Account and password information
The IT services of the university can be used free of charge for teaching, research and study. However, a user permit/ an account with the corresponding access data is required.
The access data for your personal account may not be passed on to third parties and the services may only be used by you personally (for exceptions see Disclosure of user data). By using the services, you accept the usage and operating regulations of the central IT service (zid).
Content
- FAQs
- I have forgotten my password, what to do?
- I have problems with my password.
- How can I change my password?
- I cannot access my second factor.
- I lost my cell phone with the authenticator app.
- How can I set up 2FA on my new phone?
- The 2FA login with the app does not work. What can I do?
- I have set up the Windows Hello PIN on my device and now I cannot add a security key.
- We have a shared account. What do we need to consider when setting up a second factor?
- I don't want to or cannot install the Authenticator app.
- Can I install an authenticator app on my desktop computer or my notebook?
- How can I get a security key?
- I scanned the QR code with my iPhone camera and can no longer find the token.
Accounts for employees and external lecturers
For employees who are part of the permanent staff, a personal use permit for an account is requested as part of the staffing procedure. No separate application needs to be submitted.
For all other purposes, you may complete and submit application forms online (authorized personnel only).
Applications for accounts can be submitted for the following group of persons:
- Employees of the University of Innsbruck
- Apprentices
- External lecturers
- External lecturers who only use the learning management system OpenOlat
External institutions, which are not university organizational units, but are strongly connected with the university, can also use services of the zid under certain conditions. The heads of these institutions should contact the head of the zid (Tel. 0512 507-23003).
Employees who are already actively studying will receive an employee account as their primary account (for longer-term employment). This primary account can be used for all services. The student account (CXXXNNN) remains active as a secondary account as long as the employee is actively studying.
Upon termination of employment, the student account will be reactivated for LFU:online and other services. If this does not happen automatically, please contact zid-benutzerverwaltung@uibk.ac.at.
Function accounts
For functions (e.g. institute email address, projects), it is advisable not to link authorizations directly to a person's personal account, but to create separate function accounts. These accounts are separate from the personal accounts, but the person for whom the request is made is responsible for the functional account.
Function accounts can be used by more than one person. The person responsible for the function account should change the password regularly (at the latest when a person should no longer have access).
For information on two-factor authentication for shared function accounts, see the FAQs.
Delivery of the account login data
The login data for the account will be delivered to your department or to your private address. If you have not received aa account, please contact zid-benutzerverwaltung@uibk.ac.at.
The login data for function accounts are sent to the personal university e-mail address of the person responsible.
Expiry of the account
As a rule, personal accounts are valid until the end of the person's employment, function accounts are valid for two years from the date of permit.
In order to simplify the administration and to provide the heads of the organizational units with a more precise overview, the zid sends out a collective application ("Sammelantrag") once a year. All valid function accounts are recorded on the collective application and shall be transmitted to the zid for further renewal or deregistration.
If an account is provided for expiration, the zid gives the affected users deadline to secure data. To inform users about the imminent expiry of their account, the zid sends two or, for personal accounts, three expiry warnings by e-mail.
After the account has expired, the data (e-mails, documents) are retained for one year, after which they are deleted.
Rules for expiration of accounts after termination of employment
Employees will receive a notification via e-mail one month after the termination of the employment, stating the exact date of the expiration of the account. The deadline is seven months after the end of the employment for permanent staff and external lecturers. It is not possible to extend the use permit for the account beyond the stated date.
Emeritus university professors and retired academic staff may continue to use the personal account and apply for an extension after five years.
For personal accounts, an automatic reply email will be sent for one year from the time the account has expired, stating that the email address no longer exists. Staff members have the option of entering a reference to an alternative mail address there. This can either be another personal email address or a reference to an institute address.
In the information mail about the expiration of the account, a link for activating this function is provided.
https://lfuonline.uibk.ac.at/public/pvs_public.mail_fwd
This link is only available in the period between the sending of the first expiration warning and the expiration of the account. The activation of the automatic reply will take place when the account is expired. Mail forwarding to other mail addresses is not possible after the account has expired.
If the employment is renewed, the period of use of the account can be extended or reactivated either via the entry workflow or via the application form.
If the employment takes place within the expiration period, a corresponding notification for the extension of the use permit is usually sent, a separate application is then not necessary.
Accounts for students
Students receive the account for the IT services of the zid together with the admission data. The document contains the user ID (= username, "Benutzerkennung", "Benutzername"), the initial password and the official e-mail address (e.g. First_name.Surname@student.uibk.ac.at).
