FAQ about 2-factor authentication
General questions
How do I set up 2-factor authentication?
For details on how to set up 2-factor authentication, please refer to the instructions published specifically for this purpose.
What services can I no longer use when 2FA is enabled?
After activation, all services behind the so-called “Shibboleth login” require a second factor during authentication. These include:
- KUS portal
- RRZ service portal
- Fiona
- UHHCloud
- VPN
To continue using these services, you must follow the instructions published specifically for this purpose.
The protection of further services is being planned and will be continuously expanded.
Why doesn't the app recognize that I have already registered my device?
If you regularly delete cookies (or the local storage) in your browser or use your browser in private mode, the information that your device is already registered cannot be saved.
How does 2FA work on public PCs at the university (in libraries or computer pools / labs)?
Public PCs cannot and should not be set up as a second factor. If you are working on such a PC, you have the following options for logging in:
- You can use your smartphone as a second factor, provided you have registered it in advance (see the instructions).
- You can use a FIDO stick as a second factor if you have one (see the instructions).
- You can use your 2FA code list as a second factor.
Is it possible to use private devices for 2FA?
From a technical point of view, there is nothing against voluntarily registering private end devices and using them as a second factor. The minimum system requirements must be met; these are listed in the preparation instructions for each device class. Please understand that we cannot provide extended support for private devices.
How does 2FA work on PCs that are regularly used by different employees (shared workstations/devices)?
On devices managed by the RRZ, it is technically possible for several users to assign an individual Windows Hello PIN to a (shared) device.
For security reasons, however, we strongly advise against using the Hello PIN on such devices. Use one of the following options instead:
- You can use your smartphone as a second factor, provided you have registered it in advance (see the instructions).
- You can use a FIDO stick as a second factor if you have one (see the instructions).
- You can use your 2FA code list as a second factor.
When does the implementation of 2FA affect me?
The 2FA system at UHH will be implemented gradually. By the end of 2023, all permanent UHH employees will be included in the rollout; this also includes student employees. Colleagues newly hired from about 12/2023 onwards will be contacted directly from around mid 01/24, and monthly thereafter, and included in the rollout. It is planned that new colleagues will receive the 2FA code list together with the identification letter for the user ID as part of the recruitment process.
In 2024, we will continue with the groups of people named below. All members will be provided with further information personally by email at an early stage (at least 4 weeks before the start).
These include:
- Students
- External employees
- Lecturers
2FA code list
What is a 2FA code list?
The personalized 2FA code list contains 240 codes and can be used as a second factor in the context of two-factor authentication. You can also use the list to register additional devices as a second factor.
Important: The 2FA code list is not transferable.
The 2FA code list is valid indefinitely.
How do new students or employees obtain a 2FA code list?
The list will be sent by mail to your postal address on file at UHH. For students, the address data comes from STiNE, for UHH employees from the Digital Personnel Management.
I don't have the code list (anymore), what can I do?
To avoid problems such as a misplaced 2FA code list, we advise registering several devices as a second factor. Please follow the corresponding instructions for this.
If you have not received a 2FA code list, please visit an RRZ-ServiceDesk (bring a valid photo ID).
If you have lost your 2FA code list and cannot issue yourself a new list because you have not yet registered an end device for two-factor authentication, please also visit an RRZ-ServiceDesk (bring a valid photo ID).
If you are not able to visit an RRZ-ServiceDesk, please contact the RRZ-ServiceLine.
Can I create a new 2FA code list for myself?
If you suspect that someone else has seen your 2FA code list, or you have lost your list, you can create a new list for yourself. However, this is only possible if you still have your current list or have registered at least one other device as a second factor.
If the above requirements are met, create a new list after logging in on this page using the "Request new 2FA code list" item below.
Why should I not permanently use the code list for authentication?
2FA code lists can be spied on or photographed by third parties without your noticing, whereas 2FA devices are more secure because they would have to be physically stolen, which you would usually notice immediately. For increased account security, please therefore prefer 2FA devices. Also consider deactivating your 2FA code list in the 2FA device registration if you do not need it.
Windows devices
What is Windows Hello?
Windows Hello is a more secure way to instantly access your Windows 10 devices using a PIN, facial recognition, or fingerprint. You also need to set up a PIN if you want to set up a fingerprint or facial recognition. Whether fingerprint and facial recognition are possible depends on the hardware you are using.
How can I set up Windows Hello?
You can find instructions on how to set up Windows Hello here.
Why can't I activate Windows Hello (the option cannot be selected)?
If you are using a computer administered by the RRZ (a so-called FMD or Fully Managed Device) and are not on the premises of the UHH, it is necessary that you always establish the VPN connection before logging in to the computer. (Here you can find the instructions for VPN before Login (in German only).)
If problems persist, please contact the RRZ ServiceLine (serviceline"AT"uni-hamburg.de, subject: “2FA: FMD: Windows hello pin nicht aktivierbar”).
How long should my Windows Hello PIN be?
The minimum PIN length is four characters. The more characters your PIN has, the harder it is to guess. Trivial PINs (e.g. 1234, 0000, 5678) are not accepted by Windows 10. The maximum PIN length is 127 characters.
Isn't a Hello PIN less secure than the previous login method (local authentication or network authentication)?
An important difference between an online password and a Hello PIN is that the PIN is tied to the specific device on which it was set up. Without that particular hardware, the PIN is useless to third parties. Someone who obtains your online password can log into your account from anywhere, but someone who obtains your PIN would also need access to your device, because the PIN can only be used on that device. If you want to log in to multiple devices, you need to set up Hello on each device.
PINs are stored locally on the device.
An online password is transmitted to the server, where it can be intercepted in transit or retrieved from the server afterwards. A PIN is entered locally on the device; it is never transmitted anywhere and is not stored on the server. When the PIN is created, it establishes a trust relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, you unlock the authentication key, which is used to sign the request sent to the authentication server. Although local passwords are also local to the device, they are less secure than a PIN, as described in the next section.
PINs are hardware supported.
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, a secure cryptoprocessor that performs cryptographic operations. The chip includes several physical security mechanisms that make it tamper-resistant, and malware is not able to tamper with the TPM security features. Windows does not link local passwords to the TPM, so PINs are considered more secure than local passwords.
User key material is generated and kept in the device's TPM. The TPM protects the key material from attackers who want to capture and reuse it. Because Hello uses asymmetric key pairs, user credentials cannot be stolen if the identity provider or the websites the user accesses have been compromised.
The TPM protects against various known and potential attacks, including PIN brute-force attacks. After too many failed attempts, the device is locked.
PINs can be complex.
The Windows Hello for Business PIN is subject to the same IT management policies as a password, such as complexity, length, expiration and history. Although we usually think of PINs as simple four-digit codes, you can create a more complex PIN comparable to a password, using special characters, upper case letters, lower case letters and digits.
What do I do if I forget my Windows Hello PIN?
The PIN is only an alternative login option for a specific computer and does not completely replace the password. If you don't remember the PIN, you can reset it using the Windows 10 password that still exists.
The "Forgot pin" button can be found in the "Login options" in the "Accounts" section in the "Settings" of the operating system.
- For devices of type "FMD" administered by the RRZ, the "Forgot PIN" option is only active if you have started VPN before the Windows login. Exactly as explained on the background image of the login screen.
- For end devices of the type "library computer" administered by the RRZ, the option "Forgot PIN" is only active if you are on the university campus and the device was started with a connected network cable.
What is the difference between the Windows Hello PIN and my device password?
The PIN is only an alternative login option for a specific computer and does not completely replace the password. If you do not remember the PIN, you can reset it using the Windows 10 password that still exists.
Do I need to set up a Windows Hello PIN?
No. Setting up the Windows Hello PIN facilitates authentication with a second factor, because the Hello PIN acts as a second factor. If you do not set up the Hello PIN, you will need to use another second factor (code combination from the 2FA code list, mobile device, FIDO2 stick) to log in to UHH services that require a second factor.
What happens to 2-factor authentication if I remove the Windows Hello PIN again?
The need to authenticate with a second factor is unaffected. If you do not set up the Hello PIN or remove it again, you will need to use another second factor (code combination from the 2FA code list, mobile device) to log in to UHH services that require a second factor.
Why do you need a PIN when using biometrics?
Windows Hello enables biometric login for Windows: fingerprint, iris or facial recognition. When you set up Windows Hello, you will be prompted to create a PIN first. You can use this PIN to log in if you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only have a biometric login configured and for some reason cannot use that method to log in, you would have to log in with your account and password. This will not give you the same protection as Hello.
Why do I get an error message when I try to establish a VPN connection when using WIN11?
In a few cases, there is currently an error message when trying to establish a VPN connection and authenticate with a second factor for this purpose.
Error message:
Authentication failed due to problem navigating to the single sign-on URL
Solution:
Please set the Microsoft Edge browser as the default browser.
Why do I have a problem after using Hibernate with my Win10 device?
In a few isolated cases, there is a problem with 2FA after an end device running Windows 10 has been woken up from "sleep mode".
After selecting "use this device to authenticate" and entering your PIN, you are prompted to insert a security key into the USB port.
In these cases, please dismiss this message with "Cancel", click "OK" in the window that then appears, and start the authentication again. The second attempt will succeed.
Why am I suddenly no longer offered a Hello PIN for authentication in Chrome / Edge?
Due to an update to the "Chrome" and "Edge" browsers, it may happen that after selecting "Authenticate with this device", you are no longer offered the Windows Hello PIN and / or other options in the window that opens.
Please select in this window:
- For Chrome: "Use an external security key"
- For Edge: "Use an external security key"
You will then be given the full selection again.
Apple devices
Error message: This request has been cancelled by the user
In a few cases, the error message quoted above currently occurs on iPhone and iPad devices, and it is therefore not possible to register the device.
A solution is being worked on.
What does “To secure a passkey, iCloud Keychain must be enabled” mean?
Apple synchronizes the second factor between all Apple devices signed in with the same Apple ID. So if you have registered your iPhone as a second factor, your iPad or Safari on your Mac, for example, is registered automatically as well, provided the operating systems are up to date (see below).
To enable this synchronization of the second factor, the function mentioned in the message must be activated. Apple does not allow use without synchronization.
Operating system requirements:
- iOS/iPadOS version 14.1 or higher
- macOS 10.15 ("Catalina") or higher
Why doesn't Chrome as a second factor work on my iMac?
For devices older than 2021, 2FA registration only works with Safari, no other browser.
Why is that?
The Chrome browser needs access to a biometric sensor, which older iMacs do not have. Chrome therefore only works on iMacs with an M1 processor (as of May 2021).
What needs to be done to register with the Safari browser?
The following requirements must be met:
- macOS 11 (or newer) with current patch level is installed.
- AppleID is used.
- Keychain in the cloud is used.
Linux devices
Why are there no instructions for Linux devices?
Linux devices do not currently support the device-based registration process for two-factor authentication (2FA).
With a Linux device, please use an additional device for authentication, e.g. a smartphone or a FIDO stick.
Please refer to the corresponding instructions for preparation or registration.
FIDO sticks
What is a FIDO stick or YubiKey?
FIDO2 is a new method for registering and logging in to web services. It can be used either instead of a password or as a second factor. To do this, you need an authenticator, which is available, for example, in the form of a USB stick that you can attach to your key ring.
When you log in, you simply insert the stick into the computer and press the button on the stick to authenticate yourself to the service. On Windows, Android and, to a limited extent, macOS, this even works without additional hardware, since the operating systems themselves act as virtual authenticators.
Depending on how the service has implemented FIDO2, the stick is sufficient for logging in (one-factor authentication) or you also have to enter a PIN or password (two-factor). Both variants are considerably more secure than relying on the password alone. YubiKey is a stick family from the manufacturer Yubico.
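The Windows Hello PIN explanation above (the PIN unlocks a TPM-held key that signs the request sent to the authentication server) and the FIDO2 description here rest on the same challenge-response pattern. The following Go model is an added illustration, not code from the RRZ FAQ, Microsoft or Yubico; the Device and IdP types, the constructed PIN and the lockout threshold are assumptions standing in for the TPM or authenticator and the identity provider.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device models the TPM: the key never leaves it, the PIN only unlocks it locally, wrong PINs lock it.
type Device struct {
	priv               *ecdsa.PrivateKey
	pin                string
	failures, maxTries int
}

// IdP stands in for the identity provider; it holds public keys only.
type IdP map[string]*ecdsa.PublicKey

// Enroll creates the device-bound key pair and hands the IdP only the public half.
func Enroll(idp IdP, user, pin string, maxTries int) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	idp[user] = &priv.PublicKey
	return &Device{priv: priv, pin: pin, maxTries: maxTries}, nil
}

// Challenge is the fresh nonce the IdP asks the device to sign.
func (idp IdP) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read cannot fail as of Go 1.24
	return c
}

// Sign is the "enter PIN" step: the PIN gates the key but is not the credential.
func (d *Device) Sign(pin string, challenge []byte) ([]byte, error) {
	if d.failures >= d.maxTries || pin != d.pin { // a locked key refuses even the right PIN
		d.failures++
		return nil, errors.New("PIN rejected or key locked")
	}
	d.failures = 0
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, h[:])
}

// Verify needs only the stored public key: a dump of the IdP database yields
// nothing an attacker could replay as a credential.
func (idp IdP) Verify(user string, challenge, sig []byte) bool {
	pub, ok := idp[user]
	h := sha256.Sum256(challenge)
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```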
Can I get a FIDO stick?
If you are an employee of UHH and neither your computer (e.g. one running Linux) nor your cell phone can be configured as a second factor, you can order a FIDO stick in the RRZ-ServicePortal. To access the RRZ-ServicePortal from outside the university (e.g. from your home office), you first have to establish a VPN connection to the university network unless you use an end device managed by the RRZ. You can find more information about this here.
Does the Fido stick also work on a foreign computer?
In principle, yes. However, depending on the model, the installation of a device driver may be required to use a FIDO2 stick.
What do I do with the Fido stick when I leave the UHH?
The FIDO2 stick is a technical device provided to you and, like all other technical equipment, has to be returned to the issuing office when you leave the UHH. Therefore, please send the FIDO2 stick by internal mail to the Regional Computing Center, stating your user ID:
Regional Computer Center
RRZ Service Desk
Schlüterstrasse 70
20146 Hamburg
Alternatively, you can return the FIDO2 stick to one of our RRZ Service Desk locations.
What do I do if I have forgotten the pin of the Fido stick?
With Windows operating system
If you have forgotten the PIN of the Fido stick, you must reset it. This is done in the "Logon options" in the "Settings" of Windows. In the "Security key" section, click on "Manage" and then on "Reset".
It may also be necessary to re-register the stick for 2FA.
With macOS operating system
Please install the "Yubico Authenticator" app from the Apple Store. You can use this app to reset the stick. You can do this in the app at the top right behind the button with the sliders. It may also be necessary to re-register the stick for 2FA.
With Linux operating system
Please use the program "Yubikey Manager", which is available here:
https://www.yubico.com/support/download/yubikey-manager/
If "pcsd" is installed, you only need to start the file and then you can choose whether you only want to use the program or install it.