Main content

Login required

An already active token is required to log in to the 2FA portal.

Please enter your student/staff account here.
Please select your realm here.
Please enter your student/staff password followed directly by your token's one-time password (APP/TAN: 6-8 digits, YubiKey: press button for 48 characters). NOT the serial number!

Frequently asked questions about login

  • To log in to the 2FA portal, first enter your username (student/staff account), the corresponding realm (user group), and your password. Directly after your password comes your 2FA token without any space. You can use one of three tokens: An APP token (e.g. generated via the University of Marburg app), a YubiKey (by pressing the button), or a TAN from your TAN list (paper or TAN token).

  • The 2FA portal accepts three token formats: (1) APP token: 6-8 digit numbers that change every 30 seconds (e.g. via the University of Marburg app). (2) YubiKey: A long character string generated by pressing the YubiKey button. (3) TAN token: A 6-8 digit number from your TAN list (paper token or TAN token). These TANs are consumed after use.

  • The realm selection defines your user group and thus your area in the system. Select "students" if you are a student, "staff" for university employees, or "hrz" for special users of the computing center. The selection is important because each group has different permissions and access options.

  • The most common errors are: (1) Token expired: APP tokens and YubiKey codes are time-bound (valid for approx. 30-60 seconds). Enter the token quickly after your password. (2) Wrong token: You are using an invalid TAN or entering the code incorrectly. (3) Wrong realm: Make sure you have selected the correct realm (students/staff/hrz). (4) Token disabled: If your token has been disabled, contact the IT service desk.

  • Yes, you can have multiple token types registered at the same time. When logging in, simply enter the 2FA code you have available. It is recommended to have at least one APP token as your primary token and one backup token (TAN or YubiKey). If a token is lost or no longer works, you can switch to your backup token.

  • Paper lists that were previously issued by the exam office were migrated to the central 2FA system. During import, these paper lists received a pseudo serial number that begins with the prefix "TAN" for compatibility reasons. This serial number is used exclusively for identification of the token in the system and CANNOT be used for login. To log in, continue to use the printed TANs on your paper list.

FAQ: General 2FA Questions

  • As a student, you will receive your APP-Token during account activation directly in the 2FA Portal. Follow these steps: 1. Log in to the 2FA Portal 2. Select 'Initial Token Issuance' for students 3. Install the compatible app (Uni Marburg App or 2FAS) 4. Scan the QR code with your authenticator app 5. Confirm registration with the 8-digit code from the app

  • Yes! The APP-Token list you received from the examination office or for exam registrations is already a complete APP-Token. You can use this list to log in to the 2FA Portal itself as well. The codes on the list are identical to those that an authenticator app would generate. Important: Keep this list secure and use the codes in sequence. Each code can only be used once.

  • If you received an unactivated QR code by mail or at a support office, follow these steps: 1. Install the compatible authenticator app (Uni Marburg App or 2FAS) 2. Open your app and use the scan function 3. Scan the QR code from the letter 4. Visit the activation page of the 2FA Portal 5. Accept the terms of use 6. Enter your username, realm, and password + 8-digit code 7. Click 'Proceed' - your token is now active

  • If you already have an active token (YubiKey, TAN list, or another APP-Token), you can add more app tokens anytime: 1. Log in to the 2FA Portal with your password + code from your active token 2. Go to 'Token Issuance' in the menu 3. Select 'App-Token' as the token type 4. Scan the QR code that appears with your authenticator app 5. Immediately enter the new 8-digit code to confirm 6. Your new app token is activated and ready to use

  • Recommended: Uni Marburg App, 2FAS Authenticator, Proton Authenticator, KeePassXC. NOT supported: Google Authenticator and Microsoft Authenticator (do not support SHA-512 and 8-digit one-time passwords). Important: New apps generate 8-digit codes (previously 6-digit).

