Question 1

How do I get my first APP-Token as a student?

Accepted Answer

As a student, you will receive your APP-Token during account activation directly in the 2FA Portal. Follow these steps: 1. Log in to the 2FA Portal 2. Select 'Initial Token Issuance' for students 3. Install the compatible app (Uni Marburg App or 2FAS) 4. Scan the QR code with your authenticator app 5. Confirm registration with the 8-digit code from the app

Question 2

Can I use the APP-Token list from the examination office for login?

Accepted Answer

Yes! The APP-Token list you received from the examination office or for exam registrations is already a complete APP-Token. You can use this list to log in to the 2FA Portal itself as well. The codes on the list are identical to those that an authenticator app would generate. Important: Keep this list secure and use the codes in sequence. Each code can only be used once.

Question 3

How do I activate an APP-Token received by mail?

Accepted Answer

If you received an unactivated QR code by mail or at a support office, follow these steps: 1. Install the compatible authenticator app (Uni Marburg App or 2FAS) 2. Open your app and use the scan function 3. Scan the QR code from the letter 4. Visit the activation page of the 2FA Portal 5. Accept the terms of use 6. Enter your username, realm, and password + 8-digit code 7. Click 'Proceed' - your token is now active

Question 4

How do I create an additional APP-Token if I already use 2FA?

Accepted Answer

If you already have an active token (YubiKey, TAN list, or another APP-Token), you can add more app tokens anytime: 1. Log in to the 2FA Portal with your password + code from your active token 2. Go to 'Token Issuance' in the menu 3. Select 'App-Token' as the token type 4. Scan the QR code that appears with your authenticator app 5. Immediately enter the new 8-digit code to confirm 6. Your new app token is activated and ready to use

Question 5

Which authenticator apps are supported?

Accepted Answer

Recommended: Uni Marburg App, 2FAS Authenticator, Proton Authenticator, KeePassXC. NOT supported: Google Authenticator and Microsoft Authenticator (do not support SHA-512 and 8-digit one-time passwords). Important: New apps generate 8-digit codes (previously 6-digit).

Question 6

How do I use my APP-Token to log in?

Accepted Answer

The APP-Token is required when logging into 2FA-protected services: 1. Open your authenticator app 2. Note the current 8-digit code (updates every 30 seconds) 3. Enter the code when requested - for combined input: password + code without spaces, for separate input: code in separate OTP field 4. The code is time-limited - use it quickly 5. If expired: Wait for the new code and try again

Question 7

What are the backup and security recommendations?

Accepted Answer

Set up an additional backup token stored securely. This could be: A second APP-Token on another device, a YubiKey as hardware backup, or a TAN list (for emergencies). Why a backup? In case your smartphone is lost or damaged, technical failures, or data loss - you remain capable of action. Store backups safely in a vault or safe.

Question 8

How do I request a new APP-Token or block an existing one?

Accepted Answer

Self-service in the 2FA Portal: Log in and go to 'Manage Tokens'. There you can block/deactivate existing tokens or create new ones. For special cases, use the forms - Token request and Token blocking/status report on the university website. Students use self-service or apply, staff receive tokens from personnel department, guests/partners apply via form.

Question 9

Who can help me if problems occur?

Accepted Answer

The HRZ (University Computing Center) supports you: Email: 2fa@hrz.uni-marburg.de, Phone: +49 6421 28-28282, Address: Hans-Meerwein-Straße 6, 35032 Marburg, Hours: Monday-Friday, 8:00-17:00. Common issues: Token does not work (check app compatibility), code not accepted (make sure no space), token lost (block it immediately), device lost (report to HRZ).

Question 10

I don't want to use a smartphone - are there alternatives?

Accepted Answer

Yes! If you prefer not to use a smartphone, you have these options: 1. YubiKey Token (hardware key, no app required) - recommended for daily use 2. Paper Token (150 pre-printed TANs, available in person at IT service desk) - not recommended for permanent use, ideal as backup or for rare logins 3. TAN Token (self-printed) - from fall 2026 only usable as backup for the 2FA Portal 4. KeePassXC or similar desktop manager (for computers) 5. Contact HRZ for advice on digital detox solutions: 2fa@hrz.uni-marburg.de. HRZ can help you find a 2FA solution that doesn't require a smartphone.

