FAQ about 2-factor authentication for students
General questions
When does the requirement for 2FA start?
The 2FA was introduced for staff and student employees in 2023. It will be introduced for students from mid-August 2024.
It will be implemented in stages: access to 2FA will be activated for students on a group-by-group basis. When your turn comes, you will receive a personal email with all the important information.
I am a student employee at the University of Hamburg. What do I need to know?
If you are a student employee at the University of Hamburg, you have already registered for the 2FA and do not need to do anything further.
What do first-semester students need to know?
Students in higher semesters will be the first to register for 2FA. If you are in your first semester, you can continue to use the services without 2FA; when the transition to 2FA begins for first-semester students, you will receive the necessary information.
How do I set up the 2FA?
For details on how to set up 2-factor authentication, please refer to the instructions published specifically for this purpose.
Which services can no longer be used if I activate the 2FA?
Once you activate the 2FA, the authentication will protect many services for which you use your uni username. These include:
- OpenOlat
- Moodle
- VPN
To continue using these services, you must comply with these instructions.
There are plans to protect further services and to continually expand protection.
Why does the service I want to sign up with not recognize that I have already registered my device?
If you regularly delete cookies (or the local storage) in your browser or use your browser in private mode, the information that your device is already registered cannot be saved.
How does the 2FA work with public computers at the University, e.g., in libraries, PC pools, and computer rooms?
Public PCs cannot and should not be set up as 2FA devices. When working at a public PC, you have the following options for logging in:
- If you have already registered your smartphone for 2FA, you can use that. See instructions
- You can use a FIDO stick as a 2FA if you have one. See instructions
- You can use your 2FA code list as a 2FA.
I have a need for digital accessibility. What options are there for me?
You can request a free FIDO stick for barrier-free 2FA from the Office for Students with Disabilities. We will also help you set up the FIDO stick. Contact:
2FA code list
What is a 2FA code list?
The personalized 2FA code list contains 240 codes and can be used as the second factor in a 2FA authentication. Using the list, you can also register further devices as 2FA.
Important: The 2FA code list validity is unlimited and non-transferable.
How do I get the 2FA code list?
Your personal code list will be sent by email to your student email account. This mail will also clarify that your specific password must be 2FA. In addition to the code list, you will receive a description of the necessary steps and helpful links.
See the respective pages of the Regional Computing Center for information about using your student email account.
Why should I deactivate my first code list and not use it long-term for authentication?
A third party can potentially view your 2FA code list without your noticing. 2FA devices are safer because they would have to be physically stolen, which you would generally notice immediately. Therefore, use your 2FA devices to increase the security of your account.
You can deactivate the 2FA code list initially sent to you in the 2FA device registration.
Can I create my own new 2FA code list?
You can create your own new list. Important: You can only create your own 2FA list if you have registered at least one device as a second factor before deactivating the first list.
If this criterion is met, create a new list after registering on this page under “request a new 2FA code list.” To be on the safe side, the list should not be stored on your computer, so print it out.
Windows devices
What is Windows Hello?
Windows Hello is a more secure way to instantly access your Windows 10 devices using a PIN, facial recognition, or fingerprint. You also need to set up a PIN if you want to set up a fingerprint or facial recognition. Whether fingerprint and facial recognition are possible depends on the hardware you are using.
How can I set up Windows Hello?
See the instructions for the 2FA to set up Windows Hello.
Do I have to set up a Windows Hello PIN?
No. Setting up the Windows Hello PIN facilitates authentication with a second factor, because the Hello PIN acts as a second factor. If you do not set up the Hello PIN, you will need to use another second factor (code combination from the 2FA code list, mobile device, FIDO2 stick) to log in to UHH services that require a second factor.
How long should my Windows Hello PIN be?
You need at least 4 characters for the PIN. The more characters you use, the more difficult it is to guess the PIN. Windows does not accept obvious or easy PINs (e.g., 1234, 0000, 5678). The maximum character count for PINs is 127.
What should I do if I forget my Windows Hello PIN?
The Hello PIN is simply an alternative log-in option for a specific computer. It does not completely replace your password. If you cannot remember your Hello PIN, you can reset it using the existing Windows-10 password.
Note:
After you change your Hello PIN, your device must be re-registered as 2FA, in the same way you first registered your device.
To reset your PIN, go to “Settings” -> “Accounts” -> “Sign-in options” -> “I forgot my PIN.”
What is the difference between the Windows Hello PIN and the password for my device?
The Hello PIN is simply an alternative log-in option for a specific computer. It does not completely replace your password. If you cannot recall your Hello PIN, you can reset it using the existing Windows-10 password.
What happens with the 2FA if I remove the Windows Hello PIN?
The need to authenticate with a second factor is unaffected. If you do not set up the Hello PIN or remove it again, you will need to use another second factor (code combination from the 2FA code list, mobile device) to log in to UHH services that require a second factor.
Is the Windows Hello PIN as secure as or more secure than my previous log-in (local authentication or network authentication)?
An important difference between an online password and a Windows Hello PIN is that the PIN is tied to the particular device on which it was set up. Without this hardware, the PIN is useless to third parties. Someone who gets hold of your online password can log in to your account from anywhere, but someone who gets hold of your PIN must also have access to your device. The PIN can be used only on that device. If you want to log in to several devices, you need to set up Hello on each of them.
PINs are saved locally on the device.
An online password is transmitted to the server, where it can be intercepted in transit or read from the server. A PIN is only ever entered locally on the device; it is never transmitted elsewhere and never stored on the server. When the PIN is created, the device establishes a trust relationship with the identity provider and generates an asymmetric key pair that is used for authentication. When you type in your PIN, the authentication key is unlocked and used to sign the request that is sent to the authentication server. Although local passwords for the device are also local, they are less secure than a PIN, as described below. PINs are hardware-backed.
The Windows Hello PIN is backed by a Trusted Platform Module (TPM) chip, a secure cryptoprocessor that performs cryptographic operations. The chip includes multiple physical security mechanisms that protect it from tampering, and malware cannot manipulate the TPM's security functions. Windows does not bind local passwords to the TPM, which is why PINs are considered safer than local passwords.
User key material is generated and made available in the device’s TPM. The TPM protects the key material from attackers who want to record and reuse it. Because Windows Hello uses asymmetric key pairs, user log-in information cannot be stolen if the identity provider or the websites accessed by users have been compromised.
The TPM protects you from a range of well-known and potential attacks, including PIN brute-force attacks: the device is locked after too many incorrect attempts. PINs can be complex.
The Windows Hello PIN is subject to the same IT administrative bylaws as a password, e.g., with regard to complexity, length, expiry, and handling. Although we normally think of a PIN as a simple 4-character code, you can create more complex ones comparable to passwords. You can use special characters, upper-case and lower-case letters, and digits.
Why do I need a PIN to use biometry?
Windows Hello enables biometric log-in for Windows: fingerprint, eye, or facial recognition. If you set up Windows Hello, you will first be prompted to create a PIN. With it, you can still log in if you cannot use your preferred biometric method because of an injury, or because the sensor is unavailable or not working properly.
If you have configured only a biometric log-in but cannot use this method to log in for whatever reason, you have to log in with your account and password. This will not provide the same protection as Hello.
Why do I receive an error message with WIN11 when I try to use my VPN connection?
In a few cases, there is currently an error message when trying to establish a VPN connection and authenticate with a second factor for this purpose.
Error message:
Authentication failed due to problem navigating to the single sign-on URL
Solution:
Please set the Microsoft Edge browser as the default browser.
Why do I have a problem with my Win10 end device after it has been in sleep mode?
In a few cases, there is a problem with the 2FA when you restart your end device with a Windows 10 operating system.
After you have chosen “Authenticate using this device” and put in your PIN, you will be prompted to plug in a security key contained in a flash drive / memory stick.
If this happens, click “Cancel” to close the message, and then click “OK” in the new window to restart authentication. It should work this second time around.
Why is there suddenly no more authentication Hello PIN in Chrome/Edge?
Due to an update in Chrome and Edge, it may be that after you choose “authenticate using this device,” the Windows Hello PIN and/or other possible options are no longer offered in the window that opens.
In this window, choose:
- for Chrome— “Use external security keys” and
- for Edge— “Use an external security key.”
You will again receive the full range of options.
Apple devices
Error message: This request has been canceled by the user
In a few cases you will receive the above error message on iPhone and iPad devices and it will not be possible to register them.
Currently, efforts are underway to find a solution.
Why do I get a message saying “To secure a pass key, the iCloud Keychain needs to be activated”?
Apple synchronizes the second factor between all Apple devices with the same Apple ID. So if you have registered your iPhone as a second factor, your iPad or Safari on your Mac, for example, is registered automatically as well, provided the operating systems are up to date (see below).
To enable synchronization of the second factor, iCloud Keychain must be activated. Apple does not allow usage without synchronization.
Requirement for the operating systems:
- iOS/iPadOS version 14.1 or higher
- macOS 10.15 ("Catalina") or higher
Why doesn’t Chrome work as a second factor on my iMac?
For devices older than 2021, 2FA registration works only with Safari and with no other browser.
Why is that?
The Chrome browser needs access to a biometric sensor, which older iMacs do not have. Chrome only works on iMacs (as of May 2021) with an M1 processor.
What needs to be done to register with the Safari browser?
The following requirements must be met:
- macOS 11 (or newer) with current patch level is installed.
- AppleID is used.
- Keychain in the cloud is used.
Linux devices
Why are there no instructions for Linux devices?
Linux devices do not currently support the device-based registration process for two-factor authentication (2FA).
With a Linux device, please use an additional device for authentication, e.g. a smartphone or a FIDO stick.
Please refer to the corresponding instructions for preparation or registration.
FIDO sticks
What is a FIDO stick or YubiKey?
FIDO2 is a new method for registering and logging in to web services. It can be used either instead of a password or as a second factor. To do this, you need an authenticator, which is available, for example, in the form of a USB stick that you can attach to your key ring.
When you log in, you simply insert the stick into the computer and press the button on the stick to authenticate yourself to the service. On Windows, Android and, to a limited extent, macOS, this even works without additional hardware, since the operating systems themselves act as virtual authenticators.
Depending on how the service has implemented FIDO2, the stick is sufficient for logging in (one-factor authentication) or you also have to enter a PIN or password (two-factor). Both variants are considerably more secure than relying on the password alone. YubiKey is a stick family from the manufacturer Yubico.
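As an added illustration (not code from the original FAQ, from Microsoft or from Yubico), the following Python model shows the challenge-response flow that the Windows Hello answer above and this FIDO2 answer describe: the private key stays on the authenticator and is only unlocked by the PIN, the service stores nothing but the public key, a fresh challenge defeats replays, and a stolen PIN is useless without the device. The class and function names, the toy key size, the sample PIN and the three-attempt lockout are assumptions made for the example.

```python
import hashlib
import secrets

# Constructed toy RSA key pair: the primes are tiny and for illustration only.
# A real TPM-backed authenticator generates a 2048-bit RSA or P-256 key.
P, Q = 104723, 104729
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def digest_mod_n(challenge: bytes, n: int) -> int:
    # hash the service's random challenge into the RSA message space
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

class Authenticator:  # stand-in for the TPM-backed Windows Hello / FIDO2 authenticator
    MAX_FAILURES = 3  # assumed anti-hammering limit: lock after repeated wrong PINs
    def __init__(self, pin: str):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._private_key = D     # never leaves the device
        self.public_key = (N, E)  # the only thing the service ever receives
        self.failures = 0
    def sign(self, pin: str, challenge: bytes) -> int:
        # the PIN only unlocks the local key; neither PIN nor key is sent anywhere
        if self.failures >= self.MAX_FAILURES:
            raise PermissionError("authenticator locked")
        if hashlib.sha256(pin.encode()).digest() != self._pin_hash:
            self.failures += 1
            raise PermissionError("wrong PIN")
        self.failures = 0
        return pow(digest_mod_n(challenge, N), self._private_key, N)

class RelyingParty:  # the university service: stores public keys only, never secrets
    def __init__(self):
        self.registered = {}  # username -> (n, e)
    def register(self, user: str, public_key: tuple) -> None:
        self.registered[user] = public_key
    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh per login, so a replayed signature fails
    def verify(self, user: str, challenge: bytes, signature: int) -> bool:
        n, e = self.registered[user]
        return pow(signature, e, n) == digest_mod_n(challenge, n)

def login(rp: RelyingParty, user: str, device: Authenticator, pin: str) -> bool:
    # one challenge-response round trip; False on a wrong PIN or a locked device
    challenge = rp.new_challenge()
    try:
        signature = device.sign(pin, challenge)
    except PermissionError:
        return False
    return rp.verify(user, challenge, signature)
```

A copy of the service's database gives an attacker only `(n, e)`, which cannot produce a valid signature, and a signature captured from one login does not verify against the next challenge.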
Can I use my own FIDO stick for the 2FA at the University?
Yes, for the 2FA, you can use your own FIDO stick.
Can I get a FIDO stick from the University?
No, FIDO sticks are for University staff only and only under certain conditions.
Exceptions are made for students with digital accessibility needs. They can apply for a FIDO stick free of charge through the office for the concerns of students with disabilities. Contact:
Does the FIDO stick also work on unknown computers?
In principle, yes. However, depending on the model, the installation of a device driver may be required to use a FIDO2 stick.
What should I do if I forget the FIDO-stick PIN?
With Windows operating system
If you have forgotten the PIN of the FIDO stick, you must reset it. This is done under "Logon options" in the Windows "Settings". In the "Security key" section, click "Manage" and then "Reset".
It may also be necessary to re-register the stick for 2FA.
With macOS operating system
Please install the "Yubico Authenticator" app from the Apple Store. You can use this app to reset the stick; the option is in the app at the top right, behind the button with the sliders. It may also be necessary to re-register the stick for 2FA.
With Linux operating system
Please use the program "Yubikey Manager", which is available here:
https://www.yubico.com/support/download/yubikey-manager/
If "pcsd" is installed, you only need to run the downloaded file, and you can then choose whether to run the program directly or install it.