This manual is for all users that want to register a token for SURFsecureID.

Users can select an authentication token via a Registration Portal. The following tokens are available:

  • SMS
  • Tiqr
  • YubiKey
  • Azure MFA
  • FIDO2


0. Log in

  • Open an internet browser
  • Visit https://sa.surfsecureid.nl
  • Select your institution; you will be redirected to the login page of your institution.
  • Log in with your username/password


1. Select token

Select one of the following tokens. Then read on at step 2, link token.

Your setting determines which tokens you are allowed to register, so you may not see all the tokens.


2. Link token

(Scroll down for Tiqr, YubiKey, Azure MFA or FIDO2)

SMS

You will need:

  • A mobile phone (work or private) that can receive SMS text messages.

Please note:

  • Your phone is private, do not share your phone with others.
  • Never leave your phone unattended.
  • Lock your phone, e.g. with a code or fingerprint

  • Please ensure your mobile phone has a signal and can receive text messages
  • Enter your mobile phone number
  • Click 'Send code'


  • Enter the code that was sent to your mobile phone and click 'Verify'
  • Click 'Send new code' if you did not receive a code
  • Please continue reading at 3 (Confirm e-mail)




tiqr

You will need:

  • An iOS or Android mobile phone (work or private)
  • For iOS: enable push-notifications

Please note:

  • Your phone is private, do not share your phone with others.
  • Never leave your phone unattended.
  • Lock your phone, e.g. with a code or fingerprint

  • Please make sure you've installed the tiqr app on your mobile phone. You can install the tiqr app for iOS or Android with one of these links:

    You can also search the app store for the tiqr app. Make sure you install the tiqr app published by SURF.

  • Open the tiqr app on your phone
  • Scan the QR code with the tiqr app
  • Confirm account activation and press 'OK' in your mobile tiqr app
  • Choose a unique PIN for tiqr
  • Please remember this PIN, it cannot be changed later!
  • Please continue reading at 3 (Confirm e-mail)




YubiKey

You will need:

  • A YubiKey (Standard, Neo, Edge or 4)

Handle your YubiKey with care

  • Your YubiKey token is private, do not share your YubiKey with others.
  • Never leave your YubiKey unattended; keep your YubiKey separated from your computer

  • Insert your YubiKey in the USB port of your computer/laptop with the button facing forward/upward
  • Please ensure that the input field has focus
  • Press and hold the button on your YubiKey
  • A One Time Password will be entered in the field below automatically
  • Please continue reading at 3 (Confirm e-mail)




Azure MFA

You will need:

  • An Azure MFA token you've already registered for your institution
  • You can check this by going to this page from Microsoft and logging in with your institution account
  • For SURFsecureID, it does not matter which Azure MFA method you use. The most used is the MS Authenticator app for your mobile phone. 

Handle your Azure MFA token with care

  • Most Azure MFA methods use your phone. Your phone is private, do not share it with others.
  • Never leave your phone unattended; keep your phone separated from your computer
  • When you click "Register your Azure MFA token", you will be asked to log in at your institution.
  • After logging in with your username/password, you will also be asked to use your Azure MFA token

If you were already logged into your institution in this browser session, this step could be automatically skipped. You will experience single sign-on.

  • Please continue reading at 3 (Confirm e-mail)




FIDO2

You will need:

  • You need a FIDO2 token and a recent browser.
  • Not all FIDO2 tokens are supported by SURFsecureID. Look here for an overview of supported FIDO2 tokens.
  • Contact your institution to obtain a FIDO2 token, or order one online.

Handle your FIDO2 token with care

  • Your FIDO2 token is private, do not share it with others.
  • Don't lose sight of your FIDO2 token; keep the token and computer separate from each other.
  • When you click on "Register your FIDO2 token", you will be asked to use your FIDO2 token.
  • The steps depend on the browser you use.

Edge on Windows

1) First registration step.

You may first be given a choice if there are several options, for example if your computer has a fingerprint sensor.

Choose USB, put your FIDO2 token in a USB port and touch your token.

2) Give permission to use this token.

3) You will see this screen when you log in with your FIDO2 token.

Insert your FIDO2 token into a USB port and touch your token.

Chrome on Windows / Chrome on Mac OSX

1) First registration step.

You may first be given a choice if there are several options, for example if your computer has a fingerprint sensor.

Choose USB, put your FIDO2 token in a USB port and touch your token.

2) Give permission to use this token.

3) You will see this screen when you log in with your FIDO2 token.

Insert your FIDO2 token into a USB port and touch your token.

Safari on Mac OSX

1) Registration.

Insert your FIDO2 token in a USB port and touch your token.

2) You will see this screen when you log in with your FIDO2 token.

Insert your FIDO2 token into a USB port and touch your token.



Firefox on Mac OSX

1) First registration step.

Insert your FIDO2 token in a USB port and touch your token.

2) Give permission to use this token.

Do not use the option to "Anonymize anyway".

3) You will see this screen when you log in with your FIDO2 token.

Insert your FIDO2 token into a USB port and touch your token.

  • Please continue reading at 3 (Confirm e-mail)



3. Confirm e-mail

It is possible that your institution has disabled the email confirmation step. In that case you will not be asked to verify your email address and this step will be skipped.

  • An e-mail with further instructions has been sent to your e-mail address
    (NB: this is the e-mail address that is registered for your institutional account).
  • Click on the link in the e-mail or copy and paste the link in your browser to continue
  • Did you close your browser during registration? You might need to log in once again with your institutional account (See 1. Log in)
  • Did you not receive an e-mail? Check your spam folder or contact your local Service Desk.

  • Your token is almost ready to be used

  • You can have your token activated at the given location(s)

    Please bring:

    • The token (phone for SMS, tiqr or YubiKey hardware USB-token) you have registered
    • A valid proof of identity (passport, driver's license or national ID-card)
    • Your activation code
  • An e-mail with these instructions plus your activation code has also been sent to your e-mail address. You can also print these instructions.
  • Please continue reading at 4 (Token activation)

4. Token activation

Your institution determines which activation method you can use. In total there are 3 activation methods from which you will sometimes have to choose.

If you do not see a choice but have to go through an activation method immediately, then there is no other option for you at that time.

The 3 activation methods are:

  • Self-activation: you can activate your token yourself. You do this by choosing a recovery method (SMS or recovery code). If you can no longer use your token, you need a recovery method to register a new token.
  • Service desk: you activate your token at the service desk of your institution. You will receive instructions on how to do this. Activate within 14 days, because your activation code expires after 14 days.
  • Activate with an existing token: if you already have a token, you can use it to activate a new token.

These methods are explained in more detail below.

Self-activation

  • If you can activate your token with self-activation, you will see this selection screen. Choose self-activation.
  • Your institution may provide an instruction to make your choice easier.
  • A token activated with self-activation has a lower level-of-assurance than activation via a service desk. However, activation via a service desk takes more time and effort.

  • If you lose your token, you must be able to securely register a new token yourself. To do this, you need to configure a recovery method.
  • Choose one of the two recovery methods. You can edit it later and add a second one.

  • If you choose a recovery code, the recovery code will be displayed on the screen.
  • Store it securely, for example in a password manager and keep it safe!

  • If you choose phone number as the recovery method, you must enter a mobile number.
  • Enter your mobile number, including the correct country code.
  • You will now receive a text message with a code
  • Enter this code and click Verify
  • If you have not received a code, you can choose to try again by clicking the "Send a new code" button.


Service desk activation

If you opt for service desk activation, or if you are sent directly to this activation method, you must activate your token at the service desk of your institution.

Do this within 14 days; after that the activation code expires and you will have to register your token again.

  • In this screen you will see instructions for activating at your service desk. These instructions will also be sent to your e-mail address.
  • Visit the location(s) as mentioned and take the activation code with you
  • Tell the service desk employee that you are coming to activate your token for SURFsecureID and provide your activation code
  • Depending on the token of your choice the following check will take place:
    • SMS: you will receive a One Time Password via SMS; please hand over this code to the Service Desk employee
    • tiqr: you will receive a push notification on your smartphone; please enter your tiqr PIN to verify your tiqr account. (Did not receive a push notification? Scan the QR code instead)
    • YubiKey: please hand over your YubiKey to the Service Desk employee. He/she will check if this is indeed the YubiKey you have registered previously.
    • Azure MFA: no additional check will take place.
    • FIDO2: no additional check will take place.
  • The service desk employee will ask you to show a valid identification document.

  • After a successful verification of your token and your identification document, the employee will activate your token.

  • You will receive a confirmation e-mail with more details.

Do not forget to take your YubiKey or phone back after it has been activated by the Service Desk employee.

Activation with another token

If you have already registered another token of sufficient level and your institution allows this, you will be given the option to activate your token yourself. You will then see the screen below.

  • Choose "Token" and log in with your other, already existing token
  • Your token is then activated and you will receive a confirmation email with more information
  • If your other, existing token is not available, you can still opt for an activation via your service desk. Then follow the steps as indicated above.

Your token (SMS, tiqr, YubiKey, Azure MFA or FIDO2) is now ready to use!