For functions (e.g. institute email address, projects), it is advisable not to link authorizations directly to a person's personal account, but to create separate function accounts. These accounts are separate from the personal accounts, but the person for whom the request is made is responsible for the functional account.

Function accounts can be used by more than one person. The person responsible for the function account should change the password regularly (at the latest when a person should no longer have access).

For information on two-factor authentication for shared function accounts, see the FAQs.

The login data for the account will be delivered to your department or to your private address. If you have not received aa account, please contact zid-benutzerverwaltung@uibk.ac.at.

The login data for function accounts are sent to the personal university e-mail address of the person responsible.

As a rule, personal accounts are valid until the end of the person's employment, function accounts are valid for two years from the date of permit.

In order to simplify the administration and to provide the heads of the organizational units with a more precise overview, the ZID sends out a collective application ("Sammelantrag") once a year. All valid function accounts are recorded on the collective application and shall be transmitted to the ZID for further renewal or deregistration.

If an account is provided for expiration, the ZID gives the affected users deadline to secure data. To inform users about the imminent expiry of their account, the ZID sends two or, for personal accounts, three expiry warnings by e-mail.

After the account has expired, the data (e-mails, documents) are retained for one year, after which they are deleted.

Rules for expiration of accounts after termination of employment

Employees will receive a notification via e-mail one month after the termination of the employment, stating the exact date of the expiration of the account. The deadline is seven months after the end of the employment for permanent staff and external lecturers. It is not possible to extend the use permit for the account beyond the stated date.

Emeritus university professors and retired academic staff may continue to use the personal account and apply for an extension after five years.

For personal accounts, an automatic reply email will be sent for one year from the time the account has expired, stating that the email address no longer exists. Staff members have the option of entering a reference to an alternative mail address there. This can either be another personal email address or a reference to an institute address.
In the information mail about the expiration of the account, a link for activating this function is provided.
https://lfuonline.uibk.ac.at/public/pvs_public.mail_fwd
This link is only available in the period between the sending of the first expiration warning and the expiration of the account. The activation of the automatic reply will take place when the account is expired. Mail forwarding to other mail addresses is not possible after the account has expired.

If the employment is renewed, the period of use of the account can be extended or reactivated either via the entry workflow or via the application form.

If the employment takes place within the expiration period, a corresponding notification for the extension of the use permit is usually sent, a separate application is then not necessary.

Important personal messages from the university (e.g. appointments, notifications of exam results, etc.) will be sent to your mail address. You can read the mails via webmail for students, in a mail client or in the university app.

The account expires at the end of the admission to studies. Admission to studies expires if no continuation notification is made.

After the end of the admission period (October 31 for the winter semester or March 31 for the summer semester, plus a processing period), a check is made to determine which students are no longer admitted. Students who are no longer admitted will receive an expiration warning by e-mail to the university e-mail address at least 10 days before expiration with the exact expiration date. On this date, the account will be automatically deactivated, an extension beyond this date is not possible.

Access to LFU:online remains active even after the account has expired. You can still log in with your ID and the corresponding password and retrieve your examination data, etc.

If you are admitted to the program again, the account will be reactivated in the course of the admission procedure in the Admissions Office. In this case, the ID, initial password and e-mail address remain unchanged. The password will be reset to the original initial password during reactivation. If this automatic reactivation has not taken place, please contact zid-benutzerverwaltung@uibk.ac.at.

Further information

• Admission to Study Programmes
• Studying costs & financial support
• Leave of absence from studies

You will receive an initial password from ZID. Change this as soon as possible and replace it with a suitable password of your own.

Please note the following requirements for a suitable password

The password must have at least eight characters; umlauts (ä, ö, and ü) must not be used.

It must contain at least one uppercase letter, ideally not at the beginning of the password

It must contain at least one digit

We also recommend the use of special characters; suitable are dot, comma, semicolon, question mark, exclamation mark, minus, underscore; special characters must not be used at the beginning of the password.

A simple method to create a secure password: think of a sentence and construct the password from it. An example is the sentence "This is a secure password, right?".

This results in the following password:

Ti1sPw,r?

The password becomes even more secure if you change the case of singular letters or take several letters from one word (without making it difficult for you to remember), for example:

Tis1siPW,r?

Ideally, choose a password that you can remember and don't have to write down. If you are unsure if you can remember the password, write it down, but store it in a way that is not accessible to anyone else. A common mistake is to have the password written down on a piece of paper that is attached on the computer, monitor or under the keyboard.

So-called password managers are helpful with the secure handling of passwords.

A platform-independent, free password manager is KeePassXC.

Note that there is also an "Administrator" user on your PC. A secure password must also be selected for this user. If you have questions about this or problems with your administrator user, please contact the technical support of your institute.

