University Computer Centre

Multi-factor Authentication

As announced in Rector's Circular 23/2024 ("Rektorrundschreiben"), multi-factor authentication (MFA) will be mandatory from June 3, 2024. Please set up MFA for your account by this date. If you encounter any problems or have questions, you can contact the URZ-Support:

  1. Why Multi-factor Authentication?
  2. What does Multi-factor Authentication mean?
  3. Which Software is used and which "Tokens" are supported?
  4. How can I enable Multi-factor authentication?
    1. Time-based one-time password via Smartphone-App
    2. Hardware-Token YubiKey with YubiKey Manager
    3. Hardware-Token YubiKey with YubiKey Personalization Tool
    4. TAN-List
    5. Token Management
  5. When and where do I need the second factor?

Why Multi-factor Authentication?

In an increasingly digitalized world, online services and their secure accessibility are becoming more and more important. Chemnitz University of Technology (TUC) also offers a variety of online services. To protect these services and the data stored in them from unauthorized access, the Web-Trust-Center secures access to them. However, the URZ repeatedly sees incidents in which the login credentials of individual TUC accounts are compromised, e.g. through targeted attacks such as phishing or malware. This is a major threat to the entire IT infrastructure of Chemnitz University of Technology, as potential attackers could gain unrestricted access to all data of all online services the university offers.

To counter this threat we highly recommend using multi-factor authentication (MFA).

What does Multi-factor Authentication mean?

If the verification process when logging into an online service is done using several independent features (factors), this is referred to as multi-factor authentication (MFA). Logging in with username and password alone is then no longer sufficient: with MFA you need an additional factor. The second factor is a sequence of digits that is either valid only once or valid only for a short period of time. Compromised credentials (username and password) thus become worthless for attackers, and your own account remains protected.

Which Software is used and which "Tokens" are supported?

The MFA solution at the Chemnitz University of Technology is based on the open source software PrivacyIDEA. The additional features (factors) for logging in are called "Tokens" there. Currently, we support three different token types:

  • Software Token TOTP (authenticator app on your smartphone)
  • Hardware Token YubiKey (USB stick with special security features)
  • TAN List (list that can be printed on a sheet of paper)

How can I enable Multi-factor authentication?

You can enable MFA in the IdM portal. There you can add, test ("verify"), and delete your tokens. After logging into the IdM portal, you will see an overview page that lists all your enabled tokens:

MFA overview in the IdM

In the top part you see all your enabled tokens. The description, which you have to provide when adding a token, as well as the serial number, which is generated automatically, will help you to distinguish your tokens.

Note: Until May 2024, enabling MFA is optional. As soon as you have enabled at least one token for your account, MFA will be enabled automatically, too. If you have not created a token by May 2024, you will no longer be able to log into the Web-Trust-Center from outside the campus network or to establish a VPN connection, as MFA will be mandatory from then on.

Detailed information about the usage of all token types:

Time-based one-time password via Smartphone-App

Note: A video tutorial on how to set up this token type can be found in the FAQ section of the URZ website under 12. Multi-Factor-Authentication.

This token type is a software-based token that generates a 6-digit numerical code every 30 seconds. To use this token type you first need to install an authenticator app on your smartphone. There are many different apps available in the Google Play Store and the Apple App Store. As we use PrivacyIDEA, we recommend using the corresponding authenticator app:

After successfully installing the app on your smartphone, you can create a new token in the IdM-Portal by clicking Add new Software Token (TOTP). Enter a description in the corresponding input field, e.g. the name of the smartphone on which you use the token. Especially when using multiple tokens, this will help you keep track of them:

Add TOTP token

When you click Submit, a QR code will be shown. Scan this code with the previously installed authenticator app. If you create the token on your smartphone, you can click the button below the QR code to add the token to your authenticator app directly:

Display of the QR code

Now the app generates a new 6-digit numerical code every 30 seconds. Within its validity period you have to provide this code when logging into the Web-Trust-Center. To ensure your smartphone is configured correctly, you can test the token you have just created by clicking the button Test token.

Note: You can now go back to the overview page or close this window. After scanning it, the QR code is no longer needed and should not be saved anywhere else. Anyone with access to the QR code (e.g. an attacker) would be able to generate valid one-time passwords, too.
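The following is an added illustration, not code from the URZ or PrivacyIDEA: it implements the 6-digit, 30-second TOTP scheme described above (RFC 6238 on top of RFC 4226, the standard that authenticator apps and PrivacyIDEA follow) and a server-side check with replay protection. The base32 secret is a constructed sample standing in for the value carried by the QR code; the last lines show why the note matters, since the secret alone reproduces every code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret in base32, as an otpauth:// QR code would carry it.
# Not a real TUC secret.
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"

STEP_SECONDS = 30   # validity period stated on the page
DIGITS = 6          # code length stated on the page


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** DIGITS):0{DIGITS}d}"


def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret_b32, int(unix_time) // STEP_SECONDS)


class TotpToken:
    """Server-side view of one enrolled TOTP token (hypothetical simplification)."""

    def __init__(self, secret_b32: str, description: str):
        self.secret_b32 = secret_b32
        self.description = description
        self.last_step = -1   # highest time step already accepted: replay protection

    def verify(self, code: str, unix_time: float, window: int = 1) -> bool:
        """Accept the code for the current step or +-window steps (clock drift),
        but never for a step that has already been used once."""
        current = int(unix_time) // STEP_SECONDS
        for step in range(current - window, current + window + 1):
            if step <= self.last_step:
                continue
            if hmac.compare_digest(hotp(self.secret_b32, step), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    phone_code = totp(SAMPLE_SECRET_B32, now)          # what the app displays
    token = TotpToken(SAMPLE_SECRET_B32, "my phone")
    print("first use:", token.verify(phone_code, now))  # True
    print("replay:   ", token.verify(phone_code, now))  # False, step already used
    # The secret from a kept QR code yields exactly the same code:
    print("same code from copied secret:", totp(SAMPLE_SECRET_B32, now) == phone_code)
```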

Hardware-Token YubiKey with YubiKey Manager

A YubiKey is a special USB stick with security features. Employees can order a YubiKey from the URZ (via "ME-Schein").

YubiKey with keyring

In order to use a YubiKey as second factor, you have to initialize it in advance. This can be done with the tool YubiKey Manager. You may need to install it manually on your PC (all systems managed by the URZ already have the YubiKey Manager installed):

After successful installation you can start the tool and connect your YubiKey to an empty USB port of your PC. In the tool select Applications and then OTP:

Interface of the tool

The YubiKey contains two configuration slots that can be used for different features. You need to select the slot you want to use. Depending on the selected slot, the time you have to hold the physical button of the YubiKey when using it differs:

  • Slot 1: 0.3 to 1.5 seconds
  • Slot 2: 2.0 to 5.0 seconds

In the following example slot 1 is configured.

Select the slot which is to be configured

In the next step you have to select Yubico OTP.

Select the credential type you want to configure

Afterwards, you generate a random configuration by enabling Use serial and clicking the two Generate buttons:

Generate random configuration

Before clicking Finish to write the configuration to the YubiKey, switch to the IdM-Portal and select Add new Hardware Token (Yubikey). Copy the Secret Key from the YubiKey Manager into the input field Secret Key. In the input field below, enter a suitable Description:

Add YubiKey

To finish the configuration, click Submit. Afterwards, go back to the YubiKey Manager and click the Finish button. When you are now asked for a one-time password, you can insert it into the corresponding input field by pressing the button of your YubiKey. To ensure your YubiKey is configured correctly, you can test the token you have just created by clicking the button Test token.

Note: The YubiKey simulates a keyboard. After entering the string (one-time password), the YubiKey "automatically" confirms it by simulating the ENTER key.

Hardware-Token YubiKey with YubiKey Personalization Tool

A YubiKey is a special USB stick with security features. Employees can order a YubiKey from the URZ (via "ME-Schein").

YubiKey with keyring

In order to use a YubiKey as second factor, you have to initialize it in advance. Besides the above-mentioned YubiKey Manager, you can also use the YubiKey Personalization Tool. As this tool is no longer under development, we recommend using the YubiKey Manager. On systems where the YubiKey Manager is not yet available, you can still use the YubiKey Personalization Tool. You may need to install it manually on your PC (all systems managed by the URZ on which the YubiKey Manager is not yet available already have the YubiKey Personalization Tool installed):

After successful installation you can start the tool and connect your YubiKey to an empty USB port of your PC. In the tool select Yubico OTP and then Advanced:

Interface of the tool

The YubiKey contains two configuration slots that can be used for different features. You need to select the slot you want to use. Depending on the selected slot, the time you have to hold the physical button of the YubiKey when using it differs:

  • Slot 1: 0.3 to 1.5 seconds
  • Slot 2: 2.0 to 5.0 seconds

In the following example slot 1 is configured. Select it in the tool and generate a random configuration by clicking the three Generate buttons:

Generate a random configuration

By clicking Write Configuration, the YubiKey is configured. The tool will offer to save a log file containing the configuration.

Note: We recommend cancelling this save. Just like the QR code for TOTP tokens, an attacker could use this configuration to set up their own YubiKey, which could then generate valid one-time passwords, too.

Now switch to the IdM-Portal and select Add new Hardware Token (Yubikey). Copy the Secret Key from the YubiKey Personalization Tool into the input field Secret Key. In the input field below, enter a suitable Description:

Add YubiKey

By clicking Submit you enable your new token. When you are now asked for a one-time password, you can insert it into the corresponding input field by pressing the button of your YubiKey. To ensure your YubiKey is configured correctly, you can test the token you have just created by clicking the button Test token.

Note: The YubiKey simulates a keyboard. After entering the string, the YubiKey "automatically" confirms it by simulating the ENTER key.

TAN-List

This is a list of 100 valid one-time passwords. In general, this list should only be used as a backup: if your smartphone malfunctions or you lose your YubiKey, you can use a password from your TAN list to log into your account and set up a new token. Nevertheless, the TAN list is also suitable for users who do not have a smartphone or YubiKey or do not want to use them as a token.

To generate a new TAN list, go to the IdM-Portal and select Add new TAN list. Then type a meaningful Description into the corresponding input field, e.g. the location where you will keep the TAN list:

Add TAN list

By clicking Submit you enable your new token, and the list of one-time passwords will be shown. With the button Print you can print your list directly on a sheet of paper:

Example of a TAN list, pixelated

When you are now asked for a one-time password, you can choose any password from the list. To keep track of unused passwords, we recommend using the passwords one after another and crossing out those already used. If you want, you can test your generated TAN list by clicking Test token. Keep in mind that you have to cross out the used TAN afterwards, as it will no longer be valid.

Token Management

If you have already set up one or more tokens, they will be shown on the overview page in the IdM-Portal. If, e.g., your smartphone is broken or you have lost your YubiKey, you can delete the corresponding token from the list. Afterwards the token can no longer be used as second factor when logging into the Web-Trust-Center or establishing a VPN connection. The Serial Number as well as the Description will help you distinguish the different tokens. If you are still not sure, you can test the different tokens via "verify":

MFA Overview in the IdM

When and where do I need the second factor?

You will need your second factor when you are outside the campus network and want to log into the Web-Trust-Center or establish a VPN connection. Then, in addition to your username and password, you need to enter a valid one-time password. If you have enabled more than one token for your account, you can enter a valid one-time password from any of them. You can find more information on the linked pages. If you are inside the campus network (WLAN, cable network, or an already established VPN connection), you do not need the second factor.

URZ agenda with measures to increase IT security