MFA – Multi-factor authentication
To increase IT security at the University of Vienna, the ZID provides multi-factor authentication (MFA) for some services.
Understanding the basics
Multi-factor authentication is an effective way to prevent unauthorised persons from gaining access to services with phished, stolen or lost access data (user name and password).
If you log in to a service without multi-factor authentication, knowing the user name and password is enough. Unauthorised persons can obtain this access data via phishing e-mails, for example: the e-mails ask users to enter their login details on linked websites or online forms that imitate a legitimate website or form.
Multi-factor authentication counteracts this by requiring additional login components (factors) for a successful login. These factors are bound to something the user physically has, so they cannot simply be copied or stolen electronically the way a password can. Note that a one-time password is still only valid for a short time and, if entered into a phishing page, can be relayed by the attacker within that window; it therefore strongly reduces the risk, but does not remove the need to check where you are entering your data.
Multi-factor authentication means that at least two factors are required when logging in to a service:
- Knowledge, such as a password
- Possession, such as a smartphone
- Biometrics, such as a fingerprint
Example: If you have activated multi-factor authentication for the VPN service, you must provide the following data to log in:
- First factor: u:account access data
- Second factor: one-time password, generated by an app on your smartphone or by a security key (YubiKey)
Authentication app
The authentication app is installed on the smartphone and generates one-time passwords. Only apps that generate time-based one-time passwords using the TOTP procedure (RFC 6238) are supported.
The ZID recommends the following apps:
- FreeOTP: available for Android: Google Play, for iOS: App Store; open source app, can also be used on Android via an alternative app store without a Google account
- Google Authenticator: available for Android: Google Play, for iOS: App Store
- Microsoft Authenticator: available for Android: Google Play, for iOS: App Store
Notes
The TOTP method
- is compliant with the GDPR according to an audit by the Data Protection Officer of the University of Vienna, provided that synchronisation with cloud services (such as the account backup in Google Authenticator) is deactivated. To use the GDPR-compliant TOTP procedure in Microsoft Authenticator, select the option Other or Scan a QR code when adding the account.
- works independently of the mobile phone number. The ZID therefore does not record it.
Alternatives
Free authentication apps are available. In addition to products from Google and Microsoft, there is also an open source solution, FreeOTP, recommended by the ZID.
If employees are not able to use one of these apps, especially because they do not have a smartphone, a series 5 YubiKey can be provided as an alternative via the Hardware for employees service after consultation with the superior and at the expense of the relevant organisational unit.
- Security key (YubiKey): connect the series 5 YubiKey to your computer, smartphone or tablet via USB (or NFC).
- For Microsoft 365 only: phone call or text message from Microsoft to a number you have registered in advance.
Choosing the right device
Avoid using the authentication app on the same device on which you log in to the service. If that device is stolen or lost, whoever has it holds both factors at once, and the additional security of the second factor is gone.
Instead, use one device to generate the one-time password with the authentication app (e.g. smartphone) and a different device to log in to the service (e.g. computer).
Saving QR code
When setting up the second factor, you can save the QR code (via screenshot, for example) and store it in a safe place. This way, you can set up the second factor on several smartphones at the same time or transfer it to a new smartphone. Keep in mind that the QR code contains the shared secret from which all future one-time passwords are computed: anyone who obtains it can generate valid codes for your account for as long as the secret remains in use. The additional security provided by MFA is therefore only given if the QR code cannot be accessed by other people; do not leave it in a photo library that syncs to a cloud service, and if it is ever exposed, change your second factor.
Lost smartphone
- Report the loss to the IT Security team of the ZID using the form Gerät verloren (lost device, in German).
- Use the form Zweiten Faktor ändern (changing second factor, in German) (user guide), to set up the second factor on another smartphone.
Security key (YubiKey)
Users must set up the YubiKey themselves. A colleague or organisational unit must not do this on their behalf, because setting up a YubiKey as a second factor requires entering the user's u:account access details.
The ZID recommends not passing on YubiKeys that have already been used to other users.
VPN
- Form Setting up second factor
- Form Zweiten Faktor ändern (changing second factor, in German)
- More information
Microsoft 365, Microsoft Azure
- Set-up takes place when you first access Microsoft 365
- Change and add other factors via your Microsoft 365 account
- More information
User guides
Setting up second factor for VPN
Setting up second factor for Microsoft 365
- Microsoft Authenticator
- Authentication app
- Phone number
- Security key (YubiKey)
- Managing security key (YubiKey)
- Setting up another second factor
Changing second factor
Form Zweiten Faktor ändern (Changing second factor, in German)