Make sure no one is watching you when you enter your password. If you are unsure whether someone has seen the password, set a new one immediately.

The password of a personal account may only be known to the owner of the ID in order to avoid misuse.

Passing on the password to third parties violates the ZID's user regulations.

Function-related user authorizations are an exception. You can find more information about this under Function accounts.

Nowadays there are many web services for which you need an account.

For these web services you should in any case use a different password than for the services of the ZID: This password is transmitted over unknown and thus potentially untrusted networks. If possible, you should use a separate password for each of these services.

Modern browsers also offer the possibility to save the passwords for you, so you don't have to remember them. However, the passwords are now stored under your account in the browser profile. If someone gains access to your account, it is easy to learn these passwords. Therefore, if you use this feature of the web browser, you should pay special attention to the security of your account and assign a master password for the browser password safe.

A platform-independent, free password manager is KeePassXC.

To use the security chip on Windows devices as a second factor you first need to set up the Windows Hello PIN. Attention: this factor then only applies to the device on which the security chip has been set up.

Here you will find step-by-step instructions on how to set up Windows Hello.

iCloud Keychain

To use the security chip as a second factor on Apple devices, you must first set up the Apple ID. This variant currently only works with Safari on macOS. Chrome and Firefox are not supported.

Here you will find step-by-step instructions on how to set up the iCloud Keychain.

Security chip - GNU/Linux

GNU/Linux currently lacks an implementation of a FIDO2 platform authenticator, so the TPM chips built into common hardware cannot be used as a second factor. As a result, you can currently only use an authenticator app (TOTP) or a FIDO2 roaming authenticator (e.g. dedicated Security Key) under GNU/Linux.

Proton Pass is a service where the access data is stored in encrypted form on the provider's system. This means that you don't have to worry about ensuring that your access data is available everywhere and doesn't get lost.

We recommend Proton Pass because

• private use is free of charge (including 2FA functionality).
• the access data is automatically synchronized between devices (wherever the app or browser add-on is installed)
• the company specializes in secure communication.
• the source code of the clients and web applications is public.
• The company and server location is in Europe and therefore European data protection standards apply.

Here you will find step-by-step instructions on how to set up Proton Pass.

KeePassXC is an offline password manager that supports two-factor authentication. The application stores access data in an encrypted file on the local hard disk.

ATTENTION: With KeePassXC, you must keep your password file safe yourself and ensure that you have it available on every device you want to use to log in to the university's services.

Installation and use is described in the article Password management.

When logging in, you enter your identifier and password that you received from the university and, if necessary, a mandatory factor.

To make sure that you are logged out from all websites using WebSSO of the University of Innsbruck, please close your browser.

If you want to log in with another account (e.g. function accounts), you have the following options:

• use the private mode of your web browser (Mozilla Firefox; Google Chrome; Microsoft Edge; Internet Explorer).
• use Multi-Account Containers for Firefox.
• disable automatic Windows Desktop login in the login settings.

Please enter your credentials only on trusted devices!

If you log in on a foreign device, we recommend using the private mode of your web browser (Mozilla Firefox; Google Chrome; Microsoft Edge; Internet Explorer). Close the browser windows to log out.

This method allows you to automatically log in to WebSSO as soon as you are logged in to your Windows workstation PC.

If you always want to be logged in automatically, select the "Always use Windows Login" option. You can change this option via your settings.

This method works for PCs that are logged in to the Windows domain of the University of Innsbruck.

Furthermore, your web browser must be configured for Windows Login of the University of Innsbruck. This is the case by default for workstation PCs for Microsoft Internet Explorer as well as Google Chrome. For Mozilla Firefox the WebSSO server (idp.uibk.ac.at) must be entered:

1. Enter about:config in the address bar.
2. On the configuration page, search for negotiate.
3. You should now see the option network.negotiate-auth.trusted-uris. Click on it. A dialog will open. Enter idp.uibk.ac.at here and confirm.

First of all, please make sure that you have entered the ID and password correctly and that the Caps Lock is deactivated.

Please contact the ZID-Benutzerverwaltung@uibk.ac.at. For security reasons, you will be asked to confirm your identity. Therefore, please have a document ready that verifies your identity.

If you are able to log in to some services (e.g. web mail) but not others (e.g. LSA, VPN access, wiki login, etc.), you can synchronize your password in the Account Portal.

You can also change your password via the account portal.

You can change your password via the account portal.

In addition to your user ID and the old access password, the new password must be entered twice. We recommend to use upper and lower case in the password and at least one digit or special character (see also Choosing a suitable password).

If you use network drives (e.g. the home directory I:, in general: network file systems), you must log out of your computer and log in again after changing the password.

If you cannot locate your Second Factor, you should contact the ZID Service Desk immediately.

