Multi-factor authentication

You must be connected to the campus network (wired or eduroam) to set it up.

Multi-factor authentication (MFA) is an effective means of increasing security when using classic access data such as username and password. This can be done using

  1. software-based or
  2. hardware-based tokens.

Software-based tokens (soft tokens) are implemented on smartphones/tablets using an app. On a personal computer (PC) they use a special program.

In most cases, the use of a soft token is perfectly sufficient. If a smartphone (private or business) is available, it can be used. If no smartphone is available, a program for the PC can be used. The costs depend on the software provider; the software we recommend is free of charge.

Smartphone/tablet

The university recommends and supports the freely available app 2FAS (available for iOS/iPadOS and Android). The 2FAS app requires a current operating system (iOS/iPadOS 16.4 or later). Of course, it is also possible to use a different app (see FAQ below). However, the soft token generated by the Microsoft Authenticator app currently cannot be used (see FAQ below).

Personal Computer

If you do not want to use a smartphone or tablet, you can also generate the soft token on a personal computer (Windows, Linux, or Mac). We recommend and support the use of KeePassXC. In addition to the access data for the Hohenheim user account, this password manager can also store the parameters for the soft token and generate its values.

3 steps to a soft token

1. Install suggested and supported app

2. Log in, generate and scan soft token

3. Test and secure the soft token

Notes

  1. The use of business and private smartphones or a personal computer to generate a soft token is expressly permitted. When creating a soft token manually, no information regarding the Hohenheim user account needs to be entered.
  2. With smartphones, care should always be taken to ensure that access to the smartphone is adequately secured so that the stored access data is protected from unauthorized persons if the device is lost. This means either via a long PIN or via a biometric factor.
  3. If both the access data for the Hohenheim user account and the soft token are stored on the same smartphone, it is strongly recommended that you protect the app for the soft token with a separate PIN.
  4. When using KeePassXC, it is also possible to save the soft token for the Hohenheim user account. Special care must be taken here, as both login details may be disclosed if the device is lost.

Hardware token

If you do not want to use a smartphone/tablet or a personal computer, you can also use a hardware token. For system reasons, third-party hardware tokens cannot be registered in the system. They can therefore only be used if the hardware token is obtained from the KIM, or if the hardware token lets you enter or scan your own token parameters yourself (so-called TAN generators) and the KIM offers this option.

For students: Unfortunately, we cannot provide hardware tokens. However, we can advise you at the IT Service Desk on which hardware tokens are possible.

Exclusively for employees of the decentralized institution: If absolutely necessary, hardware tokens can be obtained from the IT small parts department. The costs are borne by the institution using the token.

For employees of the university administration: The hardware token for the Parallels environment can also be used for VPN access upon request.

Frequently asked questions (FAQs)

General

MFA stands for multi-factor authentication. A special case is 2-factor authentication. In addition to the username and password, a token value is also required to log in to a service. As a rule, the second factor is a dynamic value (e.g., a time-based, 6-digit number).

Instructions for the 2FAS app for iOS/iPadOS and Android and for KeePassXC for PC (Windows, Linux and macOS) can be found at the top right of this website. The instructions also include an example of VPN access on Windows at the end. You can find detailed instructions for VPN here.

It is not possible to receive the second factor by text message or email.

Only one token can be used per user. With a soft token, the QR code or the secret key can be stored in the recommended 2FAS app as well as in another app, and can be used to set up multiple devices. This is not possible with a hardware token, of which there is only one.

A token (more precisely a security token) is a software- or hardware-based option for generating a value for 2-factor authentication. Apps are used as a software-based option for smartphones. Hardware-based tokens are usually TAN generators. The procedure is similar to how banks and savings banks secure access to online banking. You can find more information on Wikipedia, for example.

Please log in here with your Hohenheim user ID. Please note: Once the soft token has been provided, you cannot delete or change the soft token yourself. In the 2FAS app, you have the option of reading out the secret key after setting a PIN and transferring it to another app or another device.

Currently, only one token can be assigned to the Hohenheim user account. This can be a soft token or a TAN generator. With the soft token, however, it is possible to use several devices with the same soft token. The QR code can be scanned into the various apps or devices for this purpose. With the recommended app 2FAS, it is also possible to copy and use the secret key later.

An existing hardware token can only be used if it was provided by the KIM. Employees of decentralized institutions can obtain a hardware token from the IT small parts store (simple hardware token or a hardware token with the option of changing the battery). In both cases, the costs are borne by the using institution. Employees of the university administration can use the existing hardware token for the Parallels environment upon request.

Other or personal hardware tokens cannot be entered into the system. They can only be used if the hardware token offers the option of scanning the QR code or entering it manually. These devices are usually a little more expensive to purchase.

The soft token is referred to as a TOTP token. TOTP stands for time-based one-time password.

The following parameters are important:

Algorithm: SHA512
Update time: 30 seconds
Number of digits: 6 digits

To use an app or program to generate a soft token, you need these parameters and the secret key.

Tips and tricks

This is a “silent” crash of the program in the current version 2.7.9. This can easily be fixed by downloading and installing the latest version of Microsoft Visual Studio C++ Redistributables. After restarting the computer, the program should start properly.

The error message appears when the token was not verified during rollout. This can be done later. Log in with your Hohenheim user data here. Then click on your Token. For Rollout Status, please enter the current 2nd factor from the 2FAS app or KeePassXC. Then click on Verify Token. After the token has been verified, a VPN connection can be established with it.

The secret key can be downloaded at the same time as the QR code when applying for the second factor. It is hidden in the link for the password manager and must be extracted from it. If only the QR code is available, you can read and evaluate it with a QR scanner. In both cases, the secret key is located between “secret=” and the next “&”. In the 2FAS app, it is possible to display and copy the secret key. The prerequisite for this is that a password has been set for the app.
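As an added example (not part of the university's instructions and not code from 2FAS, KeePassXC or any other app named on this page), the following Python script shows what an authenticator app does with the parameters listed above (SHA512, 30 seconds, 6 digits) and with the secret key taken from the QR code or the password-manager link: it parses an otpauth key URI, takes the value between "secret=" and the next "&", and computes the time-based value with HMAC-SHA512. The URI, secret and function names are constructed for this example; only the Python standard library is used. A self-check against the published RFC 6238 test vectors confirms the arithmetic, and the last line illustrates why an app that ignores the algorithm parameter and falls back to SHA1 produces values the server rejects.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample key URI of the kind encoded in an enrolment QR code.
# The secret is a made-up Base32 string, not a real Hohenheim key.
SAMPLE_URI = ("otpauth://totp/Hohenheim:example.user?secret=JBSWY3DPEHPK3PXP"
              "&issuer=Hohenheim&algorithm=SHA512&digits=6&period=30")

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Split an otpauth://totp/ key URI into its TOTP parameters.

    Missing parameters take the usual defaults (SHA1, 6 digits, 30 s), which is
    exactly what an app that ignores algorithm= silently falls back to.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("key URI carries no secret= parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": query["secret"][0],          # text between "secret=" and the next "&"
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def totp(secret_b32, algorithm="SHA512", digits=6, period=30, timestamp=None):
    """RFC 6238 TOTP value: HMAC over the time-step counter, dynamic truncation
    per RFC 4226, then the last `digits` decimal digits, zero-padded."""
    if algorithm not in HASHES:
        raise ValueError("unsupported algorithm: " + algorithm)
    # Base32 secrets are often shown without "=" padding and with spaces.
    cleaned = secret_b32.replace(" ", "").upper().rstrip("=")
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    now = time.time() if timestamp is None else timestamp
    counter = struct.pack(">Q", int(now) // period)     # 8-byte big-endian step
    mac = hmac.new(key, counter, HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def code_from_uri(uri, timestamp=None):
    """Parse the key URI, then compute the value for that moment."""
    p = parse_otpauth(uri)
    return totp(p["secret"], p["algorithm"], p["digits"], p["period"], timestamp)


def seconds_remaining(period=30, timestamp=None):
    """How long the current value stays valid (why it pays to open the app first)."""
    now = time.time() if timestamp is None else timestamp
    return period - int(now) % period


def rfc6238_selfcheck():
    """Check against the RFC 6238 Appendix B vectors (T=59, 8 digits)."""
    sha1_secret = base64.b32encode(b"12345678901234567890").decode()
    sha512_secret = base64.b32encode(b"1234567890" * 6 + b"1234").decode()
    return (totp(sha1_secret, "SHA1", 8, 30, 59) == "94287082"
            and totp(sha512_secret, "SHA512", 8, 30, 59) == "90693936")


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    print("parameters:", params)
    print("self-check against RFC 6238 vectors:", rfc6238_selfcheck())
    print("current SHA512 value:", code_from_uri(SAMPLE_URI),
          "valid for", seconds_remaining(params["period"]), "s")
    # Same secret and time step, but computed with the SHA1 default an app
    # uses when it ignores algorithm=: a different value the server rejects.
    print("value an SHA1-only app would show:", totp(params["secret"], "SHA1"))
```

Run it as a script to see the current value for the sample URI; pass a fixed timestamp to `totp` or `code_from_uri` when comparing against a known vector. The self-check uses the RFC's own secrets (the ASCII digits "1234567890" repeated), so it exercises the same SHA512 path the university's tokens rely on.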

The value of the soft token changes every 30 seconds. To ensure that the entry can be made quickly, it is best to open the app first and activate the entry for the corresponding soft token. If this changes while you are entering the username and password, you can enter the new value of the soft token straight away.

You can set up several devices with this token when you first generate the token. The QR code can also be saved. With the recommended app 2FAS, you can also save the secret key after setting up a PIN code and read it in again at a later time. Please keep the QR code or secret key safe and separate from the access data for your Hohenheim user account.

For IT security reasons, the soft token cannot be changed or renewed by the user. When a soft token is deleted in the 2FAS app, it is first moved to the app's recycle bin, from which it can be restored. If someone else has access to the soft token, please block it here immediately. Please contact the IT Service Desk on site with your state-issued ID card or passport to obtain a new soft token.

If it is not possible to replace the battery or if it is defective, the hardware token must be replaced with a new one. The opportunity should be taken to examine whether a soft token could be used in future.

Please deactivate the hardware token here and contact the IT Service Desk.

Other apps

The FreeOTP app is also suitable, but is very rudimentary. Accidentally deleted soft tokens cannot be restored and the secret key cannot be displayed again afterwards.

The Yubico Authenticator app requires a hardware token from YubiKey. This is then very secure, but involves additional costs for the YubiKey. It is possible to use this app.

The Google Authenticator app can be used.

The Microsoft Authenticator currently does not work with the SHA512 hash algorithm. Although the QR code of the soft token can be read, it returns incorrect values. This means that it cannot be used.

Like Microsoft Authenticator, the Authy app does not currently work with the SHA512 hash algorithm. The QR code of the soft token can be read, but provides incorrect values. It is therefore not possible to use the app.
