The tokens used at KIT
Several kinds of token can be used for two-factor authentication at KIT. They are described below.
App on the smartphone
A suitable app implementing the TOTP standard (RFC 6238) lets a smartphone generate login codes for two-factor authentication at KIT. The code is computed locally from a secret shared with KIT at registration and the current time, so no data transmission is needed; the app also works without an Internet connection, for example in flight mode. It displays a 6-digit login code, which is valid for one minute only.
The use of such an app has several advantages:
- The smartphone's usual protection against unauthorized use (PIN, fingerprint, Face ID) also protects the app, whereas a lost or stolen hardware token could be used by a stranger without further ado.
- As a rule, users are less likely to forget their own smartphone than they are to forget an additional hardware token.
- Users can register themselves very easily, whereas distributing hardware tokens takes considerably more logistics: users can obtain suitable tokens only from the SCC's central service desk or, if necessary, from the secretariats of their organizational units, and behind the scenes the tokens have to be stocked and distributed. This advantage of the app solution should not be underestimated, especially when working from home or with the understandable wish to minimize contacts.
- The ecological footprint is smaller with an already existing smartphone than with an additional hardware token.
That is why we would particularly like to recommend this variant to our users.
If you change your smartphone, be sure to set up the two-factor authentication app on the new device before you take the old device out of service, for example by resetting it to factory settings. The secret is stored only in the app; if it is wiped before the new device is registered, you will have to fall back on your printed backup TAN list.
Apps that implement the RFC 6238 standard include: Google Authenticator, Microsoft Authenticator, FreeOTP or Sophos Authenticator.
KIT tokens with display for employees
For employees, tokens with a display were procured. At the push of a button they show a 6-digit login code, which is valid for one minute only. These devices offer maximum flexibility and can be used with all operating systems and devices, since nothing has to be installed. The KIT tokens are blue and bear the KIT logo.
Against the background of contact avoidance, the issuance of hardware tokens should be avoided as far as possible at present; using an app on a smartphone is therefore preferable.
The devices are designed to be tamper-proof, which in this case unfortunately means that the built-in battery cannot be replaced. Their service life is therefore limited.
USB tokens for employees
Alternatively, devices with a USB connection were also evaluated and procured. They require a freely accessible USB port but are otherwise compatible with the usual operating systems: they register as a USB keyboard and enter the code as keystrokes, so no special driver installation is needed. If in an individual case a KIT token with display cannot be used, it can be exchanged for a USB token at the SCC service desk.
Printed backup list
Each user of two-factor authentication has the option of printing out a backup list of one-time codes. These can be used if the regular token is lost, defective, or otherwise unavailable; each code works exactly once. Setting up such a list is recommended, provided it can be kept protected from unauthorized access (e.g. in your wallet or in a locked pedestal drawer). You can create this backup TAN list under "New token" in the "Backup TAN list" tab of your token administration at https://my.scc.kit.edu/token.
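The following is an added example, not the SCC's implementation, of what a backup TAN list amounts to on the server side: a handful of random codes are generated for the printout, only their hashes are stored, and a code is removed the first time it is accepted, so a found or photographed list cannot be replayed once a code has been used. Code length, grouping and hash choice are assumptions made for this illustration.

```python
"""Printed backup TAN list: random one-time codes held in reserve for when
the regular token is lost or defective. Added illustration, not KIT's code."""
import hashlib
import hmac
import secrets


def generate_backup_codes(count: int = 10, nbytes: int = 8) -> list[str]:
    """Random codes for the printout: 8 bytes = 64 bits each, grouped in fours
    for readability. 64 bits keeps offline guessing against the hashes infeasible."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(nbytes)  # 16 hex characters from the OS CSPRNG
        codes.append("-".join(raw[i:i + 4] for i in range(0, len(raw), 4)))
    return codes


def normalize(code: str) -> str:
    """Accept what a user types from the printout: ignore case, spaces and dashes."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def store(codes: list[str]) -> set[str]:
    """The server keeps only hashes, so a database leak does not hand out usable
    TANs. A fast hash is fine here only because each code carries 64 random
    bits; for short, user-memorable codes a slow password hash would be needed."""
    return {hashlib.sha256(normalize(c).encode()).hexdigest() for c in codes}


def redeem(stored: set[str], candidate: str) -> bool:
    """Consume the code: it is removed on first use so it cannot be replayed.
    The comparison is constant-time; the loop over all hashes means the time
    taken does not depend on which entry matched."""
    digest = hashlib.sha256(normalize(candidate).encode()).hexdigest()
    for h in stored:
        if hmac.compare_digest(h, digest):
            stored.remove(h)
            return True
    return False


if __name__ == "__main__":
    printout = generate_backup_codes()
    print("\n".join(printout))  # what would go on the paper list
    db = store(printout)
    print("first use accepted:", redeem(db, printout[0]))
    print("second use accepted:", redeem(db, printout[0]))
```

In a real deployment the set of hashes lives in the user's record and the removal happens in the same transaction as the login, so two concurrent attempts cannot both succeed with the same code.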