How the Two-Factor Authentication Service (2FA) Works
Passwords can be compromised by attackers under various circumstances. Two-factor authentication provides additional protection by adding a further component (second factor) to the password. The Computer Center (HRZ) of the Philipps-Universität Marburg (UMR) therefore secures various sensitive IT services using 2FA. On this page, you can read about why 2FA is important and how the entire process works at UMR.
2FA Works Like a Bank Card Plus PIN
Banks have been using two-factor authentication for decades: Anyone wishing to withdraw cash from an ATM requires their personal bank card as well as the corresponding PIN (Personal Identification Number). This combination of two independent factors – knowledge (PIN) plus possession (card) – offers significantly increased protection against misuse. At UMR, we have been using 2FA to secure important IT services since 2018. Many of you first encountered this service in May 2022, with the implementation of 2FA protection for the VPN.
Overview of 2FA Methods at UMR
The second factor is also referred to as a token and can be implemented in various ways.
A maximum of ten tokens can be created per university account, and you can use any of them. It is therefore advisable to create additional tokens, if necessary, alongside the initial token provided at the start. This can be done via the HRZ 2FA Portal. Unused tokens can be deleted within the 2FA Portal.
Please note: HRZ IT Support can only disable tokens; it cannot delete them. To avoid support delays, we recommend that you delete deactivated tokens yourself as soon as you no longer require them.
2FA via Smartphone (App Token)
The use of so-called One-Time Passwords (OTPs) or Time-based One-Time Passwords (TOTPs) is equally common. When you set up such a token, a QR code is created, which you scan with a special "Authenticator" app using your smartphone's camera. The app then generates a six-digit code at specific time intervals, which is used in the same way as a TAN (see the TAN token section below). This process is standardized and can therefore be used with various TOTP apps, such as those from Microsoft (Microsoft Authenticator) or Google (Google Authenticator). The HRZ recommends the open-source app 2FAS.
2FA via USB Token (Staff Only)
The use of personal USB tokens is particularly secure. These are special USB flash drives equipped with a crypto-chip. As a university employee, you will know these as "YubiKeys", currently provided as version 5 with a USB-A connector.
YubiKeys are sent to your official university work address at the start of your contract. To initialize the token, insert it into your computer's USB port and, after entering your username and password, press the button on the token, which is typically marked with a "Y". This automatically enters the security key. Just as a TAN or OTP must be entered at every login, the YubiKey must be plugged into the computer and its button pressed for every subsequent use. Alternatively, it can be paired with a smartphone using Near Field Communication (NFC) technology.
Please note: The YubiKey is work equipment, much like a physical key or an electronic key fob, with a value of €50. Therefore, please be sure to return it at the end of your employment contract.
2FA via Transaction Number (TAN Token) [Phasing Out - Future Use as Backup Token Only]
A simple method is using TAN tokens – these are lists of one-time passwords that you can download as a PDF from the 2FA Portal and print out yourself.
Current Changes and Outlook
Please note that the role and scope of this method are changing as part of system maintenance:
- Reduction in the Number of TANs: Effective immediately, a newly generated TAN token will only contain twelve eight-digit numbers.
- Transition in Fall 2026: From Fall 2026 (expected), the TAN token will no longer be used as a primary method for daily logins. It will then serve primarily as a backup token. Students without a smartphone should contact the IT Service Desk; employees receive a hardware token automatically upon signing their contract.
- Intended Purpose: The list remains valid for logging into the 2FA Portal. This is particularly crucial if you lose your primary 2FA device (e.g., a smartphone) and need to set up a new means of access.
A Final Word: Better Safe Than Sorry
Secure passwords combined with an additional, second security feature offer highly effective protection against misuse by criminals. Even if you fall victim to a phishing attack and reveal your password, unauthorized parties cannot access the protected online service because they lack the second factor required for a successful login.