  • The APP-Token is required when logging into 2FA-protected services: 1. Open your authenticator app 2. Note the current 8-digit code (updates every 30 seconds) 3. Enter the code when requested - for combined input: password + code without spaces, for separate input: code in separate OTP field 4. The code is time-limited - use it quickly 5. If expired: Wait for the new code and try again

  • Set up an additional backup token stored securely. This could be: A second APP-Token on another device, a YubiKey as hardware backup, or a TAN list (for emergencies). Why a backup? In case your smartphone is lost or damaged, technical failures, or data loss - you remain capable of action. Store backups safely in a vault or safe.

  • Self-service in the 2FA Portal: Log in and go to 'Manage Tokens'. There you can block/deactivate existing tokens or create new ones. For special cases, use the forms - Token request and Token blocking/status report on the university website. Students use self-service or apply, staff receive tokens from personnel department, guests/partners apply via form.

  • The HRZ (University Computing Center) supports you: Email: 2fa@hrz.uni-marburg.de, Phone: +49 6421 28-28282, Address: Hans-Meerwein-Straße 6, 35032 Marburg, Hours: Monday-Friday, 8:00-17:00. Common issues: Token does not work (check app compatibility), code not accepted (make sure no space), token lost (block it immediately), device lost (report to HRZ).

  • Yes! If you prefer not to use a smartphone, you have these options: 1. YubiKey Token (hardware key, no app required) - recommended for daily use 2. Paper Token (150 pre-printed TANs, available in person at IT service desk) - not recommended for permanent use, ideal as backup or for rare logins 3. TAN Token (self-printed) - from fall 2026 only usable as backup for the 2FA Portal 4. KeePassXC or similar desktop manager (for computers) 5. Contact HRZ for advice on digital detox solutions: 2fa@hrz.uni-marburg.de. HRZ can help you find a 2FA solution that doesn't require a smartphone.

  • Act quickly: 1. Report the loss/theft to HRZ immediately via email (2fa@hrz.uni-marburg.de) or phone (+49 6421 28-28282) 2. The token will be deactivated/blocked 3. Request a new token (use the online form or 2FA Portal if possible) 4. Activate the new token according to the instructions 5. Check your audit log in the portal for suspicious activity. Important: The faster you act, the better you are protected!

  • To switch to a new device: 1. Install the authenticator app (Uni Marburg App or 2FAS) on the new phone 2. Log in to the 2FA Portal with an active token 3. Go to Token Issuance and create a new app token 4. Scan the QR code with the app on your new phone 5. Enter the 8-digit code to confirm 6. Optionally delete the old app from your old phone. Recommendation: Create the new token before giving away or wiping the old device!

  • Tips for safely storing your YubiKey: 1. Staff members: Attach the YubiKey to your keychain (like your keys and access card) - DO NOT store it in your laptop bag! 2. Store it separately from your password 3. Protect it from physical damage (water, extreme heat) 4. Use a backup token (e.g., TAN list or second app token) in case of loss 5. If you no longer need the token, return it to HRZ. Important: The YubiKey is robust and should always be within reach - best on your keychain!

  • In the 2FA Portal under Manage Tokens you have two options: 1. Deactivate (token remains visible): Click Deactivate - the token no longer works 2. Delete (token is removed): After deactivation, you can delete the token - it will be completely removed. Important: Make sure you still have at least one active token! Otherwise you won't be able to log in. Need help? Contact HRZ.

  • Starting in autumn 2026, self-printed TAN tokens will have a major limitation: 1. They can only be used to log in to the 2FA Portal itself 2. Usage at other 2FA-protected services will no longer be supported 3. Recommendation: Switch to an App Token (recommended) or request a YubiKey now 4. Contact HRZ if you have questions about migration. Hint: App Tokens and YubiKey provide better protection!

  • HRZ prioritizes strong security: 1. SHA-512: This is a highly secure encryption algorithm that is significantly stronger than the older SHA-1. It protects your one-time passwords from unauthorized access 2. 8-digit codes: With 8 digits instead of 6, security is increased 100-fold. This makes it much harder for codes to be guessed or compromised 3. Combination: SHA-512 + 8-digit codes provide maximum protection for your accounts. This is the current security standard for modern 2FA systems 4. Long-term security: HRZ deliberately implements the higher security standard now so you won't be forced into another update in one or two years. With growing AI capabilities and computing power, we must act proactively, not reactively. This protects you in the long term from repeated forced migrations. Important: Google Authenticator and Microsoft Authenticator do not support these new security standards - use the Uni-App or 2FAS instead!

