Two-factor authentication at KIT

Various services at KIT have increased IT security requirements that go beyond a simple login with user name and password. These include in particular the SAP system and various VPN accesses.

What is two-factor authentication?

Against the background of successful phishing incidents, applications with a special need for protection are to be secured against misuse by third parties by means of two-factor authentication (2FA). For this purpose, a second factor is requested at login in addition to the usual user name and password. This second factor is generated dynamically, ideally on a separate device, is protected against unauthorized access and cannot be copied.

Two-factor authentication of this kind can therefore protect against attack scenarios such as phishing: a password captured on its own is no longer sufficient to log in.

Familiar examples are TAN lists, one-time passwords sent by SMS, and TAN generators for online banking. In each case it makes sense for the second factor to be generated on a separate device, protected from unauthorized access and impossible to copy.

Implementation at KIT

As early as the end of 2017, central two-factor authentication for the SAP web portals was introduced by decision of the KIT Presidium. Because it is integrated into the central single sign-on service (Shibboleth), login with a second factor can in principle be offered for every environment connected to that service. Besides the SAP web portals, central two-factor authentication is used in particular for CAS Campus and individual VPN connections.

The one-time codes used can most easily be generated with a dedicated app on a standard mobile device. Hardware tokens that use the same procedure were also procured for employees. In addition, USB tokens were procured, in particular to enable use by visually impaired KIT employees.