2-factor authentication
The University of Oldenburg introduces 2FA
2FA (two-factor authentication) is gradually being introduced at the University of Oldenburg. Most people will already know the procedure from online banking. Essentially it means that, in addition to the user name and password, a second factor has to be presented: either a one-time password (TOTP, Time-based One-Time Password) or a special hardware key (e.g. a Yubikey).
It is being added to the login process because more and more fraudulent emails are circulating that try to trick you into entering your login details on fake sites. These attempts are frighteningly successful, so valid university login details are in circulation. With 2FA, an attacker who has phished a user name and password gets past those first two steps but still fails at the login, because the one-time password or key is missing.
Does that solve the problem? Almost, but not quite. The procedure can also be circumvented: a fake login page of the kind described above can act as a 'man in the middle' and relay the one-time password you type into it to the real site, using it for a single login before it expires. So far this is mainly worthwhile against banks, where a lot of critical data can be tapped in seconds, and much less so against a university account. It also remains possible to introduce Trojans via email attachments or other downloads. But the problem of stolen passwords has been minimised as far as possible.
Do I have to use this now?
No, at least not yet. Use will become mandatory in individual systems from March 2025, essentially webmail and VPN, which is also where most of the attacks take place. Which system you use does not matter (a Yubikey or similar, or TOTP on a mobile phone, tablet or computer); you can, and should, set up several in parallel.
What is the procedure?
- First of all, some systems will be converted to the new login system; the second factor will not yet be required there, but can already be used
- In the course of this, the login mask will change, but the data to be entered stays the same
- In the next few weeks, Yubikeys will be issued to employees
- In parallel, other systems (e.g. Stud-IP) will be converted; applications such as Thunderbird or Outlook (not in the browser) and computer login are planned, but not in the near future
- At some point this year, the use of hardware tokens or apps will become mandatory for the applications that have been converted by then
- In the long term, all relevant systems will be converted
It makes sense to set up the authentication procedures at the latest when you receive the key, and to set up a mobile app in parallel as well: this gives you more flexibility and means that a lost or forgotten phone or key does not lock you out.
Who gets a hardware key?
There is a list agreed with Division 1: uol.de/2fa/yubikey_intranet - so quite a few people do.
How does 2FA actually work at the University of Oldenburg?
First you have to set up the Yubikey and/or the app; follow the instructions at uol.de/2fa. Besides the 2FAS and Aegis apps, you can also use Microsoft Authenticator, which some people probably already have on their device for Microsoft Teams, or various other TOTP apps.
Both methods (one-time password and hardware key) can already be used wherever central IT has made the switch. (Note: it is not yet mandatory, but once you have set up one or more of these procedures on the university pages, you must enter the second factor in the places provided for it from that point on.)
During login with a hardware token, the token is queried in addition to the user name and password, e.g. at a USB port. In the background the token a) answers a challenge from the server using a secret that never leaves the device and b) confirms that the user is physically present at the device (typically by requiring a touch on the key).
The hardware token (Yubikey) must be registered once at https://2fa.uol.de before use.
When logging in with a one-time password, a one-time password is requested in addition to the user name and password. It is generated entirely offline, e.g. in a mobile app, from a secret shared with the university at registration time and the current time, and each code is valid only for a short window (typically 30 seconds).
The mobile app must be registered once on the university website https://2fa.uol.de before use.