Two-factor authentication
Overview
With two-factor authentication, a second factor in the form of a number or a security key is requested in addition to the usual password when logging in. The login can only be carried out successfully if both factors are entered correctly. The combination of a password (something you know) and a second factor (something you have) therefore offers better protection against unauthorised access to the account.
You can choose from several methods for the two-factor authentication. Please set up at least 2 methods to avoid accidentally locking yourself out of your account (e.g. if your mobile phone or security key is damaged and can therefore no longer be used).
Once you have set up one or more second factors, you can use them to log in to university services in the future. You do NOT have to set up a second factor before every login.
Set up two-factor authentication
Authenticator app - Android and iOS
An authenticator app generates one-time passwords that you have to enter as a second factor after logging in with your password. The method used at the university is called TOTP, which stands for time-based one-time password.
If you use several accounts, you can use the same authenticator app for all these accounts. All you need to do is link the relevant account to the authenticator app in the Account Portal.
We recommend the privacyIDEA Authenticator (netKnights GmbH) because
- it is Free Open Source Software (FOSS) and therefore the source code is public.
- the university has a contract with the manufacturer.
- the business model is not based on displaying adverts or selling data.
- it is easy to use.
- the app is identical for Android and iOS.
In principle, you can use any authenticator app that supports the TOTP standard. However, please note that it is not possible for the ZID to provide a detailed analysis of the large number of authenticator apps available on the market. This is because it is not possible to exercise real control over the software or build up the same level of expertise for all applications.
The installation process is explained using the privacyIDEA Authenticator app. However, the process of linking the apps to your university account is similar for all authenticator apps.
Installing the authenticator app
- Open the Play Store (or App Store) on your mobile phone/mobile device.
- Search for privacyIDEA Authenticator (NetKnights GmbH).
- Install the app and open it.
Attention: Do not delete the app or the tokens it contains. You will need both to log in to the university's services in future.
Link the Authenticator app to your account
- Log in to the Account Portal with the user ID for which you want to set up two-factor authentication.
- After successfully logging in, activate or manage two-factor authentication.
- If you have never used two-factor authentication (2FA) before, click on Activate.
- If you have already activated two-factor authentication (2FA), click on Manage. Your existing tokens will be displayed. Then click on New token.
- Open the Authenticator app on your mobile device.
- Tap on the blue circle in the centre of the mobile device. (You may need to authorise the app to take pictures and videos here).
- Point your mobile phone camera at the QR code on the PC screen to scan it.
- Then, on the PC, enter the generated one-time password (6 digits) that is displayed on the mobile phone/mobile device.
- Click on Verify. The second factor has been set up successfully.
A security key is a type of special hardware that can be used as a second factor. Please note that the product must support the FIDO2 standard. Successful tests have been carried out at the ZID with the NitroKey FIDO2 and Yubico Security Key product ranges. The security key is connected to a USB port on your device and usually has an activation mechanism, such as touching a contact surface.
If you use several accounts, you can use the same security key for all these accounts. All you have to do is link the relevant account to the security key in the Account Portal.
Please note: if you have already set up the Windows Hello PIN on your device, you must cancel this entry in order to set up the security key.
You should always have the security key with you and attach it to your key ring, for example.
You can find out how to obtain a key from the university in our FAQs.
Set up the security key
- Log in to the Account Portal with the user ID for which you want to set up two-factor authentication.
- After successfully logging in, activate or manage two-factor authentication.
- If you have never used two-factor authentication (2FA) before, click on Activate.
- If you have already activated two-factor authentication (2FA), click on Manage. Your existing tokens will be displayed. Then click on New token.
- Click on Security Key, Windows Hello, iCloud Keychain.
- Connect the security key to your device or hold it to your mobile device (NFC).
- Enter a personal mnemonic in the Description * field.
- Click on Set up.
- If you are using a Windows device and are prompted to set up Windows Hello, click CANCEL.
- Now follow the instructions on your device. (The instructions differ between Windows, macOS, Android, iOS, Linux and their individual versions).
- Among other things, you will be instructed to touch the security key. To do this, tap the round logo/the golden area/button with your finger.
