Email
Main Content

Service Information: Using 2FA without a Smartphone

At the University of Marburg, two-factor authentication (2FA) is fully supported even without a smartphone app. Whether you prefer analog paper tokens or platform-independent hardware solutions – we support your digital sovereignty and offer flexible alternatives for barrier-free access.

1. The Paper Token

For users who prefer a purely analog solution or are unable to use technical devices, the classic paper token is available.

  • Capacity: One token contains 150 one-time passwords. A maximum of two tokens per person will be issued.
  • Scope of Use: It serves as an analog alternative for infrequent logins or as a backup. Due to the high manual effort required, it is not recommended for daily, frequent logins.
  • Obtaining a Token: Tokens are issued exclusively in person upon presentation of a photo ID at the IT Service Desk.

2. Hardware Tokens: Private YubiKeys (HOTP Configuration)

Do you already own a private YubiKey? We can help you set it up as a hardware token for your university services so that its functionality matches that of an official university-issued token.

  • On-Site Initialization: To securely link your YubiKey to your university account, you must hand it in personally at the IT Service Desk. We will configure the key for you with an HOTP token.
  • Configuration Protection (Slot Lock): During setup, the corresponding slot on your YubiKey will be locked with a password. This prevents the university configuration from being accidentally overwritten or deleted.
  • Return / End of Studies: When you leave the university or wish to clear the slot again, the key must be brought back to the IT Service Desk. We will then unlock the slot for you so you can use the device in its factory default state.

3. Desktop Solutions (Windows, macOS, Linux)

You can generate 2FA codes directly on your computer. The following tools are available across multiple platforms and support our security standards (8-digit codes, SHA512):

  • KeePassXC & Proton Authenticator: These programs run natively on Windows, macOS, and Linux. (KeePassXC Guide | Proton Guide)
  • Password Managers (Bitwarden, Passbolt): These services offer high security standards and allow you to manage your TOTP codes directly in your browser or via a desktop application.
  • YubiKey with Yubico Authenticator: If you own a private YubiKey, you can use it with the Yubico Authenticator software. The codes are stored physically on the key itself. (Authenticator Guide)

4. TAN Tokens & Important Change in 2026

Existing paper lists (from the HIS import, 250-item, 40-item, or the new 12-item lists) will remain technically valid, but their use will be restricted for security reasons:

  • Starting Fall 2026: Self-printed TAN tokens will only be valid for logging into the 2FA portal as so-called "backup codes".
  • Security Background: This measure prevents brute-force attacks by limiting the use of these lists strictly to the administration portal.
  • Emergency Reserve: You can still generate 12-item TAN tokens in the 2FA portal as a backup. We strongly recommend printing these out and keeping them in a safe place so that you can issue a new token yourself in an emergency.

5. Outlook: FIDO2 and Passkeys

We are currently working on supporting FIDO2 and Passkeys. This method will simplify the login process, as it eliminates the need to manually type in codes.

Benefits for You: As soon as this feature is enabled, you will be able to use a wide variety of secure devices:

  • Hardware Keys: All FIDO2-compatible devices such as the YubiKey, Nitrokey, or Google Titan Key.
  • Browser Integration: Utilizing modern standards such as Windows Hello or macOS Touch ID.

We will update this page as soon as registering FIDO2 devices becomes available in the portal.