The requirements for processing sensitive personal data have been increased with the General Data Protection Regulation (GDPR). Sensitive personal data are, of course, sensitive by nature and enjoy extra protection under the GDPR. Using only a user name and password to log in no longer suffices. The UT uses several applications that process sensitive personal data. On the basis of the GDPR, the UT must provide additional security for these applications via authentication in two steps: 2FA.
Second authentication via smartphone
There are several 2FA applications available on the market for smartphones. The UT has opted for NetIQ Advanced Authentication and Google Authenticator (TOTP). To access the additionally secured information systems, one of these two apps must be installed on your smartphone.
If you do not have a UT smartphone and do not wish to use 2FA on your private smartphone, you can purchase a low-budget smartphone at the expense of the faculty/service via the LISA self-service portal.
Both the employee portal and the web apps / employee applications include a link to "Two-Factor Authentication". This portal (MyID portal) controls the installation and activation process of the authenticator on your smartphone. At the end of this process, you will receive a recovery key. You will need this recovery key to deactivate the authenticator on your old device and activate it on your new device in the event of loss or replacement of your smartphone. It is important to save the recovery key in a safe place. To this end, LISA CyberSafety recommends using the password manager LastPass.
Systems that are protected with 2FA
If a system is protected with 2FA (such as VerzuimSignaal), a message will be displayed to inform you that you need to authorise the access via your smartphone. Nothing changes for users of systems that do not use 2FA.
2FA does not need to be requested.
There are no costs.
To make use of 2FA you need a:
- UT ICT-account
For support, use the FAQ (see below) or contact the Service Desk ICT.
Explanation 2FA application
In the General Data Protection Regulation (GDPR), the criteria set for processing special personal data have been tightened. Special personal data is highly sensitive and therefore receives additional protection under the GDPR. Logging in with a username and password is no longer sufficient.
The UT utilises multiple applications within which personal data is processed. The GDPR stipulates that these applications are additionally secured by means of authentication in two steps: 2FA.
Programmes may contain data to which others are not permitted access. This may include research data, examination results, or bank account numbers. Passwords can be found out with relative ease, for example when you:
- use the same password for multiple websites;
- download malicious software from the internet;
- accidentally activate incorrect links in a phishing email;
- provide your password to others.
Thanks to additional authentication, the university can keep information away from unauthorised individuals, even when they possess your password. For this reason, your additional authentication is for personal use only.
An individual in possession of your password can block access to your account and:
- view or even delete your emails, contacts, and educational or research data;
- masquerade as you and send unsolicited or malicious emails to your contacts;
- use your account to reset the passwords for your other accounts;
- gain access to all information accessible to you, such as student data.
Only where necessary. The system's operator will make this decision.
Install and activate
When you log on to the 2FA application, you are automatically redirected to the MyID registration portal. This portal controls the installation and activation process of the authenticator on your smartphone. At the end of the process, you will receive a recovery key. You need this recovery key to deactivate the authenticator on your old device and to activate it on your new device in case of loss or replacement. It is important to save the recovery key in a safe location. LISA Cyber Safety recommends the LastPass password manager.
The UT does not require your mobile telephone number, and this will not be requested and/or registered.
A smartphone is required to log in with the 2FA.
Smartphone usage offers many advantages. You usually have your device with you. A smartphone is as a rule linked to a single user and you don't usually give it to others. Nearly everyone has a smartphone. You aren't careless with your smartphone and you aren't likely to misplace it. The use of a low-budget smartphone is a good alternative.
If the UT has not provided you with a smartphone and you don't wish to use a private smartphone for the 2FA, you can obtain a low-budget smartphone via the LISA self-service portal. The charges will be covered by the faculty/service department. You will require an OFI number from your organisation for ordering a low-budget telephone.
A smartphone with an internet connection (WiFi/3G/4G) is required for 2FA usage. An internet connection is only required for app installation/activation.
In case of offline use, the NetIQ and Google Authenticator apps automatically create an offline code that you enter on your screen. This allows you to use additional authentication offline at any time.
The app requires camera access to scan a code during installation and use of additional authentication. The app only activates the camera for these purposes.
Tips for successful QR code scanning:
- Zoom level of PC browser set to minimum 100%
- While scanning: do not hold the device too close to the screen! Make sure that the QR code fills approx. 25% of the screen. Hold the device still!
- Hold your smartphone very still while scanning. Your smartphone may need a few moments for scanning, as the camera must first zoom in on the QR code.
- Ensure that only the QR code is in the frame when scanning.
- Keep any objects, such as your finger, from obstructing the camera during scanning.
- Increase the brightness of your computer screen. This increases the contrast of the QR code, making it easier for your camera to scan.
- The NetIQ and Google Authenticator apps cannot be used without the camera.
- Is the camera not automatically opening via the app? Close and restart the app.
- Is the camera still not working? Restart your smartphone and try again.
- If you've waited too long, the QR code will no longer be valid. Close the browser on your PC and the app and try again.
If you have a new smartphone due to replacement, loss or theft, you must reconfigure the 2FA app. There are two possibilities:
- Deactivate the authenticator on your old device and activate the authenticator on your new device.
- Use the recovery key to deactivate the authenticator on your old/reset device and then activate the authenticator on your new/reset smartphone.
If you can no longer access a recovery key because your smartphone has been stolen, contact the Service Desk ICT.
- Collect your smartphone, if possible.
- The organisation has a spare smartphone. You use your recovery key to deactivate your forgotten smartphone and activate the spare smartphone. Once you have your forgotten smartphone in your possession again, you must first deactivate the spare smartphone before reactivating your own smartphone.
Authentication, verification, etc.
Go to https://MyID.utwente.nl/ to deactivate and activate the authenticator. You can also exchange the authenticator app there. The MyID portal can also be reached via webapps.utwente.nl and the employee portal, under the My-ICT-resources Two-factor authentication category.
The app refreshes the verification code every 30 seconds. You can use up to three old codes. If too much time has elapsed, you will need to use the subsequent codes.
If the subsequent codes are not working either, return to the MyID portal and deactivate and activate the Google Authenticator app. Note: you do not need to reinstall the app on your smartphone.
You can use this verification code if your smartphone is not connected to the internet. If you do have an internet connection you do not need to enter the code, but you can use the Confirm button instead.
During offline use, the NetIQ and Google Authenticator apps automatically create an offline code which can be entered on your screen. This allows you to use the additional authentication offline at all times.
A time-based one-time password (TOTP) is a temporary passcode, generated by an algorithm, for use in authenticating access to computer systems.
TOTP is used in different applications, such as Google Authenticator and Microsoft Authenticator.
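How the 30-second refresh and the acceptance of up to three old codes described above fit together on the verifying side, as an added example that is not the UT's or the app vendors' code. It follows RFC 6238 (HMAC-SHA1); the 6-digit length, the replay check via `last_used` and the function names are assumptions, and the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the page: the code refreshes every 30 seconds
OLD_CODES = 3       # the page: up to three old codes are still accepted
DIGITS = 6          # assumption: 6-digit codes, the usual authenticator-app default


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 6238 code for one time step (HMAC-SHA1 with RFC 4226 truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, now: float, last_used: int = -1):
    """Return the time-step counter the code belongs to, or None if rejected.

    Checks the current step and the OLD_CODES steps before it. Steps at or
    below last_used are skipped so an already accepted code cannot be replayed
    (assumption: the caller stores the returned counter per user).
    """
    current = int(now) // STEP_SECONDS
    for counter in range(current, current - OLD_CODES - 1, -1):
        if counter < 0 or counter <= last_used:
            continue
        expected = totp(secret, counter).encode()
        # compare_digest avoids leaking how many leading digits matched
        if hmac.compare_digest(expected, code.encode()):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    now = 1111111109                   # RFC 6238 test time
    step = now // STEP_SECONDS
    for age in range(5):               # codes that are 0..4 refreshes old
        code = totp(secret, step - age)
        print(age, "steps old:", code, "->", verify(secret, code, now))
```

A code that is four or more refreshes old falls outside the window and is rejected, which is the point at which a newer code from the app is needed.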
You can install an authenticator for multiple applications, including apps which are not managed by the UT. The applications which connect to the UT via Two-Factor Authentication all use the same authorisation code.
No. You must first ensure that the authenticator is deactivated in the MyID portal. You can then remove the authenticator/verification code without any problems.
If you accidentally removed the authenticator/verification code, you can still deactivate the authenticator with the recovery key.
If you no longer have access to the recovery key, you can have the authenticator deactivated at the LISA Service Desk ICT. In that case, proof of identity is required.
It is important to store the recovery key in a secure place. LISA Cyber Safety recommends using the LastPass or KeePass password managers.
No, this is not possible. 2FA is for personal use only and cannot be transferred.
Please contact the Service Desk ICT.