Table of Contents
The Customer Portal provides the ability to enable a secure two-factor authentication. Each protected area can be individually selected by the user.
What is that?
To proof the identity of a user, a combination of the user name or e-mail address and password is used in general. With the two-factor authentication (2FA) a second component is added. This component should be as independent as possible from the first one and increase the certainty that the current action is performed by the corresponding user.
Manage Second Factor for Authentication in the Account Portal
The administration of second factors is possible in the customer portal. You have the option of registering SMS tokens, TOTP tokens or PUSH tokens. With the SMS Token, you receive a code to your verified telephone number. You enter this code manually in addition to your account password. With the TOTP token, you connect an authenticator app on your smartphone to your account by entering a CR code. This app generates a time-based code that you enter each time you log in, in addition to your password. With the PUSH token, you connect the privacyIDEA Authenticator app on your smartphone to your account using a QR code. Each time you log in to your account, you can conveniently confirm your identity by pressing a button in the app.
To generate the code two components are required. In addition to the QR Code transferred token, the current system time (in the case of the phone) is needed. A data connection to an external service is not necessary - the generation can thus also be carried out with activated “airplane mode”.
The transmission of the user name associated with the domain “gwdg.de” (included in QR Code) is made exclusively to differentiate the various items in the app.
Prerequisites for TOTP and PUSH Token
To use this feature, a mobile phone with a modern operating system and access to the corresponding App Store (or Play Store) is required, e.g.:
- Apple iOS
- Google Android
- Windows Phone
Various developers offers apps to generate a token, the most common apps are from Google and Microsoft:
- Google Authenticator (Play Store)
- Google Authenticator (App Store)
- Microsoft Authenticator (Microsoft Store)
- privacyIdea Authenticator App (Play Store)
To use the PUSH token, the privacyIdea Authenticator App is absolutely necessary. For TOTP it is also possible to use all other common Authenticator Apps.
Once an Authenticator app is installed on the personal mobile phone, the two-factor authentication can be enabled in the security section of Customer Portal (https://id.academiccloud.de/security).
To activate, select Secure My Account.
Enter a description of your device, e.g. device name or smartphone model.
Once the necessary token has been generated, it is displayed as a QR code. This must be scanned with the Authenticator app.
Once this has been done, “QR code scanned” must be clicked.
To activate this token, a code generated by the app must be entered, this is usually 6 characters long and only valid for 30 seconds.
To confirm the identity, another entry of a valid 6-digit code is required, which is generated by the app.
After successful registration of the first token, a file is automatically downloaded that contains the recovery token. If access to the linked mobile phone is no longer possible, the code can be used to deactivate two-factor authentication (function follows). Please store this in a safe place.
All registered tokens should now be listed on the overview page. You can delete the token using the recycle bin next to it. However, this is only possible after entering a valid token.
The installed Authenticator app usually supports the automatic detection of a QR code, a manual input of the token is not necessary.
After setting the QR code, the current token is automatically displayed.
The code is generated from a combination of the token with the current time and is valid for 30 seconds.
Note: For TOTP Token it is crucial that the system time is synchronized.
After successfully setting up a second factor, a second factor is now required when logging on to single sign-on services. After the usual entry of e-mail address or user name and password, the desired second factor must now be selected.
Now type in the 6-digit code generated by the corresponding app and click on “Submit”.
If this was successful, you will be redirected to your desired page or service.
#4 Deactivation (function is still in progress)
If the other available options to recover the account are no longer available (push token, TOTP, SMS token, ..), this token offers the possibility to reset the two-factor authentication once and set it up again.
This token should be stored securely and kept secret. After one-time use, a new token must be issued.