Multi-factor authentication

To increase IT security at the University of Vienna, the ZID provides multi-factor authentication (MFA) for some services.

Understanding the basics

Multi-factor authentication is an effective method of preventing unauthorised persons from gaining access to services with access data (user name and password) that they have obtained through phishing or that was otherwise stolen or lost.

If you log in to a service without multi-factor authentication, knowing the user name and password is enough. Unauthorised persons can obtain this access data via phishing e-mails, for example: in these e-mails, users are asked to log in on linked websites or online forms that imitate a legitimate website or form, and whatever is entered there goes straight to the attacker.

Multi-factor authentication counteracts this by requiring additional login components (factors) for a successful login. At least one of these factors is something the user physically holds (or is), so it cannot be copied or captured in the same way as a password typed into a form: stolen access data alone is no longer enough to log in. Note that a one-time code entered on a phishing page can still be relayed by the attacker within its short validity period, so MFA greatly reduces the risk from phishing but does not eliminate it.

Multi-factor authentication means that at least two factors are required when logging in to a service:

  • Knowledge, such as a password
  • Possession, such as a smartphone
  • Biometrics, such as a fingerprint

Example: If you have activated multi-factor authentication for the VPN service, you must provide the following data to log in:

  • First factor: u:account access data
  • Second factor: one-time password (generated by an app on your smartphone or by a YubiKey)

Supported methods

The ZID supports the following methods for the second factor:


Authentication app

The authentication app is installed on the smartphone and generates one-time passwords. Only apps that implement the TOTP procedure (time-based one-time passwords, RFC 6238) are supported.

The ZID recommends the following apps:

  • Google Authenticator
  • Microsoft Authenticator
  • FreeOTP (open source)

Avoid using the authentication app on the same device on which you log in to the service. If that device is stolen or lost and the authentication app is also on it, the second factor provides no additional security, because the thief holds both factors.

Instead, use one device for creating the one-time password via the authentication app (e.g. smartphone) and a separate one for logging in to the service (e.g. computer).
 

Notes

The TOTP method

  • is compliant with the GDPR according to an audit by the Data Protection Officer of the University of Vienna, provided that synchronisation of the accounts with cloud services (as offered by Google Authenticator, for example) is deactivated, since synchronisation uploads the TOTP secrets to the provider's cloud. To use the GDPR-compliant TOTP procedure in Microsoft Authenticator, select the option Other or Scan a QR code when adding the account.
  • works independently of the mobile phone number, so the ZID does not record it.
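As an added illustration of the TOTP procedure that the supported apps implement (example code written for this page; it is not software from the ZID or from any of the apps named above): the generator and verifier below follow RFC 6238 (TOTP) on top of RFC 4226 (HOTP), and the small parser reads the otpauth:// URI that the Scan a QR code step hands to the app. That URI format is the de facto key URI convention used by authenticator apps, not something this page specifies. The secret is the key published with the RFC test vectors, so the codes can be checked against the RFC tables; the issuer and account name in the URI are constructed for the example.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), plus a parser for otpauth:// URIs.

Example code for this page; not the ZID's software nor any authenticator app's code.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example input: the 20-byte key used in the RFC 4226/6238 test vectors
# ("12345678901234567890"), base32-encoded as it would appear inside a QR code.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed otpauth URI (issuer and account name are made up for the example).
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example%20Issuer:user%40example.org"
    f"?secret={EXAMPLE_SECRET_B32}&issuer=Example%20Issuer"
    "&algorithm=SHA1&digits=6&period=30"
)


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 TOTP secret; QR codes usually omit '=' padding and may use lowercase."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(binary % 10 ** digits).zfill(digits)  # keep leading zeros: "081804" is a valid code


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current time step (Unix time // period)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the code of the current step or of `window` steps either side
    (clock drift between phone and server); compare every candidate in constant time, no early return."""
    at = int(time.time()) if at is None else at
    step = at // period
    ok = False
    for delta in range(-window, window + 1):
        if step + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, step + delta, digits, algorithm), code):
            ok = True
    return ok


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/<label>?secret=...&issuer=... URI encoded in an enrolment QR code."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": decode_secret(params["secret"]),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


if __name__ == "__main__":
    acct = parse_otpauth(EXAMPLE_OTPAUTH_URI)
    # RFC 6238 Appendix B: at Unix time 59 the SHA-1 code is 94287082, i.e. "287082" at 6 digits.
    print("RFC vector at t=59:", totp(acct["secret"], at=59, period=acct["period"], digits=acct["digits"]))
    now = int(time.time())
    code = totp(acct["secret"], at=now)
    print("current code for", acct["label"], ":", code, "valid:", verify_totp(acct["secret"], code, at=now))
```

The base32 secret in the QR code is the only secret involved: anyone holding a copy of it, a cloud backup included, produces identical codes, which is why the notes above recommend deactivating cloud synchronisation. Because the code depends only on the secret and the current time, no phone number is needed, and the verifier tolerates small clock drift by also accepting the codes of the adjacent 30-second steps (window=1).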



Alternatives

Employees

Free authentication apps are available. In addition to the products from Google and Microsoft, the ZID also recommends an open-source solution, FreeOTP.

If employees cannot use one of these apps, in particular because they do not have a smartphone, a YubiKey can be provided as an alternative via the Hardware for employees service, after consultation with their superior and at the expense of the relevant organisational unit (requirement: registration as a u:shop-Hardware Member, in German).

 

  • YubiKey: Connect the YubiKey to your computer, smartphone or tablet via USB (or NFC).
  • For Microsoft 365 only: Phone call or text message from Microsoft to a number you have registered in advance.

Using multi-factor authentication

Multi-factor authentication is available for the following services. In the course of 2023, further central IT services of the University of Vienna will be secured by means of MFA.


VPN

The use of MFA for VPN is recommended. From 03.07.2023, 10:00, the VPN service can only be used with multi-factor authentication (MFA).


Microsoft 365, Microsoft Azure

Microsoft 365 and Microsoft Azure are secured with multi-factor authentication.