If you have any questions or problems with the account, please contact zid-benutzerverwaltung@uibk.ac.at.
Communications with university institutions
Important personal messages from the university (e.g. appointments, notifications of exam results, etc.) will be sent to your mail address. You can read the mails via webmail for students, in a mail client or in the university app.
Expiry of the account
The account expires at the end of the admission to studies. Admission to studies expires if no continuation notification is made.
After the end of the admission period (October 31 for the winter semester or March 31 for the summer semester, plus a processing period), a check is made to determine which students are no longer admitted. Students who are no longer admitted will receive an expiration warning by e-mail to the university e-mail address at least 10 days before expiration with the exact expiration date. On this date, the account will be automatically deactivated, an extension beyond this date is not possible.
Access to LFU:online remains active even after the account has expired. You can still log in with your ID and the corresponding password and retrieve your examination data, etc.
If you are admitted to the program again, the account will be reactivated in the course of the admission procedure in the Admissions Office. In this case, the ID, initial password and e-mail address remain unchanged. The password will be reset to the original initial password during reactivation. If this automatic reactivation has not taken place, please contact zid-benutzerverwaltung@uibk.ac.at.
Further information
Accounts for external users
Study applicants and users of the career portal can register an account on LFU:online independently.
These accounts use a private e-mail address as the user name and can only be used for the LFU:online and VIS:online services.
Information on the LFU:online access data can be found on the LFU:online login page.
If you have problems with external accounts, please use the support form for LFU:online.
Password
If you wish to change your password, log in to the University's Account Portal and follow the steps provided there.
The password is used to authenticate users on the university's systems. It is permanently assigned to your ID. You can find it in the use permit sent to you (for members of the institute) or you received it with your admission documents when you were admitted to the study program (for students).
The password is valid for the services offered by the zid. A few examples:
- PC registration
- VIS:online
- LFU:online
- OpenOlat
Secure handling of passwords
Your password protects your access to IT services of the zid. A suitable password protects your account from being misused by others. You are responsible for actions taken from your account, even if someone else has misused your access data.
Choosing a suitable passwort
You will receive an initial password from zid. Change this as soon as possible and replace it with a suitable password of your own.
Please note the following requirements for a suitable password
The password must have at least eight characters; umlauts (ä, ö, and ü) must not be used.
It must contain at least one uppercase letter, ideally not at the beginning of the password
It must contain at least one digit
We also recommend the use of special characters; suitable are dot, comma, semicolon, question mark, exclamation mark, minus, underscore; special characters must not be used at the beginning of the password.
A simple method to create a secure password: think of a sentence and construct the password from it. An example is the sentence "This is a secure password, right?".
This results in the following password:
Ti1sPw,r?
The password becomes even more secure if you change the case of singular letters or take several letters from one word (without making it difficult for you to remember), for example:
Tis1siPW,r?
Password safekeeping
Ideally, choose a password that you can remember and don't have to write down. If you are unsure if you can remember the password, write it down, but store it in a way that is not accessible to anyone else. A common mistake is to have the password written down on a piece of paper that is attached on the computer, monitor or under the keyboard.
So-called password managers are helpful with the secure handling of passwords.
A platform-independent, free password manager is KeePassXC.
Administrator password
Note that there is also an "Administrator" user on your PC. A secure password must also be selected for this user. If you have questions about this or problems with your administrator user, please contact the technical support of your institute.
Entering the password
Make sure no one is watching you when you enter your password. If you are unsure whether someone has seen the password, set a new one immediately.
Disclosure of user data
The password of a personal account may only be known to the owner of the ID in order to avoid misuse.
Passing on the password to third parties violates the zid's user regulations.
Function-related user authorizations are an exception. You can find more information about this under Function accounts.
External private accounts
Nowadays there are many web services for which you need an account.
For these web services you should in any case use a different password than for the services of the zid: This password is transmitted over unknown and thus potentially untrusted networks. If possible, you should use a separate password for each of these services.
Modern browsers also offer the possibility to save the passwords for you, so you don't have to remember them. However, the passwords are now stored under your account in the browser profile. If someone gains access to your account, it is easy to learn these passwords. Therefore, if you use this feature of the web browser, you should pay special attention to the security of your account and assign a master password for the browser password safe.
A platform-independent, free password manager is KeePassXC.
More links on the topic
- "Have I been pwned?" Email - Check if your email or phone has been affected by a data breach.
- "Have I been pwned?" Passwords - Check if your password has been exposed in a data breach.
- Firefox Monitor - Check if your personal data has been compromised.
