MUNI Unified Login


Multi-factor authentication

MUNI Unified Login offers multi-factor authentication using TOTP and WebAuthn. Users may also generate backup OTP codes for regaining access in case they lose their tokens. Detailed instructions can be found here.

TOTP

TOTP is a standard method for one-time code generation, defined in RFC 6238 and used by many commercial services. The TOTP app shares a secret with the server and generates time-limited numerical codes derived from that secret and the current time. The most common setting is 6 digits with a validity of 30 seconds.

You may know this method by many alternative names, including “code from verification app”, “verification code”, “authentication code”, “code from authentication app”, “6 digit code from code generator”, “code from Google Authenticator” or “verification code from the Google Authenticator app”.

The advantage of this method is its versatility: you can copy the one-time code from the app on your smartphone into another app, type it on your PC or even on a smart TV. The only requirement on the device you want to authenticate on is that it lets you enter digits.

You can use any TOTP app, for example one of those listed below. Alternatively, you can use the TOTP capability of your password manager (e.g. Bitwarden or LastPass Authenticator). If you already have a TOTP app installed, you do not have to install another one; you can just add MUNI Unified Login to it.

Overview of TOTP apps

| Name | Author | Download | Open source | Last update | Back up, export | Token picture | App lock | Advanced parameters (improved security) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Aegis Authenticator | Beem Development | Android | yes | 2022 | yes | manual setting | yes | yes |
| Google Authenticator | Google | Android, iOS | no | 2022 | only within the same app | no | no | no |
| FreeOTP | Red Hat | Android, iOS | yes | 2016 | no | yes | no | yes |
| FreeOTP+ | Haowen Ning | Android | yes | 2022 | yes | yes | yes | yes |
| Microsoft Authenticator | Microsoft | Android, iOS | no | 2022 | only into a Microsoft account | no | yes | no |
| Yubico Authenticator (requires a YubiKey 5 key) | Yubico | Android, iOS, Windows / macOS / Linux | yes | 2022 | no, keys are stored inside the YubiKey | yes | yes, with YubiKey | yes |

WebAuthn

WebAuthn, short for Web Authentication API, is a modern standard created by the W3C and the FIDO Alliance. It offers a high level of security while protecting your privacy, and it is also easy to use. WebAuthn support is often part of the operating system, so on most devices you do not need to install anything.

You may know this method by different names, including “FIDO2”, “U2F”, “security key verification”, “universal second factor” or simply “security key”.

The advantage of this method is its simplicity: you do not need to pick up your smartphone, open an app and type in a code; you just confirm the authentication, e.g. by pressing a button or touching a fingerprint reader. You may register several devices and use a different authentication method on each of them, depending on the device's capabilities.

In order to use WebAuthn, you need to use one of the supported web browsers together with the operating system capability, an app or a physical authenticator (e.g. a YubiKey).

All web browsers officially supported by MUNI Unified Login support WebAuthn authentication.

If you want to learn more, check out webauthn.io and webauthn.me.

Operating systems with WebAuthn built in

  • Windows 10+ (Windows Hello)
  • macOS 10.15+ (only some browsers depending on version)
  • Android 7+ (a screen lock has to be set - e.g. a fingerprint or face recognition)
  • iOS 14.5+ (Touch ID, Face ID)
  • For Linux, you can try Rust U2F or tpm-fido.

Tested authenticators

| Operating system and browser | Built-in WebAuthn | External via USB | External via NFC |
| --- | --- | --- | --- |
| Android 12, Firefox | yes (fingerprint) | yes | yes* |
| Android 12, Brave/Chrome/Edge | yes (fingerprint) | yes | yes* |
| Android 7, Firefox | yes (fingerprint) | | yes* |
| Android 7, Brave/Chrome/Edge | yes (fingerprint) | | yes* |
| iOS 15.4.1, Safari | yes (Touch ID) | N/A | yes*** |
| Linux, Firefox | N/A (only tpm-fido****) | yes | N/A |
| Linux, Brave/Chrome/Edge | N/A (only tpm-fido****) | yes | N/A |
| macOS 12.2, Safari | ** (Touch ID / Face ID) | yes | N/A |
| macOS 12.2, Firefox | ** (Touch ID / Face ID) | yes | N/A |
| macOS 12.2, Chrome | yes (password) | yes | N/A |
| Windows 11, Firefox | yes | yes | N/A |
| Windows 11, Brave/Chrome/Edge | yes | yes | N/A |

* You can use an external authenticator only if you do not have your phone itself registered as an authenticator (using the screen lock). During registration you have to hold the security key precisely against the NFC reader with the right timing (wait for the phone to vibrate twice), otherwise the registration fails.

** Using the built-in WebAuthn of macOS in Firefox and Safari is possible only if the device has Touch ID or Face ID.

*** You have to hold the security key against the top edge of your phone (aligned horizontally); sometimes it is also necessary to tilt the key towards the phone screen. Present the key once you are asked to use Touch ID. If you tap “use security key” first and then present the key, the registration will succeed, but the operating system dialog will not close automatically: watch for a change on the page behind it and, once the registration is complete, close the dialog by tapping next to it. Your device has to be NFC capable (iPhone 7 or newer).

**** The web browser must not run with restricted permissions (e.g. as a snap package), because then it is not allowed to access the simulated USB device created by tpm-fido.

Tested external authenticators

  • YubiKey Security Key
  • YubiKey 5
  • YubiKey Bio
  • GoTrust Idem Key

WebAuthn works with any authenticator which adheres to the standard, but we recommend using a certified FIDO2 device. In case of any problems with a specific device, please contact us.

Examples of multi-factor authentication settings by protection level

| Protection level | Recommended setup |
| --- | --- |
| Lower protection level | Download the Google Authenticator TOTP app and add one token. |
| Optimal protection level | Choose a TOTP app, register the device as WebAuthn, and save the one-time codes as a backup. |
| Higher protection level | Choose a TOTP app with encrypted backups and purchase two physical tokens for WebAuthn. Then print the backup codes and store them in a vault. |
