Two-Factor Authentication

Fundamentals

The university, like many other organizations, has a major problem with so-called phishing. Through cleverly forged emails or phone calls, university user data falls into the hands of criminals and is misused on a large scale for petty crime, data espionage and sabotage. For this reason, the university has decided to gradually introduce two-factor authentication in addition to increased staff training.

When you authenticate (log in) with a second factor, another factor is used in addition to your username and password to verify your identity. This second factor can be, for example, a numerical code generated by a smartphone app or a hardware token (similar to a USB stick). The advantage is that this second factor cannot simply be passed on to a criminal as part of a phishing attack, because it is firmly tied to the possession of a piece of hardware (smartphone or hardware token).

For organizational reasons and after careful consideration of security and usability, the university initially opted for a simple, inexpensive and widely used method called TOTP (Time-based One Time Password) with a numerical code generated by an app. You may be familiar with this method from other major online service providers such as Amazon or PayPal.

The use of two-factor authentication is voluntary. If you do not wish to use the procedure, nothing will change for you and you can continue to log in to the university services as usual with just your username and password.

Registering an App/Token

If you want to use two-factor authentication, you need to install a suitable app on a smartphone, for example, and then register it in the university system via self-service, a very simple procedure. After registration, when you log in to a service that has already been converted, you must enter, in addition to your username and password, a numerical code generated by the app; this code changes every 30 seconds.

Step 1: Installing a TOTP-enabled App

The first step is to install a TOTP-enabled app on a smartphone. Because the procedure is very simple, there are many such apps, which you can simply download from your preferred app store; Aegis and FreeOTP are widely used. You don't need to worry about data protection: these apps do not store any information in the cloud and do not require network access.

Alternatively, some desktop applications, such as the password manager KeePassXC, can also manage TOTP codes. It is generally possible to use hardware TOTP generators; however, as these devices have difficulty keeping the precise time the procedure requires, we recommend using a smartphone.

Step 2: Registering your Smartphones

Once you have installed the application, go to the onlinetools and select the 'Two-factor authentication' page. Select the item 'Add TOTP token'. On the following page, you will see a QR code, which you scan with the app you installed earlier. This completes the registration process.

Token lost?

If you no longer have access to the access codes, for example because your smartphone has been stolen or broken, you will no longer be able to log in to services that are secured with a second factor and will have to start a comparatively cumbersome process to reset your access.

It is therefore advisable to register two devices as explained above if possible. If one of the devices is lost, you can log in with the second device, block access via the lost device and continue working without interruption.

If there is no second device, you must reset your access by resetting your password. Resetting the password also allows you to log in with a temporary access code. You can then access your settings and add new tokens accordingly.

Supported Services

The services offered by the university will be gradually supplemented by authentication with a second factor where possible. The following have already been converted (not exhaustive):

  • All services secured via the central single sign-on (Shibboleth). This includes, for example, Nextcloud and the central self-service portal (onlinetools), but also all external services within the DFN-AAI (e.g. publisher access).

In the near future, the following services will also be secured with the second factor:

  • Stud.IP (Converted to Shibboleth)
  • VPN
  • Webmail

Services where the login is automated by an accessing program (e.g. e-mail clients) are inherently more difficult to secure with a second factor. We will add these at a later date.

Of course, you can continue to use services that do not yet support 2FA even after registering for the second factor - the second factor will be ignored for these services and you will continue to log in with just your user name and password.

Are you the administrator of your own service at the university and would like to use the central authentication services (and therefore also 2FA)? The best way to do this depends heavily on your application. Ideally, your service supports either OpenID Connect (OIDC) or SAML and can therefore be connected via OpenID Connect or Shibboleth. Contact us at campusserver (at) uni-bremen.de to find the optimal solution and discuss the next steps.

Data protection

No additional personal data is stored for the procedure.

As part of the registration process, a random character string (the so-called shared secret) is generated and stored both in your smartphone app and in the central user database. By combining this shared secret with the current time, a mathematical procedure (the TOTP algorithm) generates the numerical code that you enter when you log in.
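As an added illustration (not part of this page or of the university's systems), the following Python code shows the procedure just described: HOTP as specified in RFC 4226 and TOTP as specified in RFC 6238, using only the standard library. It also includes a server-side check that tolerates one 30-second step of clock drift and compares codes in constant time, and the otpauth:// key URI of the kind an enrolment QR code usually carries. The secret is the test secret published in those RFCs; the account name, issuer and drift window are assumptions for the example.

```python
"""Worked example of HOTP (RFC 4226) and TOTP (RFC 6238); standard library only."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Test secret published in RFC 4226 / RFC 6238 ("12345678901234567890" as ASCII).
# A real shared secret is generated at random during enrolment and never reused.
REFERENCE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    # The counter is fed to HMAC-SHA1 as an 8-byte big-endian integer.
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # Zero-pad so that a code such as 007081 keeps its leading zeros.
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = unix_time // step.

    This is why the code changes every 30 seconds: the counter only moves on
    when the clock crosses the next 30-second boundary.
    """
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a submitted code.

    Accepts the code for the current step and for `window` steps on either side,
    so a phone whose clock is slightly off still works (window=1 is an assumption).
    """
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        # Constant-time comparison: a plain == would leak how many digits matched.
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     step: int = 30, digits: int = 6) -> str:
    """otpauth:// key URI, the text usually encoded in an enrolment QR code.

    The secret travels base32-encoded; the label/issuer values here are examples.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Counter 1 of the RFC test secret is the 8-digit code 94287082 at unix time 59.
    print(totp(REFERENCE_SECRET, 59, digits=8))
    print(provisioning_uri(REFERENCE_SECRET, "user@example.org", "ExampleUniversity"))
```

Because the same secret sits in both the app and the central user database, anyone holding the secret can generate valid codes; that is why the page stresses keeping the registered device under your control and registering a second device rather than sharing one.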

There are no additional monitoring opportunities resulting from the use of this system.