Two Factor Authentication / 2FA

Two-factor authentication (2FA) is used for external access to the university network via VPN ("Forticlient") and for logging in to StudIP and Ilias: in addition to the standard password, a one-time password that changes over time is required.

Available for:

Employees, Students

Main features:

VPN access to our campus network is secured with an additional one-time password that changes every minute. Logging in to the VPN is therefore only possible after you have generated a so-called token in a self-service portal and transferred it to an authenticator app on your smartphone for daily use.

In future, the second factor will also be extended to other services that are reachable from the Internet.

Advantages:

A phished password on its own is no longer sufficient for an attacker, which gives additional protection to each individual and to the university. A one-time password that is phished and relayed in real time can only be used within its short validity window, so a captured code is worthless afterwards.

Requirement:

A smartphone is currently required to generate the one-time password.

Once you have installed an app for two-factor authentication (2FA), you can also use it to secure any other Internet services that offer a second factor, including private ones.

This is how it works:

You can only log in to the VPN once you have generated a so-called token on the 2FA system.

For security reasons, this is only possible on the HS campus or, in exceptional cases, via our helpdesk.

When logging in to the VPN, the one-time password is appended to the usual password.

Instructions

1. Install an app for two-factor authentication (2FA), such as FreeOTP, on your smartphone.

2. Go to https://mfa.hs-harz.de on a computer in the university LAN/WLAN and log in with your usual username and password.

From the Internet, the system is only reachable via VPN and a virtual PC in VMware, which you cannot use until you have a token. If you cannot come to the university, please contact our helpdesk, who can set up a temporary second factor for the VPN for you.

3. When you log in for the first time, you will be asked to generate your first token.

Enter a short name in the description field, e.g. "HSH 1".

After clicking on "Roll out token", a QR code appears in the next step.

4. Scan the QR code with the app on your smartphone to import the token.

In the FreeOTP app, tap "+" and then the QR code icon; other apps work in the same way.

5. You can now scan the same QR code with your other devices or create a separate token for each device. The QR code cannot be displayed again later (see FAQ 6), so scan it on every device you want to use before leaving this step.

You can generate a maximum of 3 tokens.

6. From now on, you must append the one-time password to your password whenever you log in to the VPN.

To do this, generate the one-time password by tapping the token in the app. A 6-digit number appears, which you type directly after your password, with no space or other separator.

Example: Your user name is "m5678". Your password is "ggeheimm". After tapping the token, your smartphone app displays "314159" as the one-time password. Enter "m5678" as the user name and "ggeheimm314159" as the password in Forticlient as usual.

FAQ

0. I don't have a smartphone or can't use it. What should I do?

If you are an employee of the university, we can issue you a hardware token, but it can only be used for university services.

The more convenient solution, which is also suitable for your private services, is to use a smartphone - as always, it's not as difficult as it sounds :)

1. I can't cope with these technical things. What can I do?

Students are welcome to contact the CH!P with any questions, employees the helpdesk.

2. I don't have my smartphone with me at the moment. What can I do?

Call the helpdesk, who can generate a temporary token for you.

3. I have lost my smartphone or it has been stolen. What now?

To be on the safe side, delete all your tokens at https://mfa.hs-harz.de. Then create a new token and transfer it to your replacement device. It is important to start over completely with new tokens, even if you still have tokens on other devices: if the same QR code was scanned on several devices, the lost device holds a copy of the same secret, and that token can only be revoked as a whole.

If you are not on site, please contact our helpdesk.

4. I have entered the one-time password incorrectly a few times and now I get a strange error message. Why is the login not working?

After 5 failed login attempts, your account is blocked for half an hour. After that, you can log in again.

If you are in the university network, you can also go directly to https://mfa.hs-harz.de and reset the error counter on your token yourself.

5. I would like to generate one-time passwords on several devices. Is that possible?

Yes, simply generate several tokens. A maximum of 3 tokens is allowed. If that is not enough, you can also scan the same token on several devices; those devices then share one secret.

6. I would like to scan the token again later. Is that possible?

No, for security reasons the QR code is only shown once. Simply create a new token (and delete the old one).

7. I have generated a token but am not using the SSL VPN ("Forticlient"). What use is it to me now?

If you have already installed an app, you can also use it for all your private Internet services that offer a second factor, to increase their security. Each service gives you its own secret token to scan.

8. I would prefer to use Google Authenticator instead of FreeOTP. Why doesn't that work?

Google Authenticator has for a long time ignored the algorithm field of a token and computed every code with SHA-1, whereas our tokens are issued with one of the SHA-2 algorithms (SHA-256 or SHA-512). An app that silently falls back to SHA-1 therefore produces codes that never match what our server expects, and the login fails. Strictly speaking, the known collision weaknesses of SHA-1 do not break HMAC-SHA1 as used for one-time passwords, but app and server must still agree on the algorithm.

Any other current 2FA app that honours the algorithm field works on our system without problems.
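As an added example (not code from this page or from the university's 2FA system), the following Python script shows two points made above: how a TOTP app derives the 6-digit code from the parameters in the QR code and how that code is appended to the password for Forticlient as in step 6 of the instructions, and why an app that ignores the algorithm field and always uses SHA-1 generates codes the server rejects (FAQ 8). The otpauth URI, its secret and the SHA-256 / 60-second settings are constructed for the example; the real parameters come from the QR code shown at https://mfa.hs-harz.de, and all function and variable names are the editor's own.

```python
# Added example (not part of the HS Harz page or its 2FA system): read the
# otpauth:// URI that a TOTP QR code encodes, honour its algorithm/digits/period
# parameters (RFC 6238), and build the Forticlient login string from step 6,
# "<password><one-time password>". Everything in SAMPLE_URI is constructed for
# this example; the real parameters come from the QR code at https://mfa.hs-harz.de.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample, shaped like the QR code contents. period=60 matches the
# page's "changes every minute"; the secret is a throwaway test value.
SAMPLE_URI = ("otpauth://totp/HS%20Harz:m5678"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZA"
              "&issuer=HS%20Harz&algorithm=SHA256&digits=6&period=60")


def parse_otpauth(uri):
    """Return the TOTP parameters carried by an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # QR codes usually omit Base32 padding
    label = unquote(u.path.lstrip("/"))
    return {
        "account": label.split(":", 1)[-1],      # "HS Harz:m5678" -> "m5678"
        "key": base64.b32decode(secret),
        # RFC 6238 defaults; an app that ignores these fields silently uses them.
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(key, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(params, now=None, algorithm=None):
    """RFC 6238 TOTP for `params`. `algorithm` overrides the URI's hash, which
    models an authenticator app that ignores the algorithm field and always
    uses SHA-1: same secret, same time, but its codes never match the server's."""
    now = time.time() if now is None else now
    return hotp(params["key"], int(now // params["period"]),
                algorithm or params["algorithm"], params["digits"])


def forticlient_password(password, otp):
    """The page's login rule: the one-time password is appended to the password."""
    return password + otp


def login_credentials(uri, password, now=None):
    """Username and combined password to type into Forticlient, as in step 6."""
    params = parse_otpauth(uri)
    return params["account"], forticlient_password(password, totp(params, now))


if __name__ == "__main__":
    # "ggeheimm" is the password from the page's own example.
    user, combined = login_credentials(SAMPLE_URI, "ggeheimm")
    print(f"user={user} password+OTP={combined}")
```

Running the script prints the username taken from the token label and the combined password for the current minute. Calling `totp(params, algorithm="SHA1")` on the same parameters reproduces the FAQ 8 failure: same secret and time step, different code. Because the parser honours `period`, the RFC 6238 test vectors (30-second step) can be fed in through a URI of the same shape to check the implementation.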

 

9. Which 2FA apps are recommended?

In principle, all current applications meet the requirements.

From a data protection perspective, FreeOTP, FreeOTP+, Aegis Authenticator and 2FAS are recommended.

Microsoft Authenticator and Authy are NOT recommended. Authy on Apple devices also appears to ignore the validity period (time step) of our tokens.