To ensure that you retain access to your account and resources even if you lose or forget your current device, we strongly recommend setting up additional factors. By having multiple second factors, you minimize the risk of access issues and ensure reliable and flexible authentication.

Please note that when setting up additional security keyss, you should ensure that they support the FIDO2 standard to ensure the highest possible security. Contact the ZID Service Desk if you have any questions or need assistance.

It is important to report the loss or absence of the Second Factor immediately to minimize potential security risks and restore access to your digital services. Do not hesitate to contact the ZID Service Desk for assistance.

Download the Authenticator app on your new cell phone and link the app to your account in the Account Portal. Please note that you still need your old cell phone with the corresponding app to log in to the Account Portal with 2FA. (If you have set up a security key, Windows Hello pin or Apple ID, you can also use these to log in).

If you no longer have access to your old cell phone, this should be treated like a lost token. Contact the ZID Service Desk.

Possible sources of error

TOTP in the app and the login window do not match.

A TOTP code should be displayed both in your app and in your university login window. This is the "name" of your password, so to speak (6-digit code). The "name" of the token must match in the app and in the university login window. If this is not the case, something went wrong when setting up the app/token, or you have accidentally deleted the token in the app. Please log in with a different authentication method and link the app again in your account portal. If you do not have another authentication method, please contact the ZID Service Desk.

The time and date on the cell phone are not set correctly.

The app uses the so-called TOTP method for two-factor authentication. TOTP stands for Time-based one-time password. The procedure generates a one-time password (OTP) using the current time as the source of uniqueness. Therefore, please ensure that the time and date on your cell phone are set to "automatic". This means that the time and date are regularly synchronized with the Internet down to the second.

Code has already expired

The 6-digit code displayed in the app is only valid for 30 seconds. Please ensure that you always use the current code to log in.

If you have set up the Windows Hello PIN on your device and are now having trouble adding a security key, please follow the steps below:

• If the Windows Hello PIN setup started before you could add a security key, cancel the setup.
• After canceling the Windows Hello PIN setup, you can now add a security key.

Please note that account sharing is only allowed for function accounts. See also Disclosure of user data.

We recommend generating separate 2FA tokens for the function account for each person with access rights. Ideally, the tokens are created together in a personal appointment. The person responsible for the account logs on to a device in the account portal with the user data of the function account. All persons involved can then create a second factor there with their own Authenticator app or their own security key. To be able to assign the factors better, it is recommended to note the name of the associated person in the token description. Each person can then log in to the function account in the future with the user data of the function account + their own second factor.

You don't have to install the app we recommend. You can also use another app that supports the TOTP standard.

For Android devices, we have had good experiences with Aegis, for example. On iOS, the operating system's password manager also supports TOTP and can therefore be used. We ask for your understanding that the Service Desk can only provide support in case of problems with the app we recommend.

To generate the login codes, the app does not need any permissions (Internet access, address book access, access to files on the device, ...), apart from camera access to scan the QR code. A critical look at the permissions desired by the respective can help in choosing a trustworthy app.

During setup, only a so-called secret is exchanged via the QR code. An authenticator app can use this secret and an algorithm to generate one-time passwords. Thus, no personal or sensitive data is exchanged.

The second factor should represent physical possession. We therefore recommend generating the login codes on a mobile device that you usually carry with you.

For special use cases, it may be useful to (also) install an authenticator app on a desktop computer/notebook. We recommend the following solutions for the different operating systems.

1. Many password managers supported the generation of login codes (TOTP) on different operating systems. We have created a guide for KeePassXC.
2. The password manager integrated in macOS supports TOTP, but on this platform we recommend to use the Security Chip.
3. On GNU/Linux we recommend GNOME Authenticator.
4. On systems with Microsoft Windows, 2fast can be obtained from the Microsoft Store. If possible, we recommend to use Windows Hello though.

(This list is to be understood as a recommendation. Unfortunately, the ZID cannot provide specialized support for these applications).

The Central IT Service (ZID) provides a hardware security key for two-factor authentication to every employee of the university on request. The Security Key NFC model from the manufacturer Yubico is currently being issued.

Employees who cannot or do not want to install an authenticator app for two-factor authentication (e.g. because they do not have a cell phone) can obtain a security key from the responsible technical support team and use this USB hardware as a second factor (something they physically possess).

In principle, one security key is issued per employee - this can be used for both personal and functional accounts. In the event of loss or damage, we reserve the right to demand reimbursement of costs for a further issue.

The Central IT Service (ZID) issues security keys to students at cost price (cash only!). Until further notice, the sales windows are every Tuesday from 10:00 to 12:00 and every Thursday from 14:00 to 16:00. The distribution point is the ZID office on the Campus Technik. (Technikerstraße 23, 1st floor)