Prior notice: The service will be available from 01.08.2024.

Multifactor authentication (MFA) at the University of Ulm

In order to be able to use the entire range of services offered by Ulm University, members of the university must authenticate themselves with their kiz account at various points. This authentication ensures that only authorized persons can access the services offered by the university and their personal data.

A combination of username and password only offers sufficient protection as long as both remain secret, and cyber criminals are increasingly trying to obtain them via phishing emails, among other things. To counteract this, multi-factor authentication (MFA) requires an additional, independent factor to prove identity in addition to the known username and password. This significantly increases access protection. At the University of Ulm, a two-stage process is used: the username and password are checked first and, in a second step, a time-based one-time password (TOTP).

Which logins are protected by MFA?

The roll-out of MFA at Ulm University will take place in two stages:

Stage 1 (01.08.2024 - 31.10.2024):
First, the management of digital identities and access to the university's network will be secured:

  • IDM (identity management system of the University of Ulm)
  • VPN (access to the campus network)

Stage 2 (01.11.2024):
By connecting the central Shibboleth identity provider (IDP), access to various other systems will be secured, e.g.:

  • e-billing
  • b-ite applicant portal
  • University sports registration
  • HPC registration

The kiz is constantly working on connecting further central systems such as the Moodle learning platform.

Who is affected?

According to a decision of the Presidential Board of Ulm University, the use of MFA is mandatory for all members of Ulm University from 31.10.2024.

How can I use the MFA?

Depending on the category of person, the following procedures can be used to generate a second factor:

Category of persons

For employees of the Zentralen Universitätsverwaltung, the use of a hardware token is mandatory for the generation of TOTPs.

The usage of an authenticator app on a business or private smartphone or tablet is generally recommended. If you do not have such a device, hardware tokens can be purchased at the service point "Ausleihe" in the library (Bibliotheks-Zentrale).

The use of an authenticator app on a smartphone or tablet is generally recommended. If you do not have such a device, hardware tokens can be purchased from the service point "Ausleihe" in the Bibliothekszentrale.

If access to the administrative network or the university's GLT network is required, a hardware token must be requested via the responsible supervisor:

FAQ

To reset a lost software / hardware token, you must reset your IDM password. You can do this yourself with your chip card and the chip card PIN at the known self-service terminals (University East: Entrance South and Entrance North, University West: Foyer Library (Bibliotheks-Zentrale)). If you are unable to reset the password yourself for important reasons, you can also contact the kiz helpdesk. They will send you a new initial password for logging in to the IDM once your identity has been verified.

Important: After resetting the IDM password, you can log in to IDM once with the initial password assigned without a second factor. In addition to changing the IDM password, you must also assign and activate a new second factor (software/hardware token) in the same session. Without this, you will no longer be able to log in to IDM and will have to perform the password reset again. If you no longer have the hardware token, you must first obtain a replacement.

No, for security reasons, only one active software or hardware token can be used at a time. Activating another token via the IDM automatically deactivates the existing token.

To move a software token, you can either use the options provided in the authenticator app, or log in to IDM again and generate and activate a new software token on your new device. This new token replaces your existing token, which then loses its validity.

Only tokens generated or managed by kiz can be used for authentication on the MFA platform operated by kiz. It is not possible to import decentrally acquired tokens or tokens from third parties.

Who can I contact if I have problems?

If you have any problems or questions, please contact: helpdesk(at)uni-ulm.de