Two-factor authentication
With two-factor authentication, a second factor in the form of a number or a Security Key is requested in addition to the usual password when logging in. Only if both factors are entered correctly, the login can be performed successfully. The combination of a password (something you know) and a second factor (something you own) therefore provides better protection against unauthorized access to the account.
Various methods are available for authentication with a second factor. The zid recommends setting up at least 2 methods. If a second factor is lost, it is still possible to log in with another second factor.
Once you have set up one or more second factors, you can use them to log in to university services in the future. You do NOT have to set up a second factor before each login.
Getting started - How do I set up two-factor authentication?
To set up a second factor for logging into university services, the first thing you need to do is set up an authenticator app and/or a Security Key, Windows Hello or iCloud Keychain. Then, in a second step, these must then be connected to your Uni account via the Account Portal.
Here you will find step-by-step instructions on how to set up two-factor authentication.
Open the Account Portal and follow the instructions there to start directly.
Authenticator App - Android and iOS
An authenticator app generates one-time passwords that you must enter as a second factor after logging in with your password. The method used at the university is called TOTP, which stands for time-based one-time password.
If you use multiple accounts (see function accounts), you can use the same authenticator app for all of them. You just need to link the authenticator app to the corresponding account in the Account Portal.
We recommend the privacyIDEA Authenticator (netKnights GmbH) because<
- it is a Free Open Source Software (FOSS) and therefore the source code is public.
- the university has a contract with the manufacturer.
- the business model is not based on the display of advertisment or the sale of data.
- it is easy to use.
- the app is identical for Android and iOS.
In principle, you can use any authenticator app that supports the TOTP standard. Please note, however, that it is not possible for the zid to provide a detailed analysis of the large number of authenticator apps available on the market. In particular because no real control over the software is possible and not the same amount of know-how can be built up for all applications.
Here you will find step-by-step instructions on how to set up the authenticator app.
Security Key, Windows Hello, iCloud Keychain
A security key is a special piece of hardware (USB stick) that can be used as a second factor. It is also possible to query the second factor via a security chip that is installed in the computer or cell phone. The names for this technology vary depending on the manufacturer. For Windows systems, for example, there is the Windows Hello PIN, for Apple systems the iCloud Keychain.
Please note: if you activate the built-in security chip as a second factor on the device at your workplace, you cannot use it to log in to your home office, as this second factor is linked to the device at your workplace. Please also use an authenticator app or a security key.
Security Key
A Security Key is special hardware that can be used as a second factor. Please make sure that the product supports the FIDO2 standard. At zid, successful tests have been made with the NitroKey FIDO2 and the Security Key product line from Yubico. The Security Key connects to a USB input on your device and typically has an actuation mechanism, such as touching a contact surface.
If you use multiple accounts (see function accounts), you can use the same Security Key for all of them. You just need to link the Security Key to the corresponding account in the Account Portal.
Here you will find step-by-step instructions on how to set up the Security Key.
Please note: if you have already set up the Windows Hello PIN on your device, you will need to cancel its entry to set up the security key.
You should always have the security key with you, and attach it to your keychain, for example.
You can find out how to obtain a security key from the university in our FAQs.
Windows Hello
To use the security chip on Windows devices as a second factor you first need to set up the Windows Hello PIN. Attention: this factor then only applies to the device on which the security chip has been set up.
Here you will find step-by-step instructions on how to set up Windows Hello.
iCloud Keychain
To use the security chip as a second factor on Apple devices, you must first set up the Apple ID. This variant currently only works with Safari on macOS. Chrome and Firefox are not supported.
Here you will find step-by-step instructions on how to set up the iCloud Keychain.
Security chip - GNU/Linux
GNU/Linux currently lacks an implementation of a FIDO2 platform authenticator, so the TPM chips built into common hardware cannot be used as a second factor. As a result, you can currently only use an authenticator app (TOTP) or a FIDO2 roaming authenticator (e.g. dedicated Security Key) under GNU/Linux.
Passwort Manager
Many password managers offer the option of generating tokens for two-factor authentication (TOTP support). This token can be used to log in to the university's services. If you already use a password manager, please find out whether it enables two-factor authentication. Two password managers that offer this function are presented below.
With two-factor authentication using a password manager, Pass the second factor (something you own) is mapped via access to the password manager. The second factor should therefore be stored independently of the first (the password).
Proton Pass
Proton Pass is a service where the access data is stored in encrypted form on the provider's system. This means that you don't have to worry about ensuring that your access data is available everywhere and doesn't get lost.
We recommend Proton Pass because
- private use is free of charge (including 2FA functionality).
