Two-factor authentication (2FA)

General information about 2FA

Do I need to enable 2FA?

You must enable 2FA if you use any of the following services:

If you do not use any of these services, you are not required to enable 2FA at this time. Please note that this list may be updated in the future.

How can I check if 2FA is activated on my account?

You can easily check if 2FA is active for your account:

  • When you log in to the SelfService portal, you will be prompted for a One-Time Password (OTP) if 2FA is enabled.

  • If you are already logged in, navigate to “My Account > Security > Configure 2FA”. If a token is listed, 2FA is enabled.

Why is 2FA enforced?

Enforcing 2FA is a crucial security measure to protect our systems and your account. Here’s why:

  • Cyberattacks are increasingly common. In early 2020, a major attack on European research institutions exploited leaked login credentials, highlighting the need for stronger security.

  • Even if your account doesn’t contain sensitive data, a compromised account can be used to disrupt services and harm other users.

  • 2FA adds a second layer of security. It requires you to provide both something you know (your password) and something you have (a token). This means that even if an attacker steals your password, they cannot access your account without your token.

What are tokens, OTPs, and seeds?

These are the core components of 2FA:

  • OTP (One-Time Password): A password that is valid for only one login session or transaction. The most common type is a Time-based One-Time Password (TOTP), which automatically regenerates every 30 seconds.

  • Token: A device or application that generates OTPs. This can be a dedicated hardware device, or an app on your smartphone.

  • Seed: A secret key shared between the token and the authentication server. The seed is used to generate the same sequence of OTPs on both your token and the server. It is critical to keep your seed secure, just like a password.

What kinds of tokens are available?

We offer two types of tokens:

  • Primary Tokens: You can have only one primary token at a time.

    • App Token: An application on your smartphone or tablet.

    • Hardware Token: A dedicated physical device.

  • Secondary Tokens (Backup): You can have multiple secondary tokens of different types. These are for backup purposes.

    • TAN List: A list of single-use passwords.

    • SMS: A code sent to your mobile phone (this method is being phased out and is not recommended).

Important: SMS tokens are less secure and should only be used as a backup if you cannot access your primary token.

When will I be asked for an OTP?

You will be prompted for an OTP in the following situations:

  • Logging into the SelfService Portal: If 2FA is enabled for your account, you will be asked for an OTP. You can find your OTP in the authenticator app on your phone. Look for an entry with your account name and a serial number starting with “TOTP…”.

  • Accessing SSH Servers: 2FA is mandatory for all SSH access. You will always be asked for an OTP, so you must have a token enrolled to access these systems.

What if I’ve lost my token?

If you have uninstalled your authenticator app or changed your phone, you will need to use the token recovery process to regain access to your account.

Activation of 2FA

How do I enable 2FA?

To enable 2FA on your account, follow these steps:

  1. Log in to the SelfService portal.

  2. Navigate to “My Account > Security” from the top menu.

  3. Select “Configure 2FA” and enter your password.

  4. Choose a primary token type to enroll.

  5. Validate your token by entering a valid OTP from it.

  6. (Optional) Choose a secondary token type for backup.

Important: You must validate your primary token to complete the 2FA setup. Without validation, you will not be able to use it for authentication.

How do I enroll and use an app token?

You can use any smartphone or tablet with a compatible OTP app. While tablets work, we recommend using a smartphone for convenience.

Important: OTP generation is time-sensitive. Ensure your device’s clock is set accurately. For information on using devices with a deliberate time offset, see “How to use 2FA on a phone with a time shift”.

To enroll an app token:

  1. Log in to the SelfService portal.

  2. Navigate to “My Account > Security” and select “Configure 2FA”. You will be prompted for your password.

  3. If you have an existing token, click “Replace existing or enroll additional token”.

  4. Click “App token”. (This option is only available if you do not have a hardware token).

  5. Open your OTP app and scan the QR code. You may need to tap a “+” icon to add a new token.

  6. If your app requires manual configuration, use these settings:

    • Type: TOTP

    • Algorithm: SHA-1

    • Timestep: 30 seconds

    • Digits: 6

  7. A new token entry will appear in your app, named with your username and a serial number starting with “TOTP”.

  8. The app will generate a new 6-digit OTP every 30 seconds.

  9. Activate your token: Click the validation button in the SelfService portal and enter the current OTP from your app. This step is mandatory.

Which authenticator app should I use?

You can use a wide variety of authenticator apps. We recommend open-source applications for transparency and security. While there are fewer open-source options for iOS, several excellent choices are available for Android.

You can also use popular closed-source apps like Google Authenticator, Microsoft Authenticator, or Authy if you prefer.

Here are some recommended open-source apps:

  • Aegis Authenticator (Android, source on GitHub): backup, encryption, authentication with fingerprint

  • andOTP (Android, source on GitHub): backup, encryption

  • FreeOTP+ (Android, source on GitHub): backup, encryption

  • PrivacyIDEA Authenticator (Android and iOS, source on GitHub): push tokens (not yet supported by us)

For Android users who prefer not to use the Google Play Store, most of these apps are also available on F-Droid, an alternative app repository for open-source software.

How do I register an existing hardware token?

If you already own a hardware token, you can register it with our services.

Important: We only support TOTP tokens (time-based, with OTPs changing every 30 or 60 seconds). HOTP tokens are not supported.

To register your token:

  1. Log in to the SelfService portal.

  2. Navigate to “My Account > Security” and select “Configure 2FA”.

  3. If you have an existing token, click “Replace existing or enroll additional token”.

  4. Click “Register token”.

  5. Enter your token’s details. All information must be exact, except for the serial number, which is for your reference.

  6. If you do not know your token’s seed, please contact your supplier.

  7. Submit the form and confirm the registration by entering a valid OTP from your token.

How do I enroll and use a secondary (backup) token?

To enroll a secondary token for backup purposes:

  1. Log in to the SelfService portal.

  2. Navigate to “My Account > Security” and select “Configure 2FA”.

  3. If you do not have a primary token, you must enroll one first.

  4. Click “Replace existing or enroll additional token”.

  5. Choose a secondary token type (e.g., TAN list, SMS).

Using SMS Tokens:

  • You will be prompted to provide your mobile number if we do not have it on file.

  • Once enrolled, you can request an SMS OTP from the SelfService login page if you do not have access to your primary token.

Using TAN Lists:

  • Store your TAN list in a secure location, such as a locked cabinet or an encrypted file.

  • Do not store your TAN list in a password manager, as this would compromise your security if your manager is breached.

  • Each TAN can be used once, in any order.

Why can’t I have an app token and a hardware token simultaneously?

This is due to a technical limitation and our security policy. Both app and hardware tokens are of the same type (“TOTP”), and our system permits only one token of each type to be active at a time. Therefore, you must choose between an app token or a hardware token as your primary 2FA method.

2FA Tips and Tricks

Do I have to type in an OTP every time I access the secured systems?

For the systems you access via SSH, you can configure a ControlMaster setup. This lets you type in your password and OTP only once a day: the first connection is kept open as a master connection for the day, and subsequent SSH sessions reuse it without asking for your credentials again.

Linux and MacOS

Please find an example of a ControlMaster setup for Linux and MacOS here.
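As an added example (the page’s own linked configuration is not reproduced here), the following ~/.ssh/config fragment for Linux and macOS sets up gate1.mpcdf.mpg.de as a ControlMaster and reaches raven.mpcdf.mpg.de through it with ProxyJump. The Host aliases, the USER placeholder and the 10-hour persistence are assumptions; adjust them to your account.

```sshconfig
# ~/.ssh/config (added example; USER and the Host aliases are placeholders)
Host gate1
    HostName gate1.mpcdf.mpg.de
    User USER
    # The first "ssh gate1" asks for password + OTP and becomes the master;
    # later sessions to this host reuse its socket instead of authenticating.
    ControlMaster auto
    # The socket must live on a local filesystem only you can write to
    # (never on NFS or another shared filesystem).
    ControlPath ~/.ssh/cm-%r@%h:%p
    # Keep the master open after the last session closes
    # (10 h is roughly one working day; the gateways reboot weekly anyway).
    ControlPersist 10h

Host raven
    HostName raven.mpcdf.mpg.de
    User USER
    # Hop through the gateway. The jump itself is an ssh connection to
    # "gate1", so it reuses the master above and triggers no second OTP
    # prompt. ProxyJump needs OpenSSH 7.3 or newer.
    ProxyJump gate1
```

Check whether a master is running with `ssh -O check gate1` and close it with `ssh -O exit gate1`. Because scp, sftp, rsync over ssh and vncviewer -via all go through the same ssh client configuration, they reuse the master as well. Anyone who can write to the ControlPath socket can use your authenticated session, so keep ~/.ssh at mode 0700. After the weekly gateway reboot the socket is stale; the next ssh simply authenticates again and starts a new master.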

Windows

Unlike on Linux and MacOS, the OpenSSH client on Windows doesn’t support ControlMaster setups. You’ll need to use one of the graphical clients to avoid having to retype your password and OTP. Two examples are given in the following.

PuTTY

To avoid retyping your credentials with PuTTY, you can configure connection sharing. For detailed instructions on using PuTTY, please refer to the official user manual or our step-by-step guide.

Connecting via a Gateway:

  1. Create a new session for the gateway machine (e.g., gate1.mpcdf.mpg.de).

  2. Save the session with a descriptive name (e.g., raven.mpcdf.mpg.de).

  3. Load the session and go to “Connection > SSH > Tunnels”.

  4. Enter 22 as the “Source port”.

  5. Enter the destination hostname and port (e.g., raven.mpcdf.mpg.de:22) as the “Destination”.

  6. Click “Add”.

  7. Return to the “Session” settings, and save the session again.

  8. Click “Open” to connect.

Enabling Connection Sharing:

  1. Go to “Connection > SSH”.

  2. Enable the “Share SSH connections if possible” option.

  3. As long as the initial SSH session is active, new PuTTY windows will reuse the connection without requiring you to re-enter your credentials.

MobaXterm

For guidance on using MobaXterm, refer to the official documentation.

To enable 2FA support in MobaXterm:

  1. Go to “Settings > SSH”.

  2. Check the “Use 2-factor authentication for SSH gateways” box.

To configure a session for connecting via a gateway:

  1. Create a new session by clicking “Session > SSH”.

  2. Enter the remote hostname (e.g., raven.mpcdf.mpg.de) and your username.

  3. Go to the “Network settings” tab and select “SSH gateway (jump host)”.

  4. Enter the gateway hostname (e.g., gate1.mpcdf.mpg.de) and your username.

  5. Click “OK”. You will be prompted for your password and OTP.

MobaXterm automatically reuses connections, so you will not need to enter your OTP again for subsequent connections.

Weekly Reboots

For security reasons, our SSH gateway machines are rebooted weekly. This action terminates any long-standing SSH tunnels.

2FA Troubleshooting

What should I do if I need to factory-reset my phone?

Before factory-resetting your phone, ensure you have a secondary token enrolled. If you don’t, please enroll one first.

After the reset, you can re-enroll your app token:

  1. Log in to the SelfService portal using your secondary token.

  2. Navigate to “My Account > Security > Configure 2FA > Replace existing or enroll additional token”.

  3. Click “App token” to create a new token.

  4. Scan the QR code with the authenticator app on your newly reset phone.

  5. Validate the new token by entering a valid OTP.

This process will replace your old token with the new one.

Alternatively, some authenticator apps (like Aegis Authenticator) support backup and restore. You can back up your tokens before resetting your phone and restore them afterward. Be sure to save the backup file to an external location (e.g., an SD card or cloud storage), and use the app’s encrypted backup option: the backup contains your token seed, which must be protected like a password.

How do I transfer my token to a new phone?

To transfer your token to a new phone, you will need access to your old phone or a secondary token.

  1. Log in to the SelfService portal using your old phone’s token or a secondary token.

  2. Navigate to “My Account > Security > Configure 2FA > Replace existing or enroll additional token”.

  3. Click “App token” to create a new token.

  4. Scan the QR code with the authenticator app on your new phone.

  5. Validate the new token by entering a valid OTP.

This will replace your old token with the new one. You can then safely delete the token from your old phone.

Alternatively, some authenticator apps (like Aegis Authenticator) support backup and restore. You can create an encrypted backup on your old phone, transfer it to your new phone, and restore it in the app. Treat the backup file like a password, since it contains your token seed, and delete it once the restore has succeeded.

What if I can’t validate my token (“Wrong OTP” error)?

If you receive a “Wrong OTP” error during token validation, please try the following:

  • Check the code: Ensure you are entering the 6-digit code displayed by your authenticator app. Some apps require you to tap the entry to reveal the code.

  • Enter the current code: OTPs are time-sensitive. Enter the code while it is still active.

  • Check your device’s clock: The OTP algorithm relies on an accurate clock. Make sure your device’s time is correct.

  • Try a different device: If possible, try setting up the token on a different device.

  • Contact support: If you still can’t validate your token, please contact support. 2FA will not be enabled on your account until you have an active token.

I can’t log in to the SelfService anymore

Troubleshooting a Rejected Password

  • Check other services: Try logging in to other MPCDF services to verify your password.

  • Wait and retry: If you have made several failed attempts, your account may be temporarily locked. Wait 10 minutes and try again.

  • Contact support: If you still cannot log in, your account may be suspended or your password may have expired. Please contact support.

Troubleshooting a Rejected OTP (“Wrong OTP”)

  • Check the code and timing: Ensure you are entering the correct 6-digit code while it is still active.

  • Verify the token: Make sure you are using the correct token from your authenticator app. The token’s serial number in the app should match the one listed in the SelfService portal under “My Account > Security > Configure 2FA”.

  • Check your device’s clock: Ensure your device’s time is accurate.

  • Resync your token: You can try to resynchronize your token by clicking “Resync token” in the SelfService portal.

  • Use a backup token: If you have a backup token enrolled, try using it to log in.

  • Contact support: If you are still unable to log in, please contact support from your registered email address.

What to Do If You Lose Your Token

  • Use the “Lost Token” option: In the SelfService portal, click “Lost Token” to receive a one-time password via SMS (if you have an SMS token enrolled).

  • If you don’t have a backup token: You can either initiate the authorization process with the person responsible for your account, or contact support from your registered email address. To verify your identity, the email needs to be signed with a personal S/MIME certificate.

  • Hardware token loss: If you have lost a hardware token, please notify support immediately so we can disable it.

What if I can’t log in to a gate machine via SSH?

If you are having trouble logging in to a gate machine via SSH, try these steps:

  • Simplify your connection: Attempt to log in without any extra local configuration.

  • Verify your password: Try logging in to another MPCDF service to confirm your password is correct.

  • Check token activation: Ensure you have an active 2FA token by logging in to the SelfService portal. You should be prompted for an OTP.

  • Isolate the issue: Try logging in to a different gate machine or the SelfService portal to determine if the problem is with a specific machine.

  • Troubleshoot the OTP: If you suspect the OTP is being rejected, follow the steps in the Troubleshooting a Rejected OTP section.

Why can’t I access HPC clusters via VNC?

When using vncviewer with the -via option to connect to an HPC machine through a gate machine, you must provide an OTP. Ensure you have enrolled a 2FA token by following the instructions in “How do I enable 2FA?”.

To avoid entering an OTP for each connection, you can configure a ControlMaster setup as described in our tips and tricks section.

Hardware and Client Support

How can I use GUI tools (sshfs, rsync, scp, sftp) with 2FA?

While some GUI applications support 2FA natively, many do not.

Applications that support 2FA:

Applications that do not support 2FA:

  • KDE Dolphin

  • Gnome Nautilus

If your client does not support 2FA, you have three options:

  1. Use a client that supports 2FA.

  2. Use MPCDF DataShare for your data.

  3. Create an SSH tunnel and forward the remote port to your local machine. For example:

    ssh -L 2002:raven.mpcdf.mpg.de:22 USER@gate1.mpcdf.mpg.de
    

    You can then connect to sftp://USER@localhost:2002/u/USER.

How can I use FileZilla with 2FA?

In FileZilla, set the “Logon Type” to “Interactive”. You will be prompted for your password and OTP. We also recommend enabling “Limit number of simultaneous connections” under “Transfer Settings” and setting it to 1.

How do I use 2FA on a phone with a custom time shift?

Our system can accommodate phones with a deliberate time offset (this is different from a time zone shift, which requires no special configuration). During token validation, you will have the option to synchronize your token. You will be prompted to enter two consecutive OTPs to complete the synchronization.
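To make the time-shift handling concrete, here is an added example (not the SelfService portal’s code) that implements TOTP exactly as the manual app settings earlier on this page specify (SHA-1, 30-second timestep, 6 digits), a server-side check with a small clock-drift window, and a resynchronization that derives a token’s clock offset from two consecutive OTPs. The seed is the RFC 4226/6238 reference value; the window size, the search range and the resync logic are assumptions about how such a portal might behave, not a description of this one.

```python
"""TOTP per the manual app settings on this page (TOTP, SHA-1, 30 s, 6 digits),
plus a drift-tolerant verifier and a resync from two consecutive OTPs.
Added example, not the SelfService portal's code. Window size, search range
and resync logic are assumptions."""
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890"), shown
# base32-encoded the way a manual app setup would present it.
SEED_B32 = base64.b32encode(b"12345678901234567890").decode()

TIMESTEP = 30   # seconds, as in the manual configuration settings
DIGITS = 6


def decode_seed(seed_b32: str) -> bytes:
    """Base32 seed from the QR code / manual setup -> raw key bytes."""
    s = seed_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)          # restore padding some apps strip
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = TIMESTEP) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step)


def verify(key: bytes, otp: str, unix_time: int, window: int = 1,
           offset_steps: int = 0) -> bool:
    """Server-side check. `window` steps either side absorb small clock
    drift (one step here, an assumption); `offset_steps` is a per-token
    correction learned by resync(). The comparison is constant-time."""
    counter = unix_time // TIMESTEP + offset_steps
    given = otp.strip().encode()
    return any(hmac.compare_digest(hotp(key, counter + d).encode(), given)
               for d in range(-window, window + 1))


def resync(key: bytes, otp1: str, otp2: str, unix_time: int,
           max_offset: int = 2880) -> Optional[int]:
    """Derive a token's time offset (in steps) from two consecutive OTPs.
    Search range +/- 24 h is an assumption. Demanding two codes that match
    adjacent counters keeps a wide search from being a wide acceptance
    window for a single guessed code."""
    base = unix_time // TIMESTEP
    o1, o2 = otp1.strip(), otp2.strip()
    for off in range(-max_offset, max_offset + 1):
        if hotp(key, base + off) == o1 and hotp(key, base + off + 1) == o2:
            return off
    return None


def demo(t: int = 1111111109, phone_ahead_s: int = 300) -> dict:
    """Walk through the scenarios with the reference seed: a phone whose
    clock is `phone_ahead_s` seconds fast is rejected by the plain check,
    resynced from two consecutive codes, and then accepted."""
    key = decode_seed(SEED_B32)
    phone = t + phone_ahead_s
    off = resync(key, totp(key, phone), totp(key, phone + TIMESTEP), t)
    return {
        "otp_now": totp(key, t),
        "accept_in_sync": verify(key, totp(key, t), t),
        "accept_one_step_behind": verify(key, totp(key, t - TIMESTEP), t),
        "accept_drifted": verify(key, totp(key, phone), t),
        "offset_steps": off,
        "accept_after_resync": verify(key, totp(key, phone), t,
                                      offset_steps=off or 0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The reference seed reproduces the published RFC 6238 vectors (for example, time 59 gives 287082 with 6 digits), which is a quick way to confirm a new implementation before pointing it at real tokens. A phone that is 5 minutes fast fails the one-step window (the “Wrong OTP” case above), but two consecutive codes pin the offset to exactly 10 steps, after which the same code is accepted.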

Do you support FIDO2, U2F, or YubiKeys?

You can use a YubiKey (NEO, 4, 5, and FIPS series) by enrolling it as an app token with the Yubico Authenticator app. The app will generate an OTP when the YubiKey is touched or tapped.

We are exploring support for other FIDO/U2F mechanisms, but there is no implementation date at this time.

Security

How are token seeds secured on the server?

Token seeds are stored in an AES-encrypted database. Access to this database is strictly limited to system administrators, who must use a separate 2FA system and dedicated administrator accounts. In the event of a database leak, the seeds would remain encrypted and unreadable as long as the encryption key is not leaked together with the database.

Who provides the hardware tokens, and do they know the seeds?

We source our hardware tokens directly from the manufacturer, Feitian Technologies. We generate a unique seed for each token and program it ourselves via NFC. The vendor does not have access to the seeds.