No, a 2nd token is not absolutely necessary, but if you lose or
forget your token or if you get a new cell phone and no longer have access
to your old one, for example, it makes sense to have a
2nd token.
The 2nd token can then also be installed on a non-mobile device,
as you normally only need it to activate a new token on a new mobile device.
If you then do not have a 2nd token, you cannot solve the problem
yourself, but must contact IT support.
If you do not have a 2nd device, you can print the displayed QR
code and keep it safe. You can use the printed QR code to activate a
new token later.
I have activated the 2nd factor, but I am not asked about it?
It can take up to 1 hour until the systems are synchronized, but on the
privacyIDEA page you can check immediately after activation whether your
token is working.
However, if the 2nd factor in the SSO systems is not queried after
24 hours, please contact IT support.
My token does not work, what can I do?
Did you perform the last step, the verification, in the course of the
activation?
If no, then call the IT support on extension 7000 and give the code that
your token shows, then the verification can be done for you afterwards.
If yes (or your token was already working), then check if the time (and
timezone) is set correctly on your device.
If that is also correct, then use our support page to
report the problem. We also advise to set up a 2nd token in any case!
Do you need the 2nd factor also on site at TU Graz?
If you want to log in to systems that are connected to the SSO system, you
also need a 2nd factor on site at TU Graz, but this can also be
the ID Austria or the desktop app.
I already use the ID Austria, do I really need another 2FA solution?
If you do not use VPN but only need to log in via SSO, then the ID Austria
is sufficient, which is integrated with our SSO systems.
However, it makes sense to additionally activate the 2FA solution of TU Graz
in case there are availability problems with ID Austria.
Will data be transferred to TU Graz if I use my private smartphone?
No, at no time will data be transferred to TU Graz, and the phone number is
not relevant for the 2-factor authentication either.
In the course of activation, data is transferred from the server to the
smartphone when the QR code is scanned, so that the smartphone can calculate
your individual code based on time. This calculation then takes place locally
on the smartphone, i.e. an Internet connection is not even required.
Are there any costs for using the app (on a private mobile phone)?
No, the recommended apps are free and there are no costs when using them,
because there is no data transfer: the calculation of the one-time password
is done locally on the smartphone, tablet etc.
This also means that the smartphone, tablet, etc. does not need an Internet
connection; only the time must be synchronized with the time of the server
(different time zones are taken into account).
Of course, the app requires some storage space and minimal power is consumed
during use.
How often do you have to log in?
The introduction of the 2nd factor does not change how often you
have to log in, this remains exactly the same as before, only in the course
of each logon in the SSO system, the second factor must also be entered in
another window.
Since this is a one-time password (OTP), the 2nd factor cannot be
saved in the browser.
Which app can be used?
All apps that support the methods used at TU Graz are suitable.
We recommend (and support) the following apps:
(Simply scan the relevant QR code with your smartphone or tablet)
It is important that you either obtain the time automatically or only
change the time zone and not the time manually, then the app will also
work abroad in a different time zone.
How to protect a token in the app?
You should protect tokens in the app to prevent someone from gaining access
if the phone is unlocked.
To do this in the privacyIDEA app, swipe the corresponding token to the
left and then activate 🔒 Sperren.
Now your token is secured by fingerprint etc. and thus becomes a
multi-factor authentication (MFA).
Instead of the code, only 6 dots are now displayed.
Only when you tap on the token and unlock it, e.g. with your fingerprint,
is the code displayed.
How do you ensure that you (always) have access to a one-time password?
We recommend that, if possible, you use at least two devices (2nd
smartphone, smartwatch, tablet, etc.) as a backup and activate at least a
second token on these devices. For information:
There are 4 tokens available for each user.
All tokens can be used as a 2nd factor.
Important to know:
As long as you still have access to one of your tokens, you can use it to
log in to the privacyIDEA website and generate a new QR code to activate a
2FA app (see next point).
How many tokens can users create themselves?
Users have 4 TOTP tokens at their disposal.
These can be active at the same time and can be used at any time during a
login.
Can you as a user delete a token yourself?
No, deletion of tokens by the user is not possible because after (erroneous)
deletion of the last token, access to all systems secured with 2nd
factor is also lost.
A deletion of tokens can be requested via the website
https://mfa.tugraz.at
in the Support tab.
You already have 4 tokens, but you want to exchange one of them?
If you already have 4 tokens and now want to swap the hardware (e.g.
the smartphone) for one of them, you must first delete the token that belongs
to this hardware:
Precondition: You have another active token.
Have the existing token (please specify the serial number) deleted.
All tokens are assigned to you and you can use any of them, even alternately.
What do you do if you do not have access to a token?
If you have forgotten your smartphone at home, for example, and do not have
access to a token, you can proceed as follows:
Within TU Graz you normally do not use VPN or RDS but only SSO and in all
systems connected with SSO you can also use ID
Austria to log in if you have access to it (e.g. on another
smartphone).
Obtain a hardware token on loan from IT Support at the ZID service point
in the BMT building upon presentation of an official photo ID or employee ID.
A deposit of 10 Euros is required for this.
The so-called pairing, i.e. the binding of the hardware token to
you as a person, is set up directly by IT Support.
Once pairing is complete, you can immediately use the hardware token
for 2FA.
Does the 2nd factor always protect me?
No, the 2nd factor does not protect against a man-in-the-middle (MitM)
attack. This means that if someone manipulates you to enter your username,
password and 2nd factor on a fake site, the attacker has a few
seconds to log in with this data and thus gains access to all your emails,
for example, and this can also happen fully automatically.
It is therefore still absolutely necessary that you pay close attention
to where you enter your data!
Is there related support?
IT Support can assist with questions and problems.
Users can set up 4 tokens, either on the same device in one or more
apps or on different devices (e.g. smartphone and tablet).
This makes it possible for users to deal with the loss of a token/device
themselves.
Is stable operation guaranteed?
The servers of the privacyIDEA 2-factor solution are designed to be
highly available and are operated in a virtual infrastructure that is also
highly available.
All systems that use the 2nd factor (these are the VPN access, the
remote desktop access RDS and the single sign-on systems) are also executed
in a highly available setup.
What about the availability of the tokens?
Registration codes for tokens are rolled out once. During 2FA activation,
a binding of the token to a user is established; this process is called
pairing.
Once pairing is complete, the responsibility for the availability of the token
lies with the user, as the user now has a device (smartphone, hardware token)
in his/her possession that generates the required code.
If the user loses or destroys this device, availability is no longer given and
access to the connected IT systems is no longer possible without a second
active token.
What method is used for the tokens?
At TU Graz, time-based one-time passwords (TOTP) are used, 6 digits, which are
regenerated every 30 seconds.
How can you tell which software token on the smartphone is associated with which service?
Each token has a unique serial number, this is displayed both in the app on
the smartphone or tablet and in the user's token overview on the privacyIDEA
website.
In the course of activation (but also afterwards), you can set
labels/descriptions for the tokens so that you can assign them uniquely,
e.g. phone, tablet, PC in the office, etc.
In addition, you can recognize each token that you use for TU Graz by the
designation ZID TU Graz.
Do you need a separate token for each device?
No, in principle a single token is sufficient for all devices.
However, you should get at least a 2nd token so that you can
still work if you lose the first token.
Can the registration code be used more than once?
No, the registration code you received by email or which was displayed in
the Account Status in TUGRAZonline allows only a one-time registration
on the privacyIDEA website.
If the 2FA activation is not completed, you will not have a token available.
You will then need to request a new registration code from the ZID service
point. To do so, you must present an official photo ID.
How many failed attempts do I have?
The 2FA is blocked after 10 failed attempts, after which you have to have
it reactivated via IT Support.
I don't have a smartphone, how do I get to the 2nd factor?
Although it is recommended to use a smartphone, there is also the possibility
to install a program on the desktop/notebook
that calculates the codes.
In addition, there is also the possibility to use a hardware
token.
My smartphone camera is broken, how do I get to the 2nd factor?
In principle, no camera is required; it only makes setting up the token
easier: via the QR code, a secret and information about the type of token
are shared between the server and the token, but you can also enter this
yourself.
When you see the QR code on the privacyIDEA page, you will also see a link
"here", which contains the secret:
otpauth://totp/…?secret=xxx…xxx&algorithm=….
Launch the privacyIDEA app, tap on the corresponding icon
and then enter the secret and the corresponding parameters.
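To show what the app does with the parameters from that otpauth:// link, what the server checks, and why only the clock (not the time zone) has to be right, here is an added example that is not part of this FAQ or of privacyIDEA: an RFC 6238 TOTP generator (6 digits, 30-second steps, as used at TU Graz), an otpauth URI parser, and a small server-side verifier that refuses to accept the same code twice and locks the token after 10 failed attempts. The secret is the constructed RFC 6238 test key; the "ZID TU Graz" label in the URI and the one-step clock tolerance are assumptions.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

def parse_otpauth(uri):
    """Pull secret, algorithm, digits and period out of an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"secret": q["secret"], "algorithm": q.get("algorithm", "SHA1").upper(),
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}

def totp(secret_b32, unix_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HMAC over the step counter floor(unix_time / period).
    Unix time has no zone, so a phone abroad with a correct clock still
    produces the same code as the server; only clock drift breaks it."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter),
                   getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Server side: tolerate one step of drift either way, never accept a
    step at or before the last accepted one (a code is one-time), and lock
    the token after MAX_FAILURES consecutive wrong codes."""
    MAX_FAILURES = 10  # the FAQ states 2FA is blocked after 10 failed attempts

    def __init__(self, secret_b32, period=30):
        self.secret, self.period = secret_b32, period
        self.last_accepted_step, self.failures, self.locked = -1, 0, False

    def verify(self, code, unix_time):
        if self.locked:
            return False
        step = int(unix_time) // self.period
        for candidate in (step, step - 1, step + 1):  # exact step first
            if candidate <= self.last_accepted_step:
                continue                             # replay of a used code
            expected = totp(self.secret, candidate * self.period, period=self.period)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step, self.failures = candidate, 0
                return True
        self.failures += 1
        self.locked = self.failures >= self.MAX_FAILURES
        return False
```

The RFC 6238 test key with SHA1 yields 287082 at Unix time 59 and 081804 at 1111111109, which is how you can check the generator against any TOTP app.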
How do I get a hardware token?
Staff members of TU Graz can pick up hardware tokens at the
ZID service point (Stremayrgasse 16) on Tuesdays and Thursdays, from
08:00-16:00, upon presentation of a photo ID (employee ID or official photo
ID).
If you have a smartphone as a "business cell phone", you cannot get a free
hardware token, but are obliged to use an app on your business cell phone
to manage your tokens.
If you want to buy a token, you can deposit the money at the main cash desk
(OU Finance and Accounting) on Tuesdays or Thursdays, on Thursdays also at
the ZID service point.
(Regulated by the "Richtlinie zur Führung von Kassen".)
Students and staff members of rentals can purchase hardware tokens at HTU's
"Copyshop" in Stremayrgasse 16.
How long does the battery in the hardware token last?
Depending on the frequency of use, 3 to 5 years.
Can I share hardware tokens with colleagues?
No, hardware tokens are also assigned to you individually (pairing).
Can I use my existing hardware token?
If the token meets the conditions and you know the "secret" (seed), we can
integrate the token into our system.
Can I use my FIDO token?
If the FIDO2 token is compatible with ID Austria and has been activated for it, you can use it to access our SSO systems via the "ID Austria" link (but this doesn't work for VPN).
Does the code work in both SSO systems?
TU Graz currently uses 2 different SSO systems:
sso.tugraz.at and auth.tugraz.at.
The codes are valid in both systems, but since they are one-time passwords,
you have to wait for a new code in the 2nd system if you want to
log in to both systems.
Does anything change when creating a TUGRAZonline account?
No. The new users get a hint in the welcome email, where they can find their
registration code in TUGRAZonline (in the Account Status in the area
2FA). In order to be able to enter TUGRAZonline, new users can login via SSO
without 2nd factor for 7 days.
How do guests get access to the 2nd factor?
Guests normally do not get access to the systems of TU Graz, which are
protected by the 2nd factor.
Employees of partner companies who need e.g. maintenance access
have to register and can then request VPN access.
You are an employee of a rental, have activated the 2FA, but are not asked for the 2nd factor?
Currently, all persons with employee accounts are equipped with 2FA,
employees of rentals who still have an employee account, but only an
assignment to the rental in TUGRAZonline, do not have to use 2FA yet
(exception: VPN).
Before these accounts are converted to mandatory use for SSO, they will be
contacted by ZID.
Why do I get to the German version of privacyidea.tugraz.at?
Because this is defined in your browser in the language settings.
Do I need the 2nd factor with OAuth2?
Yes, we will also secure the upcoming login options with OAuth2 with the 2nd
factor; we are planning these mainly where no 2nd factor is possible
and the use of VPN seems too complicated.
What does "passwordless login" mean?
The next step in securing accounts is passwordless access. For this purpose,
a new standard, Passkeys, has been defined, which is based on the
FIDO standard and automatically (in the background) sets up a kind of
public key authentication.
It is to be expected that more and more providers will implement this new
standard and we are also observing this.