SAP Token/english

From IMT-Wiki

Two-factor authentication (2FA) at KIT

Various services at the KIT have increased requirements for IT security, which go beyond a simple login with user name and password. This includes in particular the SAP system and various VPN accesses.

What is a two-factor authentication?

A two-factor authentication is intended to improve IT security by adding a further factor to the login and password. Against the background of successful phishing incidents, applications with special protection requirements are to be additionally secured.

Possible second factors are, e.g., a TAN list, an SMS-TAN or a TAN generator. It makes sense to generate this second factor on a separate device, since such a device can be protected against unauthorized access and cannot be copied.

Current status at the KIT

The KIT Presidium has decided to introduce two-factor authentication for the SAP web portals. This is due to current security considerations regarding the SAP environment, which no longer consider a logon with a simple password to be secure. For this purpose, hardware tokens were purchased for use as a "second factor" and can now be issued to employees. The introduction of two-factor authentication for the SAP web portals is planned for November 13, 2017.

Technical implementation

At KIT, two-factor authentication is integrated into the central single sign-on service (Shibboleth). This browser-based approach allows all operating systems to be supported without the need for software installation on the end devices.

Two-factor authentication can also be extended to other services at a later date, provided that a security assessment requires this in the specific case.

The tokens used at KIT

KIT token with display for employees

For employees, tokens with a display were purchased which, at the push of a button, show a 6-digit login code that is valid for only one minute. These devices offer maximum flexibility and can be used with all operating systems and devices. The KIT tokens are blue and carry the KIT logo.

Printed backup list

Every two-factor authentication user has the option to print a backup list of TANs that can be used if necessary (loss, defect, ... of the regular token). Setting up such a list is recommended, provided the list is kept in a safe place (e.g. in a wallet or in a lockable roll container) and protected from unauthorized access.

Token management

Every employee at the KIT receives an unpersonalized KIT token with a display that shows a time-limited value at the push of a button; this value is used as the second factor in two-factor authentication.

This token must first be linked to the personal KIT account.

Once a first token has been registered, token management itself can no longer be accessed without a token.

The link is made at https://my.scc.kit.edu/token/index_en.php#/new-token

After logging in with your personal KIT account and selecting English in the top row, the "New token" dialog is displayed. Please click "New Token" and then "KIT Token". Enter the last six digits of the serial number in the "Serial Number" field. You will find the serial number on the back of the token.

[Image: serial number on the back of the token]

After clicking on "Continue", the current value of the token is queried in the next dialog. Rotate the token so that the button is to the left of the display and press the button.

[Image: token with the display off]

[Image: token showing a code]

Next, enter the valid value displayed (in the example 464230) in the "Current Token Code" field and click on "Confirm Token". Please note that this value is only valid for one minute. The data entered is then checked and the link is made. You will be forwarded to the Token overview.
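As an added illustration (not part of the original wiki page), the following Python sketch shows how the service-side check of the entered "Current Token Code" can work. The page does not name the algorithm; the example assumes an RFC 6238 TOTP-style token with a 60-second step and 6 digits, which matches the behaviour described, and uses a constructed token inventory with a hypothetical serial suffix and seed.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60  # the page: a displayed code is valid for only one minute
DIGITS = 6         # the page: tokens show a 6-digit code

def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

# Constructed inventory: last six serial digits -> token seed and last accepted time step.
# Hypothetical values; a real deployment imports the seeds supplied by the token vendor.
TOKEN_INVENTORY = {
    "123456": {"seed": b"constructed-seed-for-token-123456", "last_step": -1},
}

def verify_token_code(serial_suffix: str, entered_code: str, now: int, drift_steps: int = 1) -> bool:
    """Check an entered code against the token identified by its serial suffix.

    Tolerates +/- drift_steps of clock skew between token and server and refuses any
    time step at or before the last accepted one, so a code cannot be reused within
    its one-minute window.
    """
    entry = TOKEN_INVENTORY.get(serial_suffix)
    if entry is None or len(entered_code) != DIGITS or not entered_code.isdigit():
        return False
    base_step = now // STEP_SECONDS
    for k in range(-drift_steps, drift_steps + 1):
        step = base_step + k
        if step <= entry["last_step"]:
            continue  # already consumed (or older): reject replay
        expected = totp_code(entry["seed"], step * STEP_SECONDS)
        if hmac.compare_digest(expected, entered_code):
            entry["last_step"] = step
            return True
    return False
```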

This overview can also be accessed later on at any time via https://my.scc.kit.edu/token.

At this point with the button "New Token" you have the possibility to register a KIT business mobile phone in addition to the display token or to create and print a backup list. We recommend that you use one of these options to be prepared for cases such as defect or loss of a token.

Issue and return of the tokens

In the introductory phase, the SCC organizes the distribution of the hardware tokens and distributes them to employees with the support of the organizational units.

After the introduction of two-factor authentication, new employees receive their hardware tokens at the following locations:

Service Desk of the SCC at Campus North
Service Desk of the SCC at Campus South

The tokens can also be returned there when leaving the KIT. The tokens are then, depending on their condition, reused or disposed of.

Please note: the issue of a hardware token can easily be combined with obtaining a certificate from the KIT-CA, saving you an unnecessary extra trip.