Question 11

My token is lost or stolen - what should I do?

Accepted Answer

Act quickly: 1. Report the loss/theft to HRZ immediately via email (2fa@hrz.uni-marburg.de) or phone (+49 6421 28-28282) 2. The token will be deactivated/blocked 3. Request a new token (use the online form or 2FA Portal if possible) 4. Activate the new token according to the instructions 5. Check your audit log in the portal for suspicious activity. Important: The faster you act, the better you are protected!

Question 12

How do I transfer my app token to a new smartphone?

Accepted Answer

To switch to a new device: 1. Install the authenticator app (Uni Marburg App or 2FAS) on the new phone 2. Log in to the 2FA Portal with an active token 3. Go to Token Issuance and create a new app token 4. Scan the QR code with the app on your new phone 5. Enter the 8-digit code to confirm 6. Optionally delete the old app from your old phone. Recommendation: Create the new token before giving away or wiping the old device!

Question 13

How should I store my YubiKey safely?

Accepted Answer

Tips for safely storing your YubiKey: 1. Staff members: Attach the YubiKey to your keychain (like your keys and access card) - DO NOT store it in your laptop bag! 2. Store it separately from your password 3. Protect it from physical damage (water, extreme heat) 4. Use a backup token (e.g., TAN list or second app token) in case of loss 5. If you no longer need the token, return it to HRZ. Important: The YubiKey is robust and should always be within reach - best on your keychain!

Question 14

How can I delete or deactivate my token?

Accepted Answer

In the 2FA Portal under Manage Tokens you have two options: 1. Deactivate (token remains visible): Click Deactivate - the token no longer works 2. Delete (token is removed): After deactivation, you can delete the token - it will be completely removed. Important: Make sure you still have at least one active token! Otherwise you won't be able to log in. Need help? Contact HRZ.

Question 15

What changes in autumn 2026 for self-printed TAN tokens?

Accepted Answer

Starting in autumn 2026, self-printed TAN tokens will have a major limitation: 1. They can only be used to log in to the 2FA Portal itself 2. Usage at other 2FA-protected services will no longer be supported 3. Recommendation: Switch to an App Token (recommended) or request a YubiKey now 4. Contact HRZ if you have questions about migration. Hint: App Tokens and YubiKey provide better protection!

Question 16

Why does the 2FA Portal use SHA-512 and 8-digit one-time passwords?

Accepted Answer

HRZ prioritizes strong security: 1. SHA-512: This is a highly secure encryption algorithm that is significantly stronger than the older SHA-1. It protects your one-time passwords from unauthorized access 2. 8-digit codes: With 8 digits instead of 6, security is increased 100-fold. This makes it much harder for codes to be guessed or compromised 3. Combination: SHA-512 + 8-digit codes provide maximum protection for your accounts. This is the current security standard for modern 2FA systems 4. Long-term security: HRZ deliberately implements the higher security standard now so you won't be forced into another update in one or two years. With growing AI capabilities and computing power, we must act proactively, not reactively. This protects you in the long term from repeated forced migrations. Important: Google Authenticator and Microsoft Authenticator do not support these new security standards - use the Uni-App or 2FAS instead!

Question 17

Do I need to verify the QR code after scanning it?

Accepted Answer

Yes, verification is essential! After scanning the QR code, you must validate the code IMMEDIATELY: 1. The app shows you an 8-digit code that changes every 30 seconds 2. Enter this code right away - this is the crucial verification 3. Without this confirmation, the token will not be activated 4. This applies to app tokens for both initial setup and with every new token 5. If it expires: If the code expires during entry, don't worry - wait for the next code and try again. This verification is important to ensure that the app is truly synchronized with your token!

