Studo supports the TOTP (Time-Based One-Time Password Algorithm) standard defined in RFC 6238. Many universities use this standard to improve the security of their login. In this common type of 2-factor authentication (2FA), unique numeric passwords are generated using a standardized algorithm. These time-based passwords are available offline and provide enhanced account security in a user-friendly way.
You can find the Studo Authenticator in the side menu of the Studo app. Make sure you have updated the Studo app to version 4.45 or higher to use this feature.
The TOTP standard is also often referred to as MFA, 2FA via QR code, OTP, Login with Google Authenticator, or Login with Microsoft Authenticator. In short, this standard describes how to generate a TOTP code and how to display the QR code so that the TOTP code can be used with all compatible authenticator apps. By supporting the TOTP standard, Studo Authenticator can also be used with many other applications that use two-factor authentication. Well-known services that support the TOTP standard are: 1Password, Amazon, Apple/iCloud, Coinbase, Discord, Dropbox, Facebook, Firefox Account, GitHub, GitLab, GMX, Google/Gmail/YouTube, LastPass, LinkedIn, Microsoft/OneDrive/Outlook/Xbox, Nintendo, OwnCloud, PayPal, PlayStation Network, Protonmail, Slack, TeamViewer, Twitch, Zoom.
To ensure maximum compatibility, Studo supports the HMAC hash algorithms SHA-1, SHA-256 and SHA-512; code lengths of 6 to 8 digits; and time step lengths of 1 s to 3600 s. If a different algorithm or configuration value is required, please contact us at Studo Support.
The most common way to use TOTP is to set up an authenticator app (Google Authenticator, Microsoft Authenticator, privacyIDEA, Studo Authenticator or similar) on your smartphone, which then generates the TOTP codes.
If a fully separate second factor matters to you for security or privacy reasons, we recommend using a standalone 2FA device that is used exclusively for generating TOTP codes and has no Internet access. This eliminates an entire category of attack vectors. The disadvantage is that, unlike 2FA software apps, 2FA hardware is not free. Manufacturers of such hardware include the Swiss company Token2, the British company Microcosm, and the Irish company Protectimus. Note that the hardware must support the RFC 6238 standard with the parameters/algorithms required for your particular login.
Are the TOTP codes synchronised?
For privacy and security reasons, the information used to generate the numeric passwords (technically: the TOTP secret) is stored only locally, encrypted, on your device. You can use the QR code as a backup, to use the TOTP codes on multiple devices at the same time, or to transfer them from one device to another: store the QR code you use to set up 2-factor authentication in a safe place before scanning it.
Are you having trouble using the numeric passwords?
Since the numeric passwords are time-based, the clock of the device on which Studo Authenticator is used must be accurate. A difference of only 1 minute already causes the generated codes to be incorrect. For this reason, please enable the option "Set time automatically" in the Android or iOS system settings, or synchronise your device's time to the second.
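To make the supported parameters (hash algorithm, code length, time step), the QR-code backup and the clock requirement concrete, here is an added Python example; it is not Studo's code and not part of the original article. It implements a minimal RFC 6238 generator and verifier, parses the otpauth:// URI that a setup QR code carries, and shows why a device clock that is one minute off produces codes a verifier rejects. The secret is the RFC 6238 test secret; the university label, issuer and URI are constructed, and the one-step tolerance in the verifier is an assumption about typical servers, not a Studo setting.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Hash functions the article lists, keyed by the label used in otpauth:// URIs.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if not 6 <= digits <= 8:
        raise ValueError("code length must be 6-8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F                            # low nibble of last byte selects 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if not 1 <= period <= 3600:
        raise ValueError("time step must be 1-3600 seconds")
    return hotp(secret, unix_time // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", window: int = 1) -> bool:
    """Server-side check (assumed typical policy): accept the code for the current
    step and `window` neighbouring steps on each side, comparing in constant time."""
    counter = unix_time // period
    return any(
        hmac.compare_digest(hotp(secret, c, digits, algorithm), code)
        for c in range(counter - window, counter + window + 1)
    )


def code_from_skewed_device(secret: bytes, true_time: int, skew_seconds: int,
                            period: int = 30) -> bool:
    """Would a code produced by a device whose clock is off by `skew_seconds`
    pass a verifier that allows one step of tolerance?"""
    code = totp(secret, true_time + skew_seconds, period)
    return verify_totp(secret, code, true_time, period, window=1)


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth://totp/... URI carried by a setup QR code into the
    parameters the generator needs. Missing parameters fall back to RFC defaults."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret_b32 = params["secret"].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)         # many issuers strip base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32,
# wrapped in a hypothetical university's enrolment URI (label and issuer invented).
SAMPLE_URI = ("otpauth://totp/Example%20University:student%40example.edu"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20University"
              "&algorithm=SHA1&digits=8&period=30")

if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    # RFC 6238 test vector: T=59 with 8 digits and SHA-1 gives 94287082
    print(cfg["label"], totp(cfg["secret"], 59, cfg["period"], cfg["digits"], cfg["algorithm"]))
    # Constructed instant 29 s into a 30 s step; compare small drift with a full minute
    for skew in (0, 10, 60, -60):
        print(f"device clock off by {skew:+d}s -> accepted: "
              f"{code_from_skewed_device(cfg['secret'], 89, skew)}")
```

The skew loop shows the mechanism behind the advice above: with 30-second steps, a clock that is 60 seconds off always lands exactly two steps away from the server's counter, so even a verifier that tolerates one neighbouring step rejects every code, whereas drift of a few seconds only occasionally crosses a step boundary and is absorbed by that tolerance.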
Why does my university now have 2-factor authentication?
2-factor authentication (2FA) makes your university account more secure for several reasons:
With 2-factor authentication, your university credentials consist not only of your password but also of a code that changes continuously. If you unintentionally entered your access data on a malicious website during a phishing attack, that access would only be valid for a few seconds. The same applies if someone watched you enter your access data: here, too, attackers would have only a few seconds to use it, which is usually not enough for a realistic attack scenario. You can find more information on phishing here: https://faq.studo.com/en/articles/3759285-phishing-and-spam-mails.
In addition, 2FA protects you against so-called password reuse attacks: when usernames, emails and passwords are published or sold after a system has been hacked, they are often also tried at your university. You can check at https://haveibeenpwned.com/ whether your email address has already appeared in a data breach (note that the breaches indexed on this website do not claim to be complete). If your email address was in a data breach together with the same password that you use for your university, attackers could simply use it to log in to your university account. Thanks to 2-factor authentication, this is not possible, because the attackers would not have the 2-factor code. You can find more information on password reuse attacks at: https://www.dashlane.com/blog/how-password-reuse-leads-to-vulnerabilities.
The fact that all users at a university must use 2-factor authentication makes the system as a whole more secure: this reduces the risk of phishing and protects your personal account even better.