To be able to use the security chip built into Windows devices as a second factor, you must first set up the Windows Hello PIN.
Please note: if you activate the built-in security chip as a second factor on the device at your workplace, you cannot use it to log in to your device at home, as this second factor is linked to the workplace device. Please also use an authenticator app or a security key.
Activate Hello PIN on the device (PC/laptop)
- Enter sign-in options in the Windows search field and open it. If you cannot find a search field, proceed as follows:
- Click on the Windows Start icon (window), and then on Settings (cogwheel).
- Click on Accounts and then on Logon options in the menu on the left.
- Click on Windows Hello PIN and then on Add or Set up.
- Confirm your identity with your password.
- Set up the PIN.
Information: The next time you start or unlock your PC, you will be asked for this PIN instead of your password.
Please note: this PIN is only valid for the device on which you have set it up. If you would also like to set up a PIN on another device, please follow the necessary procedure for the corresponding operating system.
Link the Hello PIN to your account
- Log in to the account portal with the user ID for which you want to set up two-factor authentication.
- After successfully logging in, activate or manage two-factor authentication.
- If you have never used two-factor authentication (2FA) before, click on Activate.
- If you have already activated two-factor authentication (2FA), click on Manage. Your existing tokens will be displayed. Then click on New token.
- Click on Security Key, Windows Hello, iCloud Keychain.
- Enter a personal mnemonic in the Description * field.
- Click on Set up.
- Follow the instructions for your device. (The instructions differ between Windows 10 and Windows 11)
To use the security chip as a second factor on Apple devices, you must first set up the Apple ID. This variant currently only works with Safari on macOS. Chrome and Firefox are not supported. Please note: this factor only applies to the device on which the security chip has been set up.
Activate iCloud keychain on the device (PC/laptop)
This variant currently only works with Safari under macOS. Chrome and Firefox are not supported.
You can find out how to set up the Apple ID in the macOS User Manual.
Link the iCloud keychain to your account
- Log in to the Account Portal with the user ID for which you want to set up two-factor authentication.
- After successfully logging in, activate or manage two-factor authentication.
- If you have never used two-factor authentication (2FA) before, click on Activate.
- If you have already activated two-factor authentication (2FA), click on Manage. Your existing tokens will be displayed. Then click on New token.
- Click on Security Key, Windows Hello, iCloud Keychain.
- Enter a personal mnemonic in the Description * field.
- Click on Set up.
- Follow the instructions on your device. (The instructions differ between iOS, iPadOS, macOS and their individual versions).
Many password managers offer the option of generating tokens for two-factor authentication (TOTP support). This token can be used to log in to the university's services. If you already use a password manager, please find out whether it enables two-factor authentication. Two password managers that offer this function are presented below.
When using a password manager for two-factor authentication, the second factor (something you own) is derived from accessing the password manager. Therefore, the second factor should be stored independently of the first factor (the password).
Proton Pass
Proton Pass is a service where the access data is stored in encrypted form on the provider's system. This means that you do not have to worry about ensuring that your access data is available everywhere and does not get lost.
We recommend Proton Pass because
- private use is free of charge (including 2FA functionality).
- the access data is automatically synchronised between devices (wherever the app or browser add-on is installed)
- the company specialises in secure communication.
- the source code of the clients and the web applications is public.
- the company and server location is in Europe and therefore European data protection standards apply.
KeePassXC
KeePassXC is an offline password manager that supports two-factor authentication. The application stores access data in an encrypted file on the local hard drive.
ATTENTION: With KeePassXC, you must keep your password file secure and ensure that you have it available on every device you use to log in to university services.
Installation and use are described in the article Password management.
Registering and installing Proton Pass
- Open https://pass.proton.me/ and click on Create Proton account.
- Select the Proton Free option.
- Enter your e-mail address and choose a password (note: please do NOT use the same password as for your university account).
- Click on Start using Proton Pass now. A new window will open.
- Enter the verification code you received by email and click on Verify.
- In the Secure your account window, click Download PDF to get the recovery kit. Keep this file safe! Follow the Safe storage tips on the PDF.
- Select I understand that if I lose my recovery data, I may permanently lose access to my account and click Continue.
- You can now log in to your Proton Pass account.
For more information on using Proton Pass, visit https://proton.me/support/use-pass-web.
Linking Proton Pass with your university account
- Log in to the Account Portal with the user ID for which you want to set up two-factor authentication.
- After successfully logging in, activate or manage two-factor authentication.
- If you have never used two-factor authentication (2FA) before, click on Activate.
- If you have already activated two-factor authentication (2FA), click on Manage. Your existing tokens will be displayed. Then click on New token.
- Click here under the QR code to copy the secret key*.
- Log in to https://pass.proton.me.
- Click on the plus symbol at the top right.
- Click on Create access data.
- Enter the following data:
- Title: give the factor a name that is meaningful to you.
- Username or email address: leave this field empty.
- Password: leave this field empty.
- *2FA secret (TOTP): enter the secret key from your account portal.
- Website: https://idp.uibk.ac.at/
- Note: if desired.
- Click on Create login to save your details.
- Then, in the Account Portal, enter the generated one-time password (6 digits) that is shown in the 2FA token field in Proton Pass.
Detailed information on your specific operating system (macOS or Windows) and browser can be found at https://proton.me/support/pass-2fa.
Log in with two-factor authentication
- Open the service (VIS:online, OpenOlat, LFU:online, ...) for which you want to log in.
- Enter your user ID and the corresponding password as usual.
- Click on Login.
- Open the app on your mobile device. The available tokens will be displayed. The one-time password of a token consists of 6 digits that are updated every 30 seconds.
- Enter these 6 digits in the corresponding field on your login page.
- Click on Verify. You are now successfully logged in.
If you are unable to log in with an Authenticator app, you can find possible sources of error in our FAQs.
- Open the service (VIS:online, OpenOlat, LFU:online, ...) for which you want to log in.
- Enter your user ID and the corresponding password as usual.
- Click on Login.
- Click on Start under Security Key. A new window opens.
- Choose whether you want to use the Windows Hello PIN, the security key or the iCloud keychain.
- Follow the instructions on the screen. (The instructions differ between Windows, macOS, Linux and their individual versions).
- Open the service (VIS:online, OpenOlat, LFU:online, ...) for which you want to log in.
- Enter your user ID and the corresponding password as usual.
- Click on Login.
- Open https://pass.proton.me/ in another browser tab and log in with your Proton account.
- Copy the 6-digit code that is displayed under 2FA Token in Proton Pass.
- Enter this code in the university login window and click on Verify.
FAQs
If you have set up several two-factor authentication methods, please use the one that is still available to you.
If you do not have another second factor, please contact the ZID Service Desk.
To ensure that you retain access to your account and resources even if you lose or forget your current device, we strongly recommend that you set up additional factors. By having several second factors, you minimise the risk of access problems and ensure reliable and flexible authentication.
Please note that any additional security keys you set up should support the FIDO2 standard to ensure the highest possible level of security. If you have any questions or require support, please contact the ZID Service Desk.
It is important to report the loss or absence of the second factor immediately to minimise potential security risks and restore access to your digital services. Contact the ZID Service Desk for support.
Download the authenticator app on your new mobile phone and link the app to your account in the Account Portal. Please note that you still need your old mobile phone with the corresponding app to log in to the Account Portal with 2FA. (If you have set up a security key, Windows Hello PIN or Apple ID, you can also use these to log in).
If you no longer have access to your old mobile phone, this should be treated like a lost token. Contact the ZID Service Desk.
TOTP in the app and the login window do not match.
A TOTP code should be displayed both in your app and in your university login window. This is the "name" of your password, so to speak (6-digit code). The "name" of the token must match in the app and in the university login window. If this is not the case, something went wrong when setting up the app/token, or you have accidentally deleted the token in the app. Please log in with a different authentication method and link the app again in your Account Portal. If you do not have another authentication method, please contact the ZID Service Desk.
The time and date on the mobile phone are not set correctly.
