Security

 

Change the password

The CIM portal

Since user accounts for the CAU Cloud are managed centrally in the User Services, the password for CAU Cloud accounts cannot be changed in CAU Cloud! Use the CIM-Service-Portal for this purpose. For more information on changing passwords, please refer to the documentation of the User Service.

 

Two-factor authentication

Two-factor authentication is one of the most important methods for protecting online accounts against unauthorized access. The idea is that a login always involves two different factors from the categories of knowledge, possession and being. Knowledge is usually a password, while possession is proven by means of an object. Being is established via biometric procedures.
The possession factor can take different forms, for example the possession of a SIM card in a cell phone in the case of SMS-TAN procedures, the possession of a hardware token or a smart card, or, as in the case of the CAU Cloud, the possession of a cell phone that has been enrolled via software as a second device for authentication.

Enrolling an authenticator app for TOTP

Adding a second factor using the TOTP method

In this process, a secret is first exchanged between the CAU Cloud and the cell phone. A time-based one-time password (TOTP) can then be generated using an algorithm known to both parties. This one-time password is valid for a period of 30 seconds, which provides greater security even if a single one-time password is lost.

In the Settings, open the section Security and there the section Two-factor authentication. Check the box next to the entry Enable TOTP to start the exchange of the secret. The secret mentioned above is now generated and displayed on the screen. Depending on the software used, you may have to type this secret into your authentication application, or you may have the option of scanning the displayed QR code with your cell phone's camera.

After you have exchanged the secret for the second factor of the CAU Cloud, your application shows the second factor as a six-digit numerical code, usually together with a small animation that indicates how long the code remains valid before a new one is generated. Up to this point, you have exchanged the secret, but two-factor authentication is not yet activated. To activate it, you must enter a valid second factor in the CAU Cloud window to prove that you have successfully exchanged the secret.

Exchanging the secret with Google Authenticator via QR code

A common application for the TOTP method is Google Authenticator. However, you can also use other applications that support the TOTP standard. You can find Google Authenticator in the Google Play Store as well as in the Apple App Store. When you start the Authenticator for the first time, a welcome process awaits you. In it, click Get started, or select the + button at the bottom of the main menu, to exchange a new secret. You have the choice of scanning a QR code or typing the secret by hand. If you want to scan the QR code, you need to allow the application to access the camera. Now scan the QR code generated above to exchange the secret and get your first one-time password, which you can use to complete the activation in the previous step.
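How both sides derive the same six-digit code from the shared secret, and how the activation check can accept it exactly once, shown as an added example that is not CAU Cloud code. It assumes the common TOTP defaults of RFC 6238 (HMAC-SHA1, Base32-encoded secret); the secret below is the RFC test key, not a real one, and the `drift` tolerance and `last_step` replay guard are illustrative choices.

```python
import base64
import hashlib
import hmac
import struct

PERIOD = 30  # validity of one code in seconds, as stated above
DIGITS = 6   # six-digit code, as stated above


def decode_secret(shown: str) -> bytes:
    """Decode a Base32 secret as typed by hand (spaces, lower case, no padding)."""
    cleaned = shown.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, int(now) // PERIOD)


def verify(secret: bytes, code: str, now: float, last_step: int = -1, drift: int = 1):
    """Return the matched time step, or None. Tolerates +/- `drift` steps of
    clock skew and rejects steps <= last_step so a code cannot be reused."""
    current = int(now) // PERIOD
    for step in range(current - drift, current + drift + 1):
        if step > last_step and hmac.compare_digest(hotp(secret, step), code):
            return step
    return None


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test key, typed the way a user might.
    secret = decode_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    step = verify(secret, totp(secret, 59), now=59)
    print("activation accepted at step", step)
    print("same code again:", verify(secret, totp(secret, 59), now=59, last_step=step))
```
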

 

Enrolling a WebAuthn device

Enrolling and logging in with a WebAuthn device

This method uses a WebAuthn-enabled device as a second factor. This device can be a USB security token, such as the YubiKey, but such a device may also already be built into your end device, usually in the form of biometric devices such as fingerprint sensors or cameras with facial recognition. This method therefore targets possession as the second factor. If the sensor is permanently built into your device, it is recommended to enroll more than one method as a second factor, or at least to generate backup codes, so that you can still access the CAU Cloud even if you lose your device.

In the Settings, open the section Security and there the section Two-factor authentication. In the section WebAuthn Device (WebAuthn Gerät), select the button Add WebAuthn Device (WebAuthn-Gerät hinzufügen) to enroll a WebAuthn-enabled device. Your browser will now prompt you to use the device. This can be the fingerprint sensor or a button on the USB stick that has to be pressed or touched. If the device is successfully detected, the browser popup will disappear and a text field will appear in the web interface where you can enter a name for the device. This name has no other function than to allow you to identify the device in the list of enrolled devices. Complete the configuration by clicking Add. The device is now successfully enrolled. You can enroll as many devices as you like.

At the next login, after entering the password, you will be prompted to select one of the enrolled two-factor authentication methods. Select WebAuthn device (WebAuthn Gerät) from the list and then Use a WebAuthn device to start the authentication. Now you need to activate the device again, either by fingerprint, facial recognition or keystroke, to complete the login.

 

Creation of backup codes

Creating backup tokens and logging in with them

In case you do not have the second factor at hand, for example because the device is defective or lost, you can create so-called backup codes that you can use instead of the second factor.

In the Settings, open the section Security and there the section Two-factor authentication. In the section Backup-Code, select the button Renew backup codes to generate 10 new codes. You can print these out, or save them securely. It also doesn't hurt to have a backup code in your wallet in case you need to securely log into the CAU Cloud while traveling.

Later, under this menu item you will also have the option of checking how many of the backup codes have already been used. This can be helpful if you are not sure whether you have lost these backup codes and thus an equivalent second factor. You can also create new backup codes here at any time; the old ones then become invalid.

At the next login, after entering the password, you will be prompted to choose one of the enrolled two-factor authentication methods. Select Use backup code from the list, then enter one of the codes in the text field and confirm the entry with Enter or Submit to complete the login.
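The backup-code behaviour described above (10 codes per renewal, each usable once, a used-code counter, renewal invalidating the old set), modelled as an added example that is not CAU Cloud code. The class name, the code format and the choice to store only SHA-256 digests are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10  # renewing generates 10 new codes, as stated above


class BackupCodes:
    """Hypothetical server-side store of single-use backup codes."""

    def __init__(self):
        self._codes = []  # entries are [sha256 hex digest, used flag]

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def renew(self) -> list:
        """Create a fresh set; replacing the list invalidates every old code."""
        plain = [secrets.token_hex(8) for _ in range(CODE_COUNT)]
        self._codes = [[self._digest(c), False] for c in plain]
        return plain  # shown to the user once; only digests are kept

    def redeem(self, code: str) -> bool:
        """Accept a code at most once, comparing digests in constant time."""
        wanted = self._digest(code.strip().lower())
        for entry in self._codes:
            if not entry[1] and hmac.compare_digest(entry[0], wanted):
                entry[1] = True
                return True
        return False

    def used(self) -> int:
        """Number of codes from the current set that have been spent."""
        return sum(1 for _, flag in self._codes if flag)


if __name__ == "__main__":
    store = BackupCodes()
    first_set = store.renew()
    print("login with a code:", store.redeem(first_set[0]))
    print("same code again:", store.redeem(first_set[0]))
    print("used so far:", store.used())
    store.renew()
    print("old code after renewal:", store.redeem(first_set[1]))
```
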

 

Creation of app passwords

Creating an app password

The CAU Cloud offers the option of generating application-specific passwords. This may be desired for two reasons: firstly, to be able to deactivate the access of individual applications later in the web interface, and secondly, when using two-factor authentication, if the application itself does not support it. This works because application-specific passwords are always valid without a second factor!

In the Settings, open the section Security and there the section Devices & sessions. At the end of the list of logged-in devices and clients you can enter the name of the application in the text field and generate an app password using the button Create new app password.

The generated app password is now displayed once in your browser. If you want to use the app password again later, please save it in a safe place. As a rule, however, it makes more sense to generate additional passwords for further applications, whose access can also be blocked again individually. You can then use this password to log in to your application.

Some programs also offer the option to transfer the app password by scanning a QR code, so you don't have to type it out. After clicking on Show QR code for mobile apps, you can scan the QR code.