Multi-factor authentication in ProxyIdP

ProxyIdP offers a more secure way of authentication on top of passwords – the so-called Multi-Factor Authentication (MFA). Once activated, an additional form of authentication is required in addition to the required password, for example in the form of a verification code. This function makes it more difficult for potential attackers to misuse someone else’s account.

Multi-Factor Authentication as described here applies only to services that use ProxyIdP.

About ProxyIdP Multi-Factor Authentication

Within ProxyIdP MFA, the verification code method (TOTP) must be set first.
Subsequently, a security key (WebAuthn) can be used together with the verification codes.

	Passwords	Verification codes (TOTP)	Security keys (WebAuthn)
Protection against misuse of stolen passwords	✗	✔	✔
Protection against guessing of passwords	✗	✔	✔
Protection against simple phishing	✗	✔	✔
Protection against advanced phishing	✗	✗	✔
Availability on all IT devices	✔	✔	✗

Multi-factor authentication	Identity verification using two or more authentication factors (e.g. something I know + something I have).
Security key	Usually a physical or a virtual device used for identity verification based on a secret key.
Verification codes	One-time codes with limited time validity, generated by an authentication app, e.g. Aegis.
Recovery codes	One-time codes which can be generated during initial setup and saved or printed. They can be used to authenticate in case of losing all other authentication devices.
Tokens	Means of authentication other than a password or a PIN, including security keys, verification codes and recovery codes.

Verification codes (TOTP)

Before setting up Multi-Factor Authentication using authentication codes, you need to have a mobile app that generates the codes. We recommend using Aegis Authenticator for Android and Raivo OTP for iOS, also you can check the https://perunaai.atlassian.net/wiki/spaces/PERUN/pages/198213656. You then need to add a token for the authentication codes in the ProxyIdP Multi-Factor Authentication settings and link them together.

Copy and paste the code displayed in the app or copy and paste it when logging in. Every 30 seconds the code is updated and a new one is displayed. The advantage of this authentication method is that you can use the code to log in on any device, such as a computer in the university PC room.

To activate Multi-Factor Authentication, you will need a mobile phone with your preferred app when logging in to selected services and systems on other devices.

Aegis Authenticator for Android	Raivo OTP for iOS

Aegis Authenticator for Android	Raivo OTP for iOS

Security keys (WebAuthn)

Security keys offer maximum levels of security, it authenticates the device using so-called "asymmetric cryptography". A computer or smartphone can be used as a security key if it supports this function. When logging in, depending on the type of your device you need to either confirm a notification, use your fingerprint or facial recognition.

If you are not sure whether your device can be used a security key, you can test it here: https://webauthn.io/?regUserVerification=discouraged&attestation=none&attachment=platform&algES256=true&algRS256=true&discoverableCredential=preferred&authUserVerification=discouraged Enter any username, e.g. “test”, and click register. If the registration is successful, your device has the security key capability and can be used for ProxyIDP MFA.

Another option is to use a key fob that can be connected to both your computer and phone - such as YubiKey, GoTrust Idem Key or SoloKey. Authentication with a key fob usually means just one extra key press.

Adding the first token automatically sets up Multi-Factor Authentication for all IT services under MUNI Unified Login. Managing for which services multi-factor authentication is enabled is possible in the User Profile.

Backup codes for restoring access

As a part of the initial set up of Multi-Factor Authentication, a set of backup codes is generated. These are used in case all registered devices are lost and access has to be restored. The codes can be saved in PDF or printed out.