Multi-factor authentication
To increase IT security at the University of Vienna, the ZID provides multi-factor authentication (MFA) for some services.
Direct links
VPN: form Setting up second factor
VPN: form Zweiten Faktor ändern (changing second factor, in German)
Understanding the basics
Multi-factor authentication is an effective method to protect against unauthorised persons gaining access to services through phishing or otherwise stolen or lost access data (user name and password).
If you log on to a service without multi-factor authentication, you only need to know the user name and password. However, unauthorised persons can obtain access data via phishing e-mails, for example: In these e-mails, users are asked to register on linked websites or online forms. These pretend to be a legitimate website or form.
Multi-factor authentication counteracts this by requiring additional login components (factors) for a successful login. These factors must be physically accessible to users who log in. This prevents them from being lost electronically.
Multi-factor authentication means that at least two factors are required when logging in to a service:
- Knowledge, such as a password
- Possession, such as a smartphone
- Biometrics, such as a fingerprint
Example: If you have activated multi-factor authentication for the VPN service, you must type in the following data to log in:
- First factor: u:account access data
- Second factor: one-time password, generated by an app on your smartphone or by a security key (YubiKey)
Supported methods
The ZID supports the following methods for the second factor:
Authentication app
The authentication app is installed on the smartphone and generates one-time passwords. Only apps that generate time-based passwords through TOTP procedure (time-based one-time passwords) are supported.
The ZID recommends the following apps:
- Free OTP: available for Android: Google Play, for iOS: App Store; open source app, can also be used with Android via an alternative App store without a Google account
- Google Authenticator: available for Android: Google Play, for iOS: App Store
- Microsoft Authenticator: available for Android: Google Play, for iOS: App Store
Notes
The TOTP method
- is compliant with the GDPR according to an audit by the Data Protection Officer of the University of Vienna, provided that synchronisation with cloud services, such as in Google Authenticator, is deactivated. To use the GDPR-compliant TOTP procedure in Microsoft Authenticator, select the option Other or Scan a QR code when adding the account.
- works independently of the mobile phone number. The ZID therefore does not record this.
Alternatives
Employees
Free authentication apps are available. In addition to products from Google and Microsoft, there is also an open source solution, FreeOTP, recommended by the ZID.
If employees are not able to use one of these apps, especially because they do not have a smartphone, a series 5 YubiKey can be provided as an alternative via the Hardware for employees service after consultation with the superior and at the expense of the relevant organisational unit.
- Security key (YubiKey): Connect the series 5 YubiKey to your computer, smartphone or tablet via USB (or NFC).
- For Microsoft 365 only: Phone call or text message from Microsoft to a number you have registered in advance.
Handling the second factor safely
Authentication app
Choosing the right device
Avoid using authentication apps on the same device on which you log in to the service. If the device on which you log in to the service is stolen or lost and the authentication app is also on that device, the additional security of the second factor is not provided.
Instead, use a separate device for creating the one-time password via the authentication app (e.g. smartphone) and for logging in to the service (e.g. computer).
Saving QR code
When setting up the second factor, you can save the QR code via screenshot, for example, and then store it in a safe place. This way, you can set up the second factor on several smartphones at the same time or transfer it to a new smartphone. The additional security provided by MFA is only given if the QR code cannot be accessed by other people.
Lost smartphone
- Report the loss to the IT Security team of the ZID using the form Gerät verloren (lost device, in German).
- Use the form Zweiten Faktor ändern (changing second factor, in German) (user guide), to set up the second factor on another smartphone.
Transferring the second factor to a new smartphone
You can export the second factor in most authentication apps on the old device and import it on the new device. To do this, follow the respective instructions in the apps or contact your IT representative.
Security key (YubiKey)
Users must set up the YubiKey themselves. This must not be done by a colleague or organisational unit as a substitute, as it is necessary to enter the u:account access details for setting up a YubiKey as a second factor.
The ZID recommends not to pass on already used YubiKeys to other users.
Using multi-factor authentication
The multi-factor authentication is available for the following services. In the future, further central IT services of the University of Vienna will be secured by means of MFA.
VPN
- Form Setting up second factor
- Form Zweiten Faktor ändern (changing second factor, in German)
- More information
Microsoft 365, Microsoft Azure
- The set-up takes place during the first access of Microsoft 365
- Change and add other factors via the Microsoft 365 account
- More information