- the access data is automatically synchronized between devices (wherever the app or browser add-on is installed)
- the company specializes in secure communication.
- the source code of the clients and web applications is public.
- The company and server location is in Europe and therefore European data protection standards apply.
Here you will find step-by-step instructions on how to set up Proton Pass.
KeePassXC
KeePassXC is an offline password manager that supports two-factor authentication. The application stores access data in an encrypted file on the local hard disk.
ATTENTION: With KeePassXC, you must keep your password file safe yourself and ensure that you have it available on every device you want to use to log in to the university's services.
Installation and use is described in the article Password management.
Single Sign On (SSO)
SSO enables the use of various web applications of the University of Innsbruck and other providers via the Austrian academic federation ACOnet Identity Federation, as well as the global academic federation eduGAIN after a single sign on.
Once you have logged in, you can use all services on the same device in the same browser without having to log in again (the exception here is the Account Portal). The system does not require you to log in again until after 8 hours.
Login and Logout
When logging in, you enter your identifier and password that you received from the university and, if necessary, a mandatory factor.
To make sure that you are logged out from all websites using WebSSO of the University of Innsbruck, please close your browser.
Log in with another account
If you want to log in with another account (e.g. function accounts), you have the following options:
- use the private mode of your web browser (Mozilla Firefox; Google Chrome; Microsoft Edge; Internet Explorer).
- use Multi-Account Containers for Firefox.
- disable automatic Windows Desktop login in the login settings.
Log in on foreign devices
Please enter your credentials only on trusted devices!
If you log in on a foreign device, we recommend using the private mode of your web browser (Mozilla Firefox; Google Chrome; Microsoft Edge; Internet Explorer). Close the browser windows to log out.
Windows Login (Integrated Windows Authentication)
This method allows you to automatically log in to WebSSO as soon as you are logged in to your Windows workstation PC.
If you always want to be logged in automatically, select the "Always use Windows Login" option. You can change this option via your settings.
This method works for PCs that are logged in to the Windows domain of the University of Innsbruck.
Furthermore, your web browser must be configured for Windows Login of the University of Innsbruck. This is the case by default for workstation PCs for Microsoft Internet Explorer as well as Google Chrome. For Mozilla Firefox the WebSSO server (idp.uibk.ac.at) must be entered:
- Enter about:config in the address bar.
- On the configuration page, search for negotiate.
- You should now see the option network.negotiate-auth.trusted-uris. Click on it. A dialog will open. Enter idp.uibk.ac.at here and confirm.
FAQs
I have forgotten my password, what should I do?
First of all, please make sure that you have entered the ID and password correctly and that the Caps Lock is deactivated.
Please contact the zid-Benutzerverwaltung@uibk.ac.at. For security reasons, you will be asked to confirm your identity. Therefore, please have a document ready that verifies your identity.
I have problems with my password.
If you are able to log in to some services (e.g. web mail) but not others (e.g. LSA, VPN access, wiki login, etc.), you can synchronize your password in the Account Portal.
You can also change your password via the account portal.
You can change your password via the account portal.
In addition to your user ID and the old access password, the new password must be entered twice. We recommend to use upper and lower case in the password and at least one digit or special character (see also Choosing a suitable password).
If you use network drives (e.g. the home directory I:, in general: network file systems), you must log out of your computer and log in again after changing the password.
If you use an external account (user name is your private e-mail address), you can reset your password to LFU:online yourself.
I cannot access my Second Factor.
If you have set up several two-factor authentication methods, please use the one that is still available to you.
If you do not have another second factor, please contact the zid Service Desk.
To ensure that you retain access to your account and resources even if you lose or forget your current device, we strongly recommend setting up additional factors. By having multiple second factors, you minimize the risk of access issues and ensure reliable and flexible authentication.
Please note that when setting up additional security keyss, you should ensure that they support the FIDO2 standard to ensure the highest possible security. Contact the zid Service Desk if you have any questions or need assistance.
I lost my cell phone with the Authenticator app.
It is important to report the loss or absence of the Second Factor immediately to minimize potential security risks and restore access to your digital services. Do not hesitate to contact the zid Service Desk for assistance.
How can I set up 2FA on my new phone?
Download the Authenticator app on your new cell phone and link the app to your account in the Account Portal. Please note that you still need your old cell phone with the corresponding app to log in to the Account Portal with 2FA. (If you have set up a security key, Windows Hello pin or Apple ID, you can also use these to log in).
If you no longer have access to your old cell phone, this should be treated like a lost token. Contact the zid Service Desk.
The 2FA login with the app does not work. What can I do?
Possible sources of error
TOTP in the app and the login window do not match.
A TOTP code should be displayed both in your app and in your university login window. This is the "name" of your password, so to speak (6-digit code). The "name" of the token must match in the app and in the university login window. If this is not the case, something went wrong when setting up the app/token, or you have accidentally deleted the token in the app. Please log in with a different authentication method and link the app again in your account portal. If you do not have another authentication method, please contact the zid Service Desk.
The time and date on the cell phone are not set correctly.
The app uses the so-called TOTP method for two-factor authentication. TOTP stands for Time-based one-time password. The procedure generates a one-time password (OTP) using the current time as the source of uniqueness. Therefore, please ensure that the time and date on your cell phone are set to "automatic". This means that the time and date are regularly synchronized with the Internet down to the second.
Code has already expired
The 6-digit code displayed in the app is only valid for 30 seconds. Please ensure that you always use the current code to log in.
I have set up the Windows Hello PIN on my device and now I cannot add a security key.
If you have set up the Windows Hello PIN on your device and are now having trouble adding a security key, please follow the steps below:
- If the Windows Hello PIN setup started before you could add a security key, cancel the setup.
- After canceling the Windows Hello PIN setup, you can now add a security key.
We have a shared function account. What do we need to consider when setting up a second factor?
Please note that account sharing is only allowed for function accounts. See also Disclosure of user data.
We recommend generating separate 2FA tokens for the function account for each person with access rights. Ideally, the tokens are created together in a personal appointment. The person responsible for the account logs on to a device in the account portal with the user data of the function account. All persons involved can then create a second factor there with their own Authenticator app or their own security key. To be able to assign the factors better, it is recommended to note the name of the associated person in the token description. Each person can then log in to the function account in the future with the user data of the function account + their own second factor.
I don't want to or can't install the Authenticator app.
You don't have to install the app we recommend. You can also use another app that supports the TOTP standard.
For Android devices, we have had good experiences with Aegis, for example. On iOS, the operating system's password manager also supports TOTP and can therefore be used. We ask for your understanding that the Service Desk can only provide support in case of problems with the app we recommend.
To generate the login codes, the app does not need any permissions (Internet access, address book access, access to files on the device, ...), apart from camera access to scan the QR code. A critical look at the permissions desired by the respective can help in choosing a trustworthy app.
During setup, only a so-called secret is exchanged via the QR code. An authenticator app can use this secret and an algorithm to generate one-time passwords. Thus, no personal or sensitive data is exchanged.
Can I install an authenticator app on my desktop computer or my notebook?
The second factor should represent physical possession. We therefore recommend generating the login codes on a mobile device that you usually carry with you.
For special use cases, it may be useful to (also) install an authenticator app on a desktop computer/notebook. We recommend the following solutions for the different operating systems.
- Many password managers supported the generation of login codes (TOTP) on different operating systems. We have created a guide for KeePassXC.
- The password manager integrated in macOS supports TOTP, but on this platform we recommend to use the Security Chip.
- On GNU/Linux we recommend GNOME Authenticator.
- On systems with Microsoft Windows, 2fast can be obtained from the Microsoft Store. If possible, we recommend to use Windows Hello though.
(This list is to be understood as a recommendation. Unfortunately, the zid cannot provide specialized support for these applications).
The Central IT Service (zid) provides a hardware security key for two-factor authentication to every employee of the university on request. The Security Key NFC model from the manufacturer Yubico is currently being issued.
Employees who cannot or do not want to install an authenticator app for two-factor authentication (e.g. because they do not have a cell phone) can obtain a security key from the responsible technical support team and use this USB hardware as a second factor (something they physically possess).
In principle, one security key is issued per employee - this can be used for both personal and functional accounts. In the event of loss or damage, we reserve the right to demand reimbursement of costs for a further issue.
The Central IT Service (zid) issues security keys to students at cost price (cash only!). Until further notice, the sales windows are every Tuesday from 10:00 to 12:00 and every Thursday from 14:00 to 16:00. The distribution point is the zid office on the Campus Technik. (Technikerstraße 23, 1st floor)
I scanned the QR code with my iPhone camera and can no longer find the token.
It is generally recommended to scan the QR code with/via an authenticator app, not via the cell phone camera app.
The token scanned on an iPhone using the cell phone camera app can be found in the settings under Passwords. The corresponding token is marked with the university logo.
Service Desk / Service-Hotline
(0512) 507-23999 (Montag - Freitag, 08.00 bis 16.00 Uhr)
E-Mail: zid-Service@uibk.ac.at