====== Multi-factor authentication ======

The Academiccloud customer portal offers the option of activating multi-factor authentication. This will be necessary in the future to log in to GWDG services.

===== What is this? =====

In general, a combination of username or email address and individual password is used to verify a user's identity. Multi-factor authentication (MFA) provides an additional layer of security beyond traditional passwords.

===== Manage multi-factor authentication in the customer portal =====

In the [[https://id.academiccloud.de/|Academiccloud customer portal]], various factors can be set up and managed. The following options are available:

  * Security keys (FIDO2/Passkeys)
  * eduMFA Authenticator App
  * TOTP Authenticator App

The GWDG recommends using a FIDO2/Passkey or the eduMFA app.

Important: After setting up the new factor, a recovery token will be created for you. This must be stored in a safe place. It is particularly important to store this code securely and consciously, because:

  * If you lose access to your second factors, you can only reset access with this token.
  * If the code falls into the hands of an unauthorized third party, they can use it to bypass the additional security layer of the second factor.

Are you having problems with the second factor? Perhaps you will find your question answered in our chapter: [[#Troubleshoot/FAQ]] \\ If your questions are not answered, please contact sso-support@gwdg.de with your question.

===== Instructions =====

  * [[#How do I set up an additional factor?|How do I set up an additional factor?]]
  * Setting up the individual factors:
    * [[en:services:general_services:customer_portal:security:two_factor_authentication:fido2|Security keys such as FIDO2 or passkeys]]
    * [[en:services:general_services:customer_portal:security:two_factor_authentication:edupush|eduMFA authenticator app]]
    * [[en:services:general_services:customer_portal:security:two_factor_authentication:totp|TOTP Authenticator Apps]]
    * [[en:services:general_services:customer_portal:security:two_factor_authentication:keepass|KeePassXC: TOTP-MFA without a Smartphone]]
    * [[en:services:general_services:customer_portal:security:two_factor_Authentication:yubikey|Hardware tokens such as Yubikey]]
  * [[#Login with two-factor confirmation|Login with two-factor confirmation]]
  * [[#Resetting the factors|Resetting the factors]]

===== How do I set up an additional factor? =====

The various factors are displayed after logging in to the Academiccloud customer portal and switching to the “Security” tab on the left-hand side of the window. They can be set up by clicking on “Mein Konto absichern”.

{{ :de:services:general_services:customer_portal:security:two_factor_authentication:methods:bizs.png?direct&400 |}}

===== Login with two-factor confirmation =====

After successfully setting up an additional factor, a second factor is required when logging in to single sign-on services. The login process then involves the following steps:

  - First, the email address or username and password must be entered as usual. If you wish, you can check the “ANGEMELDET BLEIBEN” box before confirming your username so that your login credentials are remembered and the process is shorter the next time you use the service.

{{ :de:services:general_services:customer_portal:security:two_factor_authentication:methods:ac1.png?direct&600 |}}
{{ :de:services:general_services:customer_portal:security:two_factor_Authentication:methods:ac2.png?direct&600 |}}

  - Now one of the configured factors must be selected.

{{ :de:services:general_services:customer_portal:security:two_factor_authentication:methods:ac3.png?direct&600 |}}

  - The beginning of the authentication process varies depending on the selected factor.

{{ :de:services:general_services:customer_portal:security:two_factor_Authentication:methods:ac4.png?direct&600 |}}
{{ :de:services:general_services:customer_portal:security:two_factor_Authentication:methods:ac5.png?direct&400 |}}

  - After successful authentication, you will be logged in automatically.

===== Resetting the factors =====

If the other authentication methods (TOTP, FIDO2/Passkeys, eduMFA) are no longer available to restore the account, e.g. because the smartphone is lost or broken, the recovery code generated when the second factor was first set up must be used to reset the MFA. The token can only be used once; therefore, a new recovery token must be created after each use.

  - Go to [[https://id.academiccloud.de/mfareset|id.academiccloud.de/mfareset]].
  - Use the recovery code to reset your factors.
  - Set up a new second factor.

===== Troubleshoot/FAQ =====

== Login after setting up an MFA ==

  * **Although I have activated Stay signed in (“ANGEMELDET BLEIBEN”), I have to re-enter my user data or my MFA.**
    * GWDG services are subject to different security levels. These security levels also affect how often the credentials are queried. This means that for some services all credentials are remembered, while for other services only the username and password are remembered and the second factor must be used again for each login.

== Deleting factors ==

  * **I have deleted the token in the eduMFA app and now I want to delete it in the account portal as well, but I cannot.**
    * When deleting a factor, one of the configured factors (if available) is used for verification. If the token on the mobile phone has already been deleted and only eduMFA is set up, you will still be asked for the token, because the portal cannot check whether the token still exists on your device.
    * To still be able to delete the factor in the account portal, please use the recovery token and follow the instructions under the heading [[#Resetting the factors|Resetting the factors]].

== FIDO2 / Passkeys ==

  * **I want to set up a passkey, but the setup process is interrupted or does not work.**
    * When using FIDO2/Passkey security keys, there are still some flaws in operation that may be due to incompatibilities between the devices or browsers used. Some of the known issues are listed below:
      * When using Firefox, there may be problems setting up a FIDO2/Passkey security key. However, a key that has been set up in another browser will then also work in Firefox.
      * When using Apple devices (both macOS and iOS), iCloud must be activated. Without it, FIDO2/Passkeys cannot be used or may cause problems.
  * **My passkey does not work on all my devices.**
    * On certain systems (for example, when using Apple's or Google's own passkey functionality), the FIDO2/Passkey tokens are synchronized across all your devices that are connected to your Apple or Google account.
    * Example: You have created a FIDO2/Passkey token on your MacBook. This token will also be synchronized to your iPhone, provided that the same account is used on both devices. This means that the same FIDO2/Passkey can be used on both devices. However, if you also use a Windows laptop or a smartphone from a different manufacturer, these devices are not connected to your Apple account, so your Windows laptop will need its own FIDO2/Passkey security key.
  * **Problems arise when setting up a Yubikey as a Passkey.**
    * A common problem when setting up a Yubikey as a FIDO2 Passkey is that the reconfirmation after configuration fails or gets stuck.

{{ :de:services:general_services:customer_portal:security:yubikey_troubleshoot.png?direct&600 |}}

    * The cause is that the necessary pop-up window cannot be opened. Therefore, check your browser settings or manually allow the pop-up window.
    * After allowing the pop-up window, the setup can be completed.

=== Data protection ===

To generate the code, only the token transmitted to the mobile phone via QR code and the current system time of the phone are required. A data connection to an external service is not necessary; the generation can therefore also take place while “airplane mode” is activated. The username combined with the domain “gwdg.de” (included in the QR code) is used exclusively to distinguish the different entries in the app.
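The following Python example (added here, not code from the Academiccloud portal or the eduMFA/TOTP apps) shows why the data-protection statement above holds: the one-time code is derived purely from the secret carried in the QR code and the local clock, with no network call (RFC 4226/6238). The otpauth URI, label and secret are constructed sample values (the secret is the RFC 4226 test-vector key, not a real GWDG token); a server-side ''verify()'' with a small clock-skew window is included as well, which goes beyond the generation step the page describes.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a TOTP QR code carries: label "domain:user",
# base32 secret, and parameters. Not a real Academiccloud/GWDG enrolment.
SAMPLE_URI = ("otpauth://totp/gwdg.de:jdoe%40gwdg.de"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=gwdg.de&digits=6&period=30")


def parse_otpauth(uri):
    """Extract label, decoded secret and parameters from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    raw = q["secret"][0].upper()
    raw += "=" * (-len(raw) % 8)            # restore base32 padding if the app stripped it
    return {
        "label": unquote(u.path.lstrip("/")),  # only used to tell entries apart in the app
        "secret": base64.b32decode(raw),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, period=30, digits=6):
    """RFC 6238: HOTP whose counter is the local clock divided into time steps."""
    return hotp(secret, int(unix_time) // period, digits)


def code_for_uri(uri, unix_time=None):
    """What the phone shows: needs only the QR-code secret and its own clock."""
    p = parse_otpauth(uri)
    t = time.time() if unix_time is None else unix_time
    return totp(p["secret"], t, p["period"], p["digits"])


def verify(secret, candidate, unix_time, period=30, digits=6, skew=1):
    """Server side: accept the code for the current step +/- skew steps, constant-time."""
    step = int(unix_time) // period
    return any(hmac.compare_digest(hotp(secret, step + d, digits), candidate)
               for d in range(-skew, skew + 1))
```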