Explanation 2FA application
Why is 2-step authentication necessary?
In the General Data Protection Regulation (GDPR), the criteria set for processing special personal data have been tightened. Special personal data is highly sensitive and therefore receives additional protection under the GDPR. Logging in with a username and password is no longer sufficient.
The UT utilises multiple applications within which personal data is processed. The GDPR stipulates that these applications are additionally secured by means of authentication in two steps: 2FA.
Why is logging in with only my ICT account and password insufficiently secure?
Programmes may contain data to which others are not permitted access. This may include research data, examination results, or bank account numbers. Passwords can be found out with relative ease, for example when you:
- use the same password for multiple websites;
- download malicious software from the internet;
- accidentally activate incorrect links in a phishing email;
- provide your password to others.
Thanks to additional authentication, the university can keep information from unwanted individuals, even when they possess your password. For this reason, your additional authentication is for personal use only.
What is the risk of others knowing my password?
An individual in possession of your password can block access to your account and:
- view or even delete your emails, contacts, and educational or research data;
- masquerade as you and send unsolicited or malicious emails to your contacts;
- use your account to reset the passwords for your other accounts;
- gain access to all information accessible to you, such as student data.
Will all of the university's systems have additional authentication?
Only where necessary. The system's operator will make this decision.
Install and activate
Installing and activating 2FA application
When you log on to the 2FA application, you will be automatically redirected to the MyID registration portal. This portal controls the installation and activation process of the authenticator on your smartphone. At the end of the process, you will receive a recovery key. You need this recovery key to deactivate the authenticator on your old device and to activate it on your new device in case of loss or replacement. It is important to save the recovery key in a safe location. LISA Cyber Safety recommends the LastPass password manager.
I don't want to provide the UT with my mobile telephone number. Is it necessary?
The UT does not require your mobile telephone number, and this will not be requested and/or registered.
My mobile telephone doesn't support apps. What should I do?
A smartphone is required to log in with the 2FA.
Why aren't other tokens supported?
Smartphone usage offers many advantages. You usually have your device with you. A smartphone is as a rule linked to a single user and you don't usually give it to others. Nearly everyone has a smartphone. You aren't careless with your smartphone and you aren't likely to misplace it. The use of a low-budget smartphone is a good alternative.
I don't want to use my private telephone for work. How can I log in with 2FA?
If the UT has not provided you with a smartphone and you don't wish to use a private smartphone for the 2FA, you can obtain a low-budget smartphone via the LISA self-service portal. The charges will be covered by the faculty/service department. You will require an OFI number from your organisation for ordering a low-budget telephone.
I don't have internet on my mobile telephone, will the app still work?
A smartphone with an internet connection (WiFi/3G/4G) is required for 2FA usage. An internet connection is only required for app installation/activation.
My mobile phone has no reception. What should I do?
In case of offline use, the NetIQ and Google Authenticator apps automatically create an offline code that you enter on your screen. This allows you to use additional authentication offline at any time.
Why does the 2FA app request access to the camera?
The app requires camera access to scan a code during installation and use of additional authentication. The app only activates the camera for these purposes.
Why am I unable to scan the QR code?
Tips for successful QR code scanning:
- Zoom level of PC browser set to minimum 100%
- While scanning: do not hold the device too close to the screen! Make sure that the QR code fills approx. 25% of the screen. Hold the device still!
- Hold your smartphone very still while scanning. Your smartphone may need a few moments for scanning, as the camera must first zoom in on the QR code.
- Ensure that only the QR code is in the frame when scanning.
- Keep any objects, such as your finger, from obstructing the camera during scanning.
- Increase the brightness of your computer screen. This increases the contrast of the QR code, making it easier for your camera to scan.
Why isn't the camera working?
- The NetIQ and Google Authenticator apps cannot be used without the camera.
- Is the camera not automatically opening via the app? Close and restart the app.
- Is the camera still not working? Restart your smartphone and try again.
- If you've waited too long, the QR code will no longer be valid. Close the browser on your PC and the app and try again.
I have a new smartphone. What should I do?
If you have a new smartphone due to replacement, loss or theft, you must reconfigure the 2FA app. There are two possibilities:
- Deactivate the authenticator on your old device and activate the authenticator on your new device.
- Use the recovery key to deactivate the authenticator on your old device and then activate the authenticator on your new smartphone.
If you can no longer access a recovery key because your smartphone has been stolen, contact the Service Desk ICT.
My smartphone is at home and I cannot log in to additionally secured systems now. What should I do?
- Collect your smartphone, if possible.
- The organisation has a spare smartphone. You use your recovery key to deactivate your forgotten smartphone and activate the spare smartphone. Once you have your forgotten smartphone in your possession again, you must first deactivate the spare smartphone before reactivating your own smartphone.
Authentication, verification etc.
How can I change my additional authentication?
Go to https://MyID.utwente.nl/ to deactivate and activate the authenticator. You can also exchange the authenticator app. You can also access the MyID portal via webapps.utwente.nl and via the employee portal, under the My-ICT-resources Two-factor authentication category.
My verification code is no longer working with the Google Authenticator app. What is the problem?
The app refreshes the verification code every 30 seconds. You can use up to three old codes. If too much time has lapsed, you will need to use the subsequent codes.
If the subsequent codes are not working either, return to the MyID portal and deactivate and activate the Google Authenticator app. Note: you do not need to reinstall the app on your smartphone.
Why is a one-time password being displayed in NetIQ Advanced Authentication?
You can use this verification code if your smartphone is not connected to the internet. If you do have an internet connection you do not need to enter the code, but you can use the Confirm button instead.
How does offline use of additional authentication work?
During offline use, the NetIQ and Google Authenticator apps automatically create an offline code which can be entered on your screen. This allows you to use the additional authentication offline at all times.
What is TOTP?
A time-based one-time password (TOTP) is a temporary passcode, generated by an algorithm, for use in authenticating access to computer systems.
TOTP is used in different applications, such as Google Authenticator and Microsoft Authenticator.
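As an added illustration (not UT or vendor code), the following sketch shows how a server could check the codes described above: standard RFC 6238 TOTP with the 30-second refresh and the acceptance of up to three old codes mentioned on this page. The six-digit length, HMAC-SHA1, the replay check with `last_used`, and all function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30       # seconds each code is shown (from this page)
OLD_CODES = 3   # older codes still accepted (from this page)
DIGITS = 6      # assumption: usual authenticator-app default


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed steps."""
    return hotp(secret, int(now) // STEP, digits)


def verify(secret, code, now, last_used=-1, digits=DIGITS):
    """Return the time step the code belongs to, or None if it is rejected.

    Accepts the current code and up to OLD_CODES older ones. A step at or
    below last_used (hypothetical per-user state) is refused, so a code
    that was already accepted cannot be replayed.
    """
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return None
    current = int(now) // STEP
    matched = None
    for step in range(current, max(current - OLD_CODES, 0) - 1, -1):
        # Constant-time comparison; every candidate step is always checked.
        if hmac.compare_digest(hotp(secret, step, digits), code):
            if matched is None and step > last_used:
                matched = step
    return matched


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    shown = totp(demo_secret, 1111111109, 8)
    print(shown, verify(demo_secret, shown, 1111111111, digits=8))
```

A server that stores the returned step as `last_used` for the user refuses any later attempt with the same or an older code.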
Why are multiple One Time passwords being displayed in the 2FA apps?
You can install an authenticator for multiple applications, including apps which are not managed by the UT. The applications which connect to the UT via Two-Factor Authentication all use the same authorisation code.
Can I remove the verification code in the authenticator without repercussions?
No. You must first ensure that the authenticator is deactivated in the MyID portal. You can then remove the authenticator/verification code without any problems.
If you accidentally removed the authenticator/verification code, you can still deactivate the authenticator with the recovery key.
If you no longer have access to the recovery key, you can have the authenticator deactivated at the LISA Service Desk ICT. In that case, proof of identity is required.
Where can I securely store my recovery key?
It is important to store the recovery key in a secure place. LISA Cyber Safety recommends using the LastPass or KeePass password managers.
Can I authorise someone else to log in on my behalf?
No, this is not possible. 2FA is for personal use only and cannot be transferred.
Who can I contact if I have further questions?
Please contact the Service Desk ICT.