The tokens used at KIT
Various devices can be used for two-factor authentication at KIT. These are described below.
Authenticator app on the smartphone
With a suitable app (in accordance with RFC 6238), smartphones can generate login codes for two-factor authentication at KIT. No data transmission is required for this, so it can be used without an internet connection, for example in flight mode. A 6-digit code is displayed for login, which is only valid for one minute.
The use of such an app has various advantages:
- The usual smartphone protection measures against unauthorized use (PIN, fingerprint, Face ID) take effect, while a lost or stolen hardware token could easily be used by a stranger.
- As a rule, users are less likely to forget their own smartphone than to carry an additional hardware token with them.
- It is very easy for users to register themselves, whereas distributing hardware tokens is logistically more complex. This affects not only the users, who can obtain suitable tokens only at the SCC's central service desk or, if necessary, at the secretariats of the organizational units, but also the background effort of stockpiling and distributing the tokens. This advantage of the app solution should not be underestimated, especially when working from home or when there is an understandable desire to minimize contact.
- The ecological footprint is smaller with an existing smartphone than with an additional hardware token.
We would therefore particularly recommend this option to our users.
However, when changing smartphones, make sure that the two-factor authentication app is also set up on the new device before the old device is taken out of service and, for example, reset to factory settings.
Apps that implement the RFC 6238 standard include, for example, Google Authenticator, Microsoft Authenticator, FreeOTP and Sophos Authenticator.
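To make the RFC 6238 mechanism described above concrete, here is an added example (not KIT's or any of the listed apps' code) of how such an app derives a login code from nothing but a shared secret and the device clock, and how a server can check it. It uses the RFC 6238 Appendix B test secret, the RFC default of 30-second steps and a ±1-step acceptance window; the step length, digit count and window are parameters, since the one-minute validity stated on this page is a property of KIT's deployment rather than of the RFC. Everything else is standard library.

```python
# Added example: RFC 4226 HOTP / RFC 6238 TOTP, computed entirely offline.
# Not KIT's code. The secret is the RFC 6238 Appendix B test secret, not a real one.
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_TEST_SECRET = b"12345678901234567890"  # from RFC 4226 / RFC 6238 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30,
         digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP with counter = floor((T - T0) / X). No network access needed."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, (for_time - t0) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server side: accept the code for the current step or `window` steps either side
    (tolerates small clock drift). Constant-time compare avoids leaking matched digits."""
    if for_time is None:
        for_time = int(time.time())
    for k in range(-window, window + 1):
        expected = totp(secret, for_time + k * step, step, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    print("RFC 6238 vector T=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
    print("6-digit code right now:", totp(RFC_TEST_SECRET))
```

Note that the server never needs the client's clock, only its own and the shared secret; this is why the app works in flight mode. A code accepted in one step should additionally be recorded and rejected on replay within the same window, which the page's one-minute validity implies but this minimal example does not track.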
Passkeys
Passkeys are a newer method and can be used for passwordless login or as a second factor. A passkey is a cryptographic key that is stored in a secure environment. There are various alternatives. The most commonly used are smartphones, certain USB sticks and the TPM chips on laptops.
You can find more information on compatibility on the setup page for passkeys.
KIT tokens with display for employees
Tokens with a display have been procured for employees; at the touch of a button they show a 6-digit login code that is only valid for one minute. These devices offer maximum flexibility and can be used with all operating systems and devices.
The devices are designed to be tamper-proof, which in this case unfortunately means that the built-in battery cannot be replaced. The service life is therefore limited.
USB token for employees
Alternatively, devices with a USB connection were also evaluated and procured. These require a freely accessible USB port but are otherwise recognized as USB keyboards by the usual operating systems, without any special driver installation. If a KIT token with display cannot be used in an individual case, it can be exchanged for a USB token at the SCC service desk.
Printed backup list
Every user of two-factor authentication has the option of printing out a backup list with one-time codes. These can be used when needed (loss, defect, ... of the regular token). It is recommended to set up such a list, provided that it can be kept protected from unauthorized access (e.g. in your wallet or locked in a desk pedestal). You can create this backup TAN list under "New token" in the "Backup TAN list" tab in your token administration at https://my.scc.kit.edu/token.
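As an added illustration of what a backup TAN list of one-time codes involves on the server side (this is not KIT's implementation; how my.scc.kit.edu actually stores the list is not stated on this page and is assumed here), the example below generates a printable list from a cryptographic random source, keeps only salted, slow-hashed digests rather than the codes themselves, and invalidates each code on first use. The alphabet omits easily confused characters so the printed list can be read back reliably.

```python
# Added example, not KIT's code: printable one-time backup codes with single-use enforcement.
import hashlib
import secrets

# Constructed choice: no 0/O/1/I so a printed code is unambiguous when typed back in.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 100_000  # slow hash: a leaked table of digests is not trivially reversible


def generate_backup_codes(count: int = 10, length: int = 8) -> list[str]:
    """Codes for the printout. Generated once, shown once, then only stored hashed."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


class BackupCodeStore:
    """Server side: holds only digests of unused codes; each code can be redeemed once."""

    def __init__(self, codes: list[str], salt: bytes = None):
        self.salt = salt or secrets.token_bytes(16)
        self._unused = {self._digest(c) for c in codes}

    def _normalize(self, code: str) -> str:
        # Tolerate the ways a user types a printed code: spaces, dashes, lower case.
        return code.replace(" ", "").replace("-", "").upper()

    def _digest(self, code: str) -> str:
        return hashlib.pbkdf2_hmac("sha256", self._normalize(code).encode(),
                                   self.salt, PBKDF2_ROUNDS).hex()

    def redeem(self, code: str) -> bool:
        """True exactly once per valid code; a second use or an unknown code is rejected."""
        d = self._digest(code)
        if d in self._unused:
            self._unused.remove(d)  # consumed: the same printed code cannot be replayed
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


def format_printout(codes: list[str]) -> str:
    """Group digits for readability on the printed list, e.g. ABCD-EFGH."""
    return "\n".join(f"{i + 1:2d}. {c[:4]}-{c[4:]}" for i, c in enumerate(codes))


if __name__ == "__main__":
    codes = generate_backup_codes()
    print(format_printout(codes))
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

The recommendation on this page to keep the list protected follows directly from the design: unlike a TOTP code, a printed code stays valid until it is used, so anyone who can read the sheet holds a working second factor until the list is regenerated.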