Multi-factor authentication
To increase IT security at the University of Vienna, the ZID provides multi-factor authentication (MFA) for some services.
Understanding the basics
Multi-factor authentication is an effective way to prevent unauthorised persons from gaining access to services with access data (user name and password) that has been phished, stolen or lost.
If you log in to a service without multi-factor authentication, knowing the user name and password is enough. Unauthorised persons can obtain this access data via phishing e-mails, for example: such e-mails ask users to log in on a linked website or online form that imitates a legitimate one, and the data entered there is captured.
Multi-factor authentication counteracts this by requiring additional login components (factors) for a successful login. These additional factors are physical objects (such as a smartphone or a YubiKey) that the person logging in must have at hand, so a user name and password captured electronically are no longer sufficient on their own.
Multi-factor authentication means that at least two factors are required when logging in to a service:
- Knowledge, such as a password
- Possession, such as a smartphone
- Biometrics, such as a fingerprint
Example: If multi-factor authentication is activated for the VPN service, you must enter the following to log in:
- First factor: u:account access data
- Second factor: one-time password (generated by an app on your smartphone or by a YubiKey)
Supported methods
The ZID supports the following methods for the second factor:
Authentication app
The authentication app is installed on a smartphone and generates one-time passwords. Only apps that generate time-based one-time passwords (TOTP, RFC 6238) are supported: each code is derived from a secret shared with the service at set-up and from the current time, and is valid only for a short time window.
The ZID recommends the following apps:
- FreeOTP: available for Android via Google Play and for iOS via the App Store; open source, and on Android also installable via an alternative app store without a Google account
- Google Authenticator: available for Android via Google Play and for iOS via the App Store
- Microsoft Authenticator: available for Android via Google Play and for iOS via the App Store
Avoid running the authentication app on the same device from which you log in to the service. If that device is stolen or lost and the authentication app is on it, both factors end up in the same hands and the second factor provides no additional security.
Use separate devices instead: one for generating the one-time password with the authentication app (e.g. a smartphone) and one for logging in to the service (e.g. a computer).
Notes
The TOTP method
- is GDPR-compliant according to an audit by the Data Protection Officer of the University of Vienna, provided that synchronisation with cloud services (such as the account backup in Google Authenticator) is deactivated, so that the TOTP secret stays on the device. To use the GDPR-compliant TOTP procedure in Microsoft Authenticator, select the option Other or Scan a QR code when adding the account.
- works independently of the mobile phone number, so the ZID does not record it.
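The TOTP method described above, as an added example that is not part of the ZID's page or of any of the recommended apps: a minimal RFC 6238 implementation in Python. The shared secret is the published RFC 4226/6238 test key (a constructed demo value, not a real credential), shown in base32 because that is how an enrolment QR code delivers it to the app. The verifier class is an assumed server-side check, not the ZID's: it accepts one time step of clock drift either way and rejects a code that has already been accepted.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 reference key "12345678901234567890"
# (ASCII), base32-encoded as an enrolment QR code would carry it. Published test
# vector only, never use it as a real credential.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP = 30   # seconds per code; the default used by FreeOTP, Google and Microsoft Authenticator
DIGITS = 6       # code length used by the same apps by default


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret from the QR code / set-up form (padding optional, case-insensitive)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(key, unix_time // step, digits)


def current_code(secret_b32: str) -> str:
    """What the app on the smartphone displays right now for this secret."""
    return totp(decode_secret(secret_b32), int(time.time()))


class TotpVerifier:
    """Assumed server-side check: accept the current window and one step either side,
    and never accept the same (or an older) window twice, so a captured code cannot be replayed."""

    def __init__(self, key: bytes, skew_steps: int = 1):
        self.key = key
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1   # per-user state in a real deployment

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = unix_time // TIME_STEP
        for counter in range(now - self.skew_steps, now + self.skew_steps + 1):
            if counter <= self.last_accepted_counter:
                continue   # already used, or older than a code that was already used
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.key, counter), submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_B32)
    print("code at T=59 (RFC 6238 vector):", totp(key, 59))
    print("code right now for the demo secret:", current_code(DEMO_SECRET_B32))
```

With a step of 30 s and a skew of one step, a code is accepted for at most 90 s; the replay guard is what turns a code that was phished and typed into a fake form into a one-shot value rather than a reusable password. Note that everything above depends on the secret staying on the smartphone: an attacker who holds the device the secret lives on, or a cloud backup of it, can compute every future code, which is why the page tells you to keep the app off the device you log in from.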
Alternatives
Employees
Free authentication apps are available: in addition to the products from Google and Microsoft, the ZID recommends the open source app FreeOTP.
If employees cannot use any of these apps, in particular because they do not have a smartphone, a YubiKey can be provided as an alternative via the Hardware for employees service, after consultation with their superior and at the expense of the relevant organisational unit (requirement: registration as u:shop-Hardware Member, in German).
- YubiKey: connect the YubiKey to your computer, smartphone or tablet via USB (or NFC); it then supplies the one-time password in place of the app.
- For Microsoft 365 only: phone call or text message from Microsoft to a number you have registered in advance. Treat this as a fallback: a code delivered to a phone number is easier to intercept or redirect than one generated on a device you hold, so prefer an authentication app or a YubiKey where possible.
Using multi-factor authentication
Multi-factor authentication is available for the following services. In the course of 2023, further central IT services of the University of Vienna will be secured with MFA.
VPN
The use of MFA for VPN is recommended now. From 03.07.2023, 10:00, the VPN service can only be used with multi-factor authentication (MFA).
- Form Setting up second factor (prerequisite: You are in the data network of the University of Vienna, either on site or via VPN.)
- Form Zweiten Faktor ändern (changing second factor, in German)
- More information
Microsoft 365, Microsoft Azure
Microsoft 365 and Microsoft Azure are secured with multi-factor authentication.
- Set-up takes place when you first access Microsoft 365
- Change or add further factors via your Microsoft 365 account
- More information