Main Content

Terms of use for two-factor authentication

(as of 23 January 2017)

At Philipps-Universität Marburg, access to IT services can be protected by a stronger authentication procedure, so-called two-factor authentication (2FA). With two-factor authentication, in addition to the personal user ID, consisting of user name and user password, a further and in particular independent component, the so-called token (e.g. one-time password token), is requested to prove a user's identity.

1. the authorisation to use a token exists if the user is a member, partner, service provider or guest of the university and a service to be used by the user requires two-factor authentication. The user receives the token via

(a) Issue by the university computer centre (hardware token)

(b) Retrieval in the self-service portal of the university computer centre (software token)

2. the token supplements the user ID. It must not be made accessible to other persons. It may not be passed on to a third party.

3. the user should always carry their token with them like a service key. The token can be stored in a locked location. The user must ensure that no access data is stored together with the token.

4. the user is obliged to block the token immediately or have it blocked by the University Computer Centre under the following conditions:

(a) The user suspects that their token has been lost, stolen, disclosed or otherwise compromised or misused.

(b) The token has been lost, stolen, disclosed or otherwise compromised or misused.

(c) The user is no longer authorised to use the token. A hardware token must be returned to the issuing organisation within 14 days at the latest.

5. the issuing body is entitled to reclaim the token from the user if it is no longer required by the user (e.g. if authorisation is lost or the token is replaced).

6. each device on which the user uses the token (for hardware and software tokens) or stores it (for software tokens) must be adequately protected (e.g. by regular security updates and the use of anti-virus software).

7 Violations of these regulations may be sanctioned by the university under employment or labour law. In the event of a grossly negligent or wilful breach by the user, in particular by passing on the token to a third party or not blocking it, which jeopardises the security of data, information, ICT systems or the network and causes damage to the university, the university may also be liable for damages.