Question 18

What should I do if I don't have a working token for Marvin or other 2FA services?

Accepted Answer

If you can't log in because you don't have a token: 1. First step: Quickly request a new token (online form or HRZ) 2. For exam registrations: There is a special emergency request form on the university website 3. Contact HRZ by phone for quick help: +49 6421 28-28282 4. Also inform your exam office or dean if deadlines are affected 5. HRZ can offer solutions in emergencies! Act quickly - the sooner you report, the better!

Question 19

Can I use my private YubiKey as a hardware token?

Accepted Answer

Yes! If you already own a YubiKey privately, we can support you in setting up this hardware token for your university services so it becomes functionally equivalent to an official service token: 1. On-site initialization: To securely link your YubiKey to your university account, you must surrender the device to the IT service desk in person. We configure the key for you with an HOTP token 2. Configuration protection (slot lock): During setup, the corresponding slot on your YubiKey is locked with a password. This prevents the university configuration from being accidentally overwritten or deleted 3. Usage: After that, you can use the YubiKey exactly like a device issued by the university - to log in to all 2FA-protected services 4. Return/End of studies: If you leave the university or want to free up the slot again, the key must be returned to the IT service desk. We will unlock the slot for you so you can use the device in factory state again 5. Requirements: Contact HRZ with your YubiKey for setup: 2fa@hrz.uni-marburg.de

Question 20

What is a Paper Token?

Accepted Answer

The Paper Token is a purely analog solution for users who cannot or do not want to use technical devices: 1. Capacity: A paper token contains 150 one-time passwords (8-digit). You can receive a maximum of two tokens per person 2. Scope of use: The Paper Token serves as an analog alternative for rare logins or as an emergency backup. Due to the high manual effort, it is NOT recommended for daily, frequent logins 3. How to obtain: The token is issued exclusively in person upon presentation of a photo identification (ID card, passport or similar) at the IT service desk 4. Usage: You cross off used TANs and use them in sequence. Each TAN can only be used once 5. Important: Store your paper token securely - it is a valuable emergency backup!

Question 21

What is the difference between a Paper Token and a TAN Token?

Accepted Answer

Important: Don't confuse them! These are two different token types: 1. Paper Token: A completely analog solution with 150 pre-printed TANs. Obtained only in person at the IT service desk with photo ID. Maximum 2 per person. More for emergencies/rare logins 2. TAN Token (self-printed): A token that you can issue for yourself in the 2FA Portal and print out. New: These tokens have 12 TANs to print. Scope: Previously for all 2FA services, from fall 2026 only as backup to the 2FA Portal itself 3. Commonality: Both contain 8-digit one-time passwords (TANs) that you use and cross off in sequence 4. Recommendation: We recommend App-Token or YubiKey. TAN-Token will become a backup token. The Paper Token is only intended for special emergency situations

Question 22

What is FIDO2 and Passkeys? Will the 2FA Portal support these?

Accepted Answer

We are currently working on supporting FIDO2 and Passkeys. This method will significantly simplify login as the manual entry of 8-digit codes becomes unnecessary. Benefits for you: Once this method is activated, you can use a wide range of secure devices: 1. Hardware keys: Any FIDO2-capable device such as the YubiKey, Nitrokey, or Google Titan Key 2. Browser integration: Using modern standards like Windows Hello (facial recognition/PIN) or macOS Touch ID (fingerprint) 3. Convenience: No more long codes - just touch, scan, or authenticate 4. Security: FIDO2 is an established standard with high security and is used globally by universities and companies 5. Information: We will inform you here and by email as soon as FIDO2 device registration is available in the portal. Stay tuned - this will be a great addition to our 2FA system!

Hauptinhalt

Privacy Policy

General information about the processing of your data

Scope

Name and address of the responsible person

Data protection officer

Processing your data

Legal basis for the processing of personal data

Access data

Local Google Fonts

Matomo Web Analytics (Self-Hosted)

Links to websites of other providers

Recipients of your data in case of legal or judicial obligation

Your rights

Validity