last update: 2025-03-10

2FA (2-factor authentication) is gradually being introduced at the university. Most people are probably already familiar with this from online banking, for example. Essentially, this means that in addition to entering the user name and password, another factor must be added, either another 'one-time password' (TOTP=Timebased One Time Password) or a special hardware key (e.g. Yubikey) must be 'presented'.

Why make the login process more complicated now? There are more and more fraudulent emails on the Internet that are designed to trick you into entering your login details on fake sites. These attempts are frighteningly successful - so even valid university login details are still in circulation. And thanks to 2FA, the bad guys can get past the first two stages - but fail because of the one-time password!

Does that solve the problem? Almost, but not quite! This procedure can also be circumvented (e.g. 'Man in the Middle', when logging in to a fake site mentioned above, this OTP can of course also be read and used for a one-time login). However, this is more relevant for banks where a lot of critical data can be tapped in seconds - it is not worthwhile for access to the university. And of course it is still possible to introduce Trojans via emails or other downloads, for example. But the problem of lost passwords has been minimised as far as possible.

Do I have to use it now?

No, at least not yet. It is expected to become mandatory in individual systems from March summer 2025. The login screen for various services will be changed from February and 2FA can be used from then on. Essentially, this will be webmail and VPN - this is also where the main attacks take place. It doesn't matter which system you use (Yubikey or similar or TOTP on a mobile phone, tablet, computer), there can (and should) be different systems in parallel - for example, if the Yubikey is lost or the mobile phone is at home.

What is the procedure

• Firstly, some systems are converted for the new login system, but the second factor is not yet required, although it can already be used
• The login screen will change as part of this process, but the data to be entered will remain the same as before
• In the next few weeks, Yubikeys will be issued to employees - you can find out who is an employee here, students and others will then use TOTP, they are also welcome to use their own hardware tokens
• Other systems (e.g. Stud-IP) will be converted in parallel, applications such as Thunderbird or Outlook (not in the browser), computer login etc. are possible but not planned
• In the summer of this year, the use of hardware tokens or apps will be mandatory for applications that have been converted by then
• In the long term, all relevant systems will be converted

It makes sense to set up and use the authentication procedures at the latest when the key is received, and also to set up mobile apps in parallel in order to have more flexibility and to avoid problems caused by losing/forgetting the mobile phone/key.

Who gets a hardware key

There is a list agreed with Division 1: uol.de/2fa/yubikey_intranet - so there are quite a few - but no students, for example.

How does 2FA work at the University of Oldenburg, what do you have to do

First you have to set up Yubikey and/or the app - you can follow the instructions at uol.de/2fa. In addition to the 2Fas and Aegis apps mentioned above, you can also use the Microsoft Authenticator, which some of you probably already have on your device for Microsoft Teams, or various other options.
Both methods (one-time password and hardware key) can already be used in the places where central IT has made the switch. (Note: It is not yet mandatory, if you have set up one or more of these procedures on the university pages, you must also enter the second factor in the places provided for this purpose from the time of setup)