still listed here, but you have not successfully set up a token, please delete the displayed token.
Setting up a smartphone as a token
To add this token, the following steps are now required depending on the smartphone:
1. Add a token.
Open the authenticator app and tap the plus icon located at the bottom right of the screen to add a new token.
2. Scan the QR code.
Select "Scan QR code".
At the first use, the permission “Take pictures and videos” must only be granted "When using the app". Then point the camera of your Android device at the QR code that is displayed in LinOTP. The app automatically recognises the code and adds the token.
Important: If you do not complete the token setup on your device for any reason, you must also end the process in the Self Service platform by clicking "Cancel" or, if it has already been completed, delete the token BEFORE logging out.
Testing a token
After you have successfully set up the token, you can tap on the corresponding entry in all authenticator apps after you have unlocked your phone again. The time-based one-time password (TOTP) is displayed and you can use it to log in via MFA.
Back on the self-service platform, you can now click on "Continue" and the confirmation of the token setup will appear. Click on "Test" to continue with the test.
In the dialogue that opens, please enter the current one-time password from your token and press "Submit".
It will now be shown whether your test was successful.
Test successful
If possible, set up a second token (e.g. KeePassXC) or log out of the platform.
You can now use MFA in all compatible applications. You can find specific help on this in the instructions for the corresponding services.
Test unsuccessful
If the test was not successful, please try again immediately. If this test is also unsuccessful, please delete the token immediately by clicking on the three dots in the overview and then on "Delete".
In this case, please contact your IT representative or the IT service.
