Email
Main Content

Terms of Use for Two-Factor Authentication

(As of January 23, 2017)

At the Philipps-Universität Marburg, access to IT services can be protected by a stronger authentication method, known as two-factor authentication (2FA). In two-factor authentication, an additional and notably independent component, the so-called token (e.g., a one-time password token), is requested to verify a user's identity, in addition to their personal user credentials consisting of username and user password.

1. A user is authorized to use a token if they are a member, partner, service provider, or guest of the university, and a service they intend to use requires two-factor authentication. The user obtains the token by means of

(a) Issuance by the University Computer Center (hardware token)

(b) Retrieval via the self-service portal of the University Computer Center (software token)

2. The token supplements the user credentials. It must not be made accessible to other persons. Transferring or passing it on to a third party is not permitted.

3. The user should always carry their token with them, much like an official university service key. The token may be stored in a locked location. The user must ensure that no access data (credentials) is stored together with the token.

4. Under the following conditions, the user is obliged to immediately disable the token or have it disabled by the University Computer Center:

(a) The user suspects that their token has been lost, stolen, disclosed, or otherwise compromised or misused.

(b) The token has been lost, stolen, disclosed, or otherwise compromised or misused.

(c) The user is no longer authorized to use the token. A hardware token must be returned to the issuing office within 14 days at the latest.

5. The issuing office is authorized to demand the return of the token from the user, provided that it is no longer required by the user (e.g., in the event of a lack of authorization or when exchanging the token).

6. Any device on which the user operates the token (for both hardware and software tokens) or stores it (for software tokens) must be adequately protected (e.g., through regular security updates and the use of anti-virus software).

7. Violations of these regulations may be sanctioned by the university under service or employment law. In the event of a grossly negligent or intentional violation by the user – particularly through transferring it to a third party or failing to disable the token – whereby the security of data, information, ICT systems, or the network is endangered and damage is caused to the university, claims for damages against the university may furthermore arise.