How the two-factor authentication service (2FA) works

Passwords on their own are easy for attackers to crack. Two-factor authentication offers considerably stronger protection by adding a second component to the password. The University Computer Center (HRZ) at Philipps-Universität Marburg (UMR) offers this service, too. In this newsletter you can read why 2FA is important and how it works at the UMR.

2FA works like a bank card plus PIN

Banks have been using two-factor authentication for decades: anyone who wants to withdraw money from an ATM needs their PIN (personal identification number) in addition to their personal bank card. This combination of two independent factors - knowledge (PIN) plus possession (card) - offers significantly increased protection against misuse. At UMR, we have been using 2FA to secure important IT services since 2018. Many of you first encountered this service when the VPN was placed under 2FA protection in May 2022.

More and more HRZ services are being converted to 2FA. You can find a list of services that already use 2FA on our website.

2FA procedure of the UMR at a glance

A maximum of ten tokens can be created and managed simultaneously per account. It is therefore advisable to generate additional tokens alongside the one initially issued, which you can do via the HRZ 2FA portal. Once all ten slots are in use, old tokens must be deleted to free up their slots before further tokens can be created.

Note: HRZ IT support can only block tokens, not delete them. To avoid delays in support, it is advisable to delete deactivated tokens yourself as soon as you no longer need them.

2FA via transaction number (TAN token)

A simple and widespread procedure is the use of so-called TAN tokens, i.e. paper lists of one-time passwords. The TAN tokens issued by the HRZ can be downloaded as a PDF via the 2FA portal and printed out yourself. Each of these lists contains 280 six-digit numbers.

Once a service requires you to enter the second factor, enter a number from the list. As each number is valid only once, you should cross it off after use to avoid accidental re-use.

2FA via smartphone (APP token)

The use of one-time passwords (OTPs) generated on a smartphone is also very common. When you create one of these tokens, a QR code is displayed, which you scan with your smartphone camera from within a special “Authenticator” app. The app then generates six-digit codes at regular intervals, which you use in the same way as the TANs described above. The procedure is standardized and can therefore be used with all common apps, such as those offered by Microsoft or Google. The HRZ recommends the 2FAS app, which is open source.
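The following is an added example, not code from the HRZ or the 2FA portal, showing what happens behind both token types described above: a TAN list is a set of random one-time codes that the server strikes out on first use, and the "standardized procedure" behind authenticator apps is time-based one-time passwords (TOTP, RFC 6238, built on HMAC-based HOTP from RFC 4226), which the QR code provisions as an otpauth URI. The issuer name, account name and secret below are constructed for illustration; the server-side verifier with a one-step clock-drift window and replay protection is a hypothetical minimal design, not the HRZ's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def generate_tan_list(count: int = 280, digits: int = 6) -> list[str]:
    """Produce `count` distinct random codes of `digits` digits (like the printed TAN list)."""
    codes: set[str] = set()
    while len(codes) < count:
        codes.add(str(secrets.randbelow(10 ** digits)).zfill(digits))
    return sorted(codes)


class TanList:
    """Server-side view of a TAN list: every code is accepted exactly once."""

    def __init__(self, tans: list[str]) -> None:
        self.unused = set(tans)

    def verify(self, code: str) -> bool:
        if code in self.unused:
            self.unused.remove(code)   # strike it out, just like crossing it off on paper
            return True
        return False


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time in 30-second steps."""
    return hotp(secret, for_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth URI that the enrolment QR code encodes (Key URI format used by common apps)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")


class TotpVerifier:
    """Hypothetical server-side check: tolerate +/- `window` steps of clock drift,
    but never accept a step at or before the last one that was already used."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30) -> None:
        self.secret, self.window, self.step = secret, window, step
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue                      # replayed or stale code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter   # burn this step so the code cannot be reused
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; a real token would use secrets.token_bytes(20).
    demo_secret = b"12345678901234567890"
    print("enrol via QR:", provisioning_uri(demo_secret, "user@example", "UMR-HRZ (demo)"))
    print("current app code:", totp(demo_secret, int(time.time())))
    tans = TanList(generate_tan_list())
    first = next(iter(tans.unused))
    print("TAN accepted:", tans.verify(first), "| same TAN again:", tans.verify(first))
```

The RFC test secret used in the demo (`12345678901234567890`) is the one published with the standard, so the codes it produces can be checked against the RFC vectors; the verifier accepts a code from the neighbouring time step only until a later step has been used, which is what makes a phished code worthless once the legitimate login has gone through.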

2FA via USB stick (employees only)

The use of personal USB tokens is particularly secure. These are special USB sticks that carry a programmed digital security key. As an employee of the university, you may know these as “YubiKeys”, currently in version 5 with a USB-A connector.

When your contract starts, your YubiKey will be sent to your university address. To initialize the stick, insert it into the USB port of the computer and, after entering your user name and password, press the button on the stick - usually marked with a Y. The security key is then entered automatically. As with TANs or OTPs, the YubiKey has to be inserted into the computer and pressed for every use. Alternatively, it can be linked to a smartphone using NFC short-range radio technology.

Please note: The YubiKey is a piece of equipment, like a key or transponder, with a value of €50. Please remember to return it when your contract ends.

A final word: two are better than one

Secure passwords in combination with an additional, second security feature provide very effective protection against misuse by criminals. Even if you happen to fall for a phishing attack and reveal your password, strangers will not be able to access the protected online service because they lack the necessary second factor for a successful login.