

Data protection information MFA

Information on the use of multi-factor authentication (MFA)

We use data protection-friendly multi-factor authentication (MFA) to protect your user accounts. This measure serves to increase security when accessing our systems and services.

 

What is MFA?

MFA is a security procedure that protects access to a system or account by requiring multiple authentication methods. Unlike traditional authentication, which only requires a username and password, MFA adds at least one additional layer of security.
This security layer can be a physical device, such as a smartphone or tablet. Users must be in possession of this device to authenticate themselves. To do so, they confirm the login or enter a numeric code using one of the authentication variants listed below (e.g., an app).
By combining multiple factors, in this case the password and the code from the selected authentication method, security within the UR is increased because a potential attacker must gain access to not just one factor, but several at the same time. Therefore, multi-factor authentication helps to improve the security of user accounts, systems, and sensitive information and protects against unauthorized access, even if one authentication factor is compromised.

 

Technology used

Our MFA solution is based on Microsoft Entra MFA in combination with federated login. Authentication takes place via our own identity infrastructure. Passwords and password hashes are never transmitted to Microsoft.

 

Selection and administration of factors

As a user, you have the option of deciding for yourself which additional security factors you would like to use for logging in. Administration of these factors is carried out via the Entra ID user portal (formerly Azure AD).

The following options are available:

  • Phone (SMS): A one-time code is sent to your mobile number via SMS.
  • Phone (call): You will receive an automated call to confirm your login. Business or private telephone numbers, landline or mobile can be stored.
    • barrier-free, suitable for people with impaired vision
  • Microsoft Authenticator app: push notification or code entry via the app.
    (Recommended and fully supported solution; possible on common iOS and Android devices)
  • FIDO2 security key: Hardware-based authentication via USB or NFC devices, for example.
    • low-barrier, suitable for people with impaired vision
    • particularly data-efficient
  • TOTP token: Time-based one-time passwords (e.g. via hardware tokens or apps).
    • low-barrier, suitable for people with impaired vision
    • particularly data-efficient when used with a separate hardware token
    • also possible via authenticator app
  • Windows Hello for Business: Available for business Windows PCs.
    Biometric login (e.g. facial recognition or fingerprint) or PIN, which is stored locally on the device. Login is password-free and fulfils high security and data protection standards.
    • low-barrier, suitable for people with impaired vision
    • particularly data-efficient (especially PIN)
  • Authentication apps from other providers: e.g. Google Authenticator, Authy or similar.
    • no support from Servicedesk possible

The use of these factors is voluntary, but at least a second factor is required to enable access to protected services.

 

Overview of data processing

Method                                         Data processing / forwarding
---------------------------------------------  -----------------------------------------------------------------------
FIDO2                                          Minimal: no personal data, no centralised storage
Windows Hello for Business                     Locally stored biometric data or PIN, no transmission to Microsoft
TOTP (e.g. Authenticator app)                  Only local codes, no data transmission during use
Microsoft Authenticator (push)                 IP address and device information are transmitted to Microsoft
Phone (SMS/call)                               Phone number is processed and transmitted to telecommunications provider
Third-party apps (e.g. Google Authenticator)   Local, but depends on the provider; observe data protection guidelines

 

Data protection and data storage

We attach great importance to the protection of your personal data. The MFA data (e.g. telephone numbers or registered devices) are used exclusively to perform authentication and are processed in accordance with the applicable data protection laws.

  • No transmission of passwords to third parties
  • No profiling or use for other purposes
  • Data is stored exclusively in the EU or in accordance with the requirements of the GDPR

 

Legal basis

As a state institution, UR is legally obliged to ensure IT security. Access to information systems should be protected by additional factors in addition to a query of the access data (computer center account and password). The introduction of MFA is therefore based on Art. 6 (1) lit. c GDPR in conjunction with Art. 43 (1) BayDiG. This obligation is specified in Art. 42 (1) No. 3 BayDiG in conjunction with the guidelines of the State Office for Information Security (LSI), available at leitfaden_phishing-resistente-mfa_v1-1.pdf.

 

Your rights

You have the right at any time to

  • Information about the data stored about you
  • Correction of incorrect data
  • Erasure or restriction of processing, provided there are no statutory retention obligations
  • Objection to the processing of your data within the scope of MFA

Further information can be found in our privacy policy.
