Options at KIT

Various procedures can be used for secure registration at KIT. These are described below.

Passwordless login with Passkeys

Only passkeys support passwordless login to our websites. For this, a device (mobile phone, notebook, dedicated USB security key) is registered and a cryptographic key is stored on that device. At login, the device unlocks this key and the login itself takes place without a password.

Passwordless login is the most secure method and is therefore recommended.

If you require multi-factor authentication for special VPN configurations, you must also set up one of the other methods, as passwordless login with passkeys is only available for our websites.

Further documentation can be found on the Passkeys setup page.

Authenticator app on the smartphone

With a suitable app (one that implements RFC 6238), a smartphone can generate login codes for two-factor authentication at KIT. No data transmission is required, so the app also works without an internet connection, for example in flight mode. For login, a 6-digit code is displayed that is valid for only one minute.

Using such an app has several advantages over the hardware tokens that are also on offer.

  • The smartphone's usual protective measures against unauthorized use (PIN, fingerprint, Face ID) take effect, while a lost or stolen hardware token could easily be used by a stranger.
  • As a rule, users are less likely to forget their own smartphone than to carry an additional hardware token with them.
  • Users can very easily register themselves, whereas distributing hardware tokens is logistically more complex: users can only obtain suitable tokens at the central SCC service desk or, where applicable, at the secretariats of their organizational units, and in the background the tokens must be stocked and distributed. Especially when working from home, or given the understandable wish to minimize contact, this advantage of the app solution should not be underestimated.
  • The ecological footprint is smaller with an existing smartphone than with an additional hardware token.

We would therefore particularly recommend this option to our users if passwordless login (e.g. for VPN) cannot be used.

However, when changing smartphones, it is important to ensure that the app for two-factor authentication is also set up on the new device before the old device is taken out of service and reset to factory settings, for example.

Apps that implement the RFC 6238 standard include, for example, Google Authenticator, Microsoft Authenticator and FreeOTP.

KIT token with display for employees

For employees, tokens with a display were procured that show a 6-digit login code at the touch of a button; each code is valid for only one minute. These devices offer maximum flexibility and can be used with all operating systems and devices.

The devices are designed to be tamper-proof, which in this case unfortunately means that the built-in battery cannot be replaced. The service life is therefore limited.

USB tokens for employees

Alternatively, devices with a USB connection were also evaluated and procured. These require a freely accessible USB port but are otherwise recognized by the usual operating systems as a USB keyboard, with no special driver installation. If a KIT token with display cannot be used in an individual case, it can be exchanged for a USB token at the SCC service desk.

Printed backup list

Every user of two-factor authentication can print out a backup list of one-time codes. These can be used when needed (loss, defect, etc. of the regular token). Setting up such a list is recommended, provided it can be kept protected from unauthorized access (e.g. in your wallet or in a locked drawer unit). You can create this backup TAN list under "New token" in the "Backup TAN list" tab of your token administration at https://my.scc.kit.edu/token.