The app uses the so-called TOTP method for two-factor authentication. TOTP stands for Time-based one-time password. The procedure generates a one-time password (OTP) using the current time as the source of uniqueness. Therefore, please ensure that the time and date on your mobile phone are set to "automatic". This means that the time and date are regularly synchronised with the Internet down to the second.
Code has already expired
The 6-digit code displayed in the app is only valid for 30 seconds. Please ensure that you always use the current code to log in.
If you have set up the Windows Hello PIN on your device and are now having difficulties adding a security key, please follow the steps below:
- If the setup of a Windows Hello PIN was started before you were able to add a security key, cancel the setup.
- After you have cancelled the Windows Hello PIN setup, you can now add a security key.
Please note that the shared use of accounts is only permitted for function accounts. See also Sharing account data/user data.
We recommend storing separate 2FA tokens for the function account for each person authorised to access it. Ideally, the tokens are created together at an in-person appointment. The person responsible for the account logs in to the Account Portal on a device with the user data of the function account. All persons involved can then create a second factor there using their own authenticator app or security key. To make the factors easier to assign, it is advisable to note the name of the corresponding person in the token description. In future, each person can then log in to the function account with the user data of the function account + their own second factor.
You do not have to install the app recommended by us. You can also use another app that supports the TOTP standard.
For Android devices, for example, we have had good experiences with Aegis. On iOS, the password manager of the operating system also supports TOTP and can therefore be used. Please understand that the Service Desk can only provide support for problems with the app that we recommend.
To generate the login codes, the application does not require any authorisations (internet access, address book access, access to files on the device, ...), apart from camera access to scan the QR code. A critical look at the authorisations required by the respective app can help when selecting a trustworthy app.
During setup, only a so-called secret is exchanged via the QR code. An authenticator app can use this secret and an algorithm to generate one-time passwords. This means that no personal or sensitive data is exchanged.
The second factor should represent physical possession. We therefore recommend generating the login codes on a mobile device that you usually carry with you.
For special use cases, it may be useful to (also) install an authenticator app on a desktop computer/notebook. We recommend the following solutions for the various operating systems.
- Many password managers support the generation of login codes (TOTP) on different operating systems. We have created a guide for KeePassXC.
- The password manager integrated in macOS supports TOTP, but we recommend using the security chip on this platform.
- Under GNU/Linux we recommend GNOME Authenticator.
- On systems with Microsoft Windows, 2fast can be obtained from the Microsoft Store. If possible, however, we recommend using the Windows Hello PIN.
(This list is to be understood as a recommendation. Unfortunately, the Information Technology Services cannot provide specialised support for these applications).
The Information Technology Services department provides all university employees with a hardware security key for two-factor authentication on request. The Security Key NFC (USB A) model from the manufacturer Yubico is currently being issued.
Employees who cannot or do not want to install an authenticator app for two-factor authentication (e.g. because they do not have a mobile phone) can obtain a security key from the responsible technical support and use this USB hardware as a second factor (something they physically own).
In principle, one security key is issued per employee and can be used for both personal and function accounts. In the event of loss or damage, we reserve the right to demand reimbursement for the replacement.
The Information Technology Services (ZID) issues security keys to students at cost price (cash only!). Until further notice, sales are conducted every Tuesday from 10:00 to 12:00 and every Thursday from 14:00 to 16:00. The distribution point is the Secretariat of the ZID at Campus Technik (Technikerstraße 23, 1st floor).
It is generally recommended to scan the QR code with/via an authenticator app, not via the mobile phone camera app.
The token scanned on an iPhone via the mobile phone camera app can be found in the settings under Passwords. The corresponding token is labelled with the university logo.
Contact us
Service Desk / Service Hotline
(0512) 507-23999 (Monday - Friday, 08:00 to 16:00)
E-Mail: ZID-Service@uibk.ac.at
If you are unable to set up the 2FA despite written/telephone help, you are welcome to drop by during our 2FA consultation hours. These take place every Thursday from 09:00 to 11:00. Please book an appointment for this at: https://anny.eu/b/book/2fa-sprechstunde.