With growing digitalization in private and professional life, the risk of cyberattacks and phishing attacks is constantly increasing. Universities are becoming an increasingly frequent target of such attacks. This is why IT security is a key issue at RWTH Aachen University.
On February 1, 2024, multifactor authentication (MFA) will be introduced for the VPN service at RWTH. This will significantly improve the protection of the IT services you use. The following blog post explains what you need to do now.
What Is Multifactor Authentication?
MFA is a security procedure that requires a security code in addition to your usual login details. This code is generated by a separate device or app, as is the case with online banking, for example. You can find more detailed explanations of MFA mechanisms in our blog post "Security Mechanisms Unravelled: MFA".
What Will Change For You?
The introductory phase of MFA for VPN will start on February 1, 2024. From this date, the VPN system will be protected with a second factor, as it is one of the most important and security-relevant systems at RWTH Aachen University. During this introductory phase, you will have the opportunity to practise using the second factor when logging into the VPN.
After entering your known login details in the VPN client, you will be asked for this second factor. During the introductory phase, you can also log in without a self-created token by entering the current date as the second factor. Simply follow the instructions in the login screen when you log in to the VPN client.
From March 19, 2024, the use of the second factor for VPN login will be mandatory. This means that from this date, you will no longer be able to log into the VPN without a second factor that you have set up yourself.
How Do You Use MFA?
In the Selfservice, you can create and manage your tokens yourself using the Token Manager. You can currently set up hardware tokens, app tokens (e.g. via authenticator apps), TAN lists, and email tokens. Please note that the first two token types mentioned are the most secure options. You can find instructions on how to set up the tokens on the IT Center Help pages.
MFA for VPN
You can currently use hardware tokens, app tokens, and the TAN list for VPN. As a first step, you have to create a TAN list. At this point, it is not yet possible to select other tokens. Please note that the TAN list should only be used as a backup token. It protects you in case your preferred token type fails (e.g. your smartphone battery runs out or you lose your hardware key).
In a second step, you then create your preferred token. You can choose between the hardware token or the app token. The use of the e-mail token is not supported with the VPN service. (*)
Your Assistance is Required
During the introductory phase, the IT Center needs your help. A survey will be conducted to gather your feedback on understanding, documentation and operation, which will help us to simplify the use of the MFA services. Thank you for your support!
Outlook
In the future, other IT services of RWTH will also be protected with MFA. A process for distributing official hardware keys is currently being prepared by the IT Center. You will be informed about both topics in due course. If you already have a YubiKey as a hardware key, you will find suitable instructions for setting up the YubiKey on IT Center Help.
If you have any questions or encounter problems, you can contact the IT Service Desk by phone on +49 241 80 24680, by email at servicedesk@itc.rwth-aachen.de or via chat.
Responsible for the content of this article are Nicole Wießner and Corinna Hausberg.
Dear Ms. Wießner, dear Ms. Hausberg,
I received the circular e-mail about the introduction of MFA for VPN. Is it correct that we can only practise setting up a token from Thursday onwards? At the moment, the only option available to click in the Selfservice is “TAN list…”. For the secure variant, hardware token for VPN and RWTH Single Sign-On, a hardware key is required. The distribution of these is apparently still in preparation. Even when clicking the only function for so-called “practising”, only an error message appears. When I called the IT Center, I was put on hold by an uninformed person. In a team meeting today I would at least like to point out this new “security”, but I cannot explain anything further about it. I also do not own a smartphone and will not let myself be forced into getting one. I request a callback from competent people who came up with this new security procedure. Tel.: 93645 (mornings) 96400 (afternoons) Mon-Thu. Thank you very much.
Hello Eva-Maria,
thank you for your comment.
In the blog post, we have adjusted the section “MFA for VPN” in line with your question about the TAN list.
We regret that you could not be helped directly during the phone call. In the support ticket, however, we could see that there has already been a lively e-mail exchange with our support team regarding your questions. We hope your open questions were conclusively answered there. If that is not the case, you can of course still contact the IT-ServiceDesk.
Best regards,
the IT Center Blog Team