Setting up two-factor authentication for the AGH SSO
In order to improve the security of your account and its data, we recommend you to set up two-factor authentication for services using the AGH SSO.
IMPORTANT INFORMATION
We strongly suggest setting up more than one two-factor authentication method, e.g., an OTP app and a Yubikey.
It will protect you from losing access to the AGH systems in case of losing your phone.
If you cannot set up any other 2FA method, you must create a back-up copy of your OTP app credentials. Details here.
If you do not do that, you will have to visit the IT Solutions Centre with your personal ID card to regain access to the AGH systems.
There are three different two-factor authentication methods available:
- a mobile app that generates time-based one-time passwords (TOTP),
- WEBAUTHN (using a physical "Yubikey" key),
- a physical key – "Yubikey".
- Log in at sso.agh.edu.pl using your AGH e-mail credentials (Logging into AGH SSO).
- After clicking on the "Connected as <e-mail address>" link, choose "2ndFA Manager" from the drop-down menu.
- Choose the verification method you'd like to configure:
- OTP app,
- physical key - WEBAUTHN,
- physical key - Yubikey.
TOTP - mobile app authentication
TOTP (Time-based one-time password) is the fastest and most popular authentication method, which is available for both Android and iOS. Those kinds of apps read QR codes or 32-digit access keys.
The IT Solutions Centre recommends using 2FA Authenticator (2FAS), a free 2FA app available in Google Play and App Store.
-
Download the app dedicated to your operational system.
-
Open the 2FAS app you have installed earlier and go through the tutorial by pressing "Continue". To add an account, press the "+" button (located in the top right or bottom right corner, depending on the device) or the "Pair new service" button.
- Scan the QR code or enter the 32-character key into the app. Both the QR code and the key will be displayed in the AGH SSO after selecting the OTP APP in the 2FA Manager.
-
The mobile app has been paired with your AGH SSO account and two-factor authentication has been enabled.
Attention
We recommend that you back up your credentials. In the 2FAS application, you can do this in 2 ways:
- Cloud backup – this is enabled by default. The backup automatically saves to your Google or iCloud account. If you accidentally delete the app from your device or lose access to your phone, your paired services data is automatically restored when you reinstall it.
- Export data to file – you can also export the backup to a file, which you can then import to another device. To do this, click on "Settings" -> "2FAS backup" and select "Export/Export to file". The file will be saved in the phone's memory.
WEBAUTHN - physical key
You can also use a physical key (e.g., Yubikey) as a second factor for authentication into AGH SSO.
- Choose the "WEBAUTHN" option in the 2ndFA Manager.
- Insert the physical key into the USB port and make sure that the "Security key setup" pop-up displays "sso.agh.edu.pl" as the service you are trying to add your physical key to. Press "OK".
- You may be prompted to set up a PIN code for your physical key – enter it. Then you will receive a prompt to press the Yubikey button to connect the device with the AGH SSO. Hold and press the button for about 3 seconds.
-
Your Yubikey has been paired with your AGH SSO account and configured as a second factor for authentication.
-
You can view the list of your 2ndFA devices by selecting "2ndFA Manager".
"Yubikey" - physical key
You can also use a physical key (e.g., Yubikey) as a second factor for authentication into AGH SSO.
- Choose the "YUBIKEY" option in the 2ndFA Manager.
- Enter the name for your physical key so it is easily recognizable and select the "Id" field. Insert your physical key into the USB port and press its button.
