MUNI Unified Login offers multi-factor authentication using TOTP and WebAuthn. Users may also generate backup OTP codes for regaining access in case they lose their tokens. Detailed instructions can be found here.
TOTP is a standard method for generating one-time codes, defined in RFC 6238 and used by many commercial services. A TOTP app shares a secret with the server and generates time-limited numerical codes based on that secret. The most common setting is 6 digits with a validity of 30 seconds.
You may know this method by many alternative names, including “code from verification app”, “verification code”, “authentication code”, “code from authentication app”, “6 digit code from code generator”, “code from Google Authenticator” or “verification code from the Google Authenticator app”.
The advantage of this method is its versatility - you can copy the one-time code from the app on your smartphone to another app, type it on your PC or even a smart TV. The only requirement for the device you want to authenticate on is the ability to enter digits.
You can use any TOTP app, for example one of those listed below. Alternatively, you can use the TOTP capability of your password manager (e.g. Bitwarden or LastPass Authenticator). If you already have a TOTP app installed, you do not have to install another one; you can just add MUNI Unified Login.
|Name||Author||Download||Open source||Last update||Backup, export||Token picture||App lock||Advanced parameters (improved security)|
|Aegis Authenticator||Beem Development||Android||yes||2022||yes||manual setting||yes||yes|
|Google Authenticator||Google||Android, iOS||no||2022||only within the same app||no||no||no|
|FreeOTP||Red Hat||Android, iOS||yes||2016||no||yes||no||yes|
|Microsoft Authenticator||Microsoft||Android, iOS||no||2022||only into Microsoft account||no||yes||no|
|Yubico Authenticator (requires a YubiKey 5 key)||Yubico||Android, iOS, Windows / macOS / Linux||yes||2022||no, keys are inside YubiKey||yes||yes, with YubiKey||yes|
WebAuthn, short for Web Authentication API, is a modern standard created by W3C and FIDO. This method offers a high level of security while protecting your privacy, and it is also easy to use. WebAuthn is often a part of the operating system, so you do not need to install anything on most devices.
You may know this method by different names, including “FIDO2”, “U2F”, “security key verification”, “universal second factor” or simply “security key”.
The advantage of this method is its simplicity - you do not need to grab your smartphone, open an app and type in a code; you just confirm the authentication, e.g. by pressing a button or scanning your fingerprint. You may register various devices and use a different method of authentication on each one, depending on the device’s capabilities.
In order to use WebAuthn, you need to use one of the supported web browsers together with the operating system capability, an app or a physical authenticator (e.g. a YubiKey).
All web browsers officially supported by MUNI Unified Login support WebAuthn authentication.
Operating systems with WebAuthn built in
|Operating system and browser||Built-in WebAuthn||External via USB||External via NFC|
|Android 12, Firefox||yes (fingerprint)||yes||yes*|
|Android 12, Brave/Chrome/Edge||yes (fingerprint)||yes||yes*|
|Android 7, Firefox||yes (fingerprint)||yes*|
|Android 7, Brave/Chrome/Edge||yes (fingerprint)||yes*|
|iOS 15.4.1, Safari||yes (Touch ID)||N/A||yes***|
|Linux, Firefox||N/A (only tpm-fido****)||yes||N/A|
|Linux, Brave/Chrome/Edge||N/A (only tpm-fido****)||yes||N/A|
|macOS 12.2, Safari||** (Touch ID / Face ID)||yes||N/A|
|macOS 12.2, Firefox||** (Touch ID / Face ID)||yes||N/A|
|macOS 12.2, Chrome
|Windows 11, Firefox||yes||yes||N/A|
|Windows 11, Brave/Chrome/Edge||yes||yes||N/A|
* You can use an external authenticator only if you do not have your phone registered as an authenticator (using screen lock). During the registration, you have to hold the keychain precisely against the NFC reader and time it well (let the phone vibrate two times), otherwise the registration will fail.
** Using the built-in WebAuthn of macOS in Firefox and Safari is possible only if the device has Touch ID or Face ID.
*** You have to attach the keychain to the top edge of your phone (align it horizontally); sometimes it might also be necessary to tilt the keychain towards the phone screen. Attach the keychain once you are asked to use Touch ID. If you press “use security key” and then attach the keychain, the registration will succeed, but the operating system dialog will not close automatically - look for a change in the page behind it and, once the registration is complete, close the dialog by tapping next to it. Your device has to be NFC capable (iPhone 7 or newer).
**** The web browser should not run with restricted permissions, e.g. as a snap, because then it does not have permission to access the simulated USB device from tpm-fido.
Tested external authenticators
- YubiKey Security Key
- YubiKey 5
- YubiKey Bio
- GoTrust Idem Key
WebAuthn works with any authenticator which adheres to the standard, but we recommend using a certified FIDO2 device. In case of any problems with a specific device, please contact us.
|Lower protection level||Download the Google Authenticator TOTP app and add one token.|
|Optimal protection level||Choose a TOTP app, register the device as WebAuthn, and save the one-time codes as a backup.|
|Higher protection level||Choose a TOTP app with encrypted backups and purchase two physical tokens for WebAuthn. Then print the backup codes and store them in a vault.|