  • Yes, verification is essential! After scanning the QR code, you must validate the code IMMEDIATELY: 1. The app shows you an 8-digit code that changes every 30 seconds 2. Enter this code right away - this is the crucial verification 3. Without this confirmation, the token will not be activated 4. This applies to app tokens for both initial setup and with every new token 5. If it expires: If the code expires during entry, don't worry - wait for the next code and try again. This verification is important to ensure that the app is truly synchronized with your token!

  • If you can't log in because you don't have a token: 1. First step: Quickly request a new token (online form or HRZ) 2. For exam registrations: There is a special emergency request form on the university website 3. Contact HRZ by phone for quick help: +49 6421 28-28282 4. Also inform your exam office or dean if deadlines are affected 5. HRZ can offer solutions in emergencies! Act quickly - the sooner you report, the better!

  • Yes! If you already own a YubiKey privately, we can support you in setting up this hardware token for your university services so it becomes functionally equivalent to an official service token: 1. On-site initialization: To securely link your YubiKey to your university account, you must surrender the device to the IT service desk in person. We configure the key for you with an HOTP token 2. Configuration protection (slot lock): During setup, the corresponding slot on your YubiKey is locked with a password. This prevents the university configuration from being accidentally overwritten or deleted 3. Usage: After that, you can use the YubiKey exactly like a device issued by the university - to log in to all 2FA-protected services 4. Return/End of studies: If you leave the university or want to free up the slot again, the key must be returned to the IT service desk. We will unlock the slot for you so you can use the device in factory state again 5. Requirements: Contact HRZ with your YubiKey for setup: 2fa@hrz.uni-marburg.de

  • The Paper Token is a purely analog solution for users who cannot or do not want to use technical devices: 1. Capacity: A paper token contains 150 one-time passwords (8-digit). You can receive a maximum of two tokens per person 2. Scope of use: The Paper Token serves as an analog alternative for rare logins or as an emergency backup. Due to the high manual effort, it is NOT recommended for daily, frequent logins 3. How to obtain: The token is issued exclusively in person upon presentation of a photo identification (ID card, passport or similar) at the IT service desk 4. Usage: You cross off used TANs and use them in sequence. Each TAN can only be used once 5. Important: Store your paper token securely - it is a valuable emergency backup!

  • Important: Don't confuse them! These are two different token types: 1. Paper Token: A completely analog solution with 150 pre-printed TANs. Obtained only in person at the IT service desk with photo ID. Maximum 2 per person. More for emergencies/rare logins 2. TAN Token (self-printed): A token that you can issue for yourself in the 2FA Portal and print out. New: These tokens have 12 TANs to print. Scope: Previously for all 2FA services, from fall 2026 only as backup to the 2FA Portal itself 3. Commonality: Both contain 8-digit one-time passwords (TANs) that you use and cross off in sequence 4. Recommendation: We recommend App-Token or YubiKey. TAN-Token will become a backup token. The Paper Token is only intended for special emergency situations

  • We are currently working on supporting FIDO2 and Passkeys. This method will significantly simplify login as the manual entry of 8-digit codes becomes unnecessary. Benefits for you: Once this method is activated, you can use a wide range of secure devices: 1. Hardware keys: Any FIDO2-capable device such as the YubiKey, Nitrokey, or Google Titan Key 2. Browser integration: Using modern standards like Windows Hello (facial recognition/PIN) or macOS Touch ID (fingerprint) 3. Convenience: No more long codes - just touch, scan, or authenticate 4. Security: FIDO2 is an established standard with high security and is used globally by universities and companies 5. Information: We will inform you here and by email as soon as FIDO2 device registration is available in the portal. Stay tuned - this will be a great addition to our 2FA system!