Why do I need to identify myself?
Your institution wants to make sure that services and data are safe and only accessible to authorized persons. SURFsecureID is used for access to extra sensitive services or data. The institution then wants to be more sure that the person who has access is also who he says he is. Part of the solution is to use a 2nd factor to log in. But only a 2nd factor does not provide more certainty about the identity of the person; for example, if I create an account with Google as Pietje Puk, I can also activate a 2nd factor, but that does not mean that I am really Pietje Puk. That is why SURFsecureID asks you to identify yourself before the 2nd factor is activated. Thus, with a higher degree of reliability, it is certain that you are who you say you are.
Why is part of the document number saved?
An important part of SURFsecureID is that during the activation of the token the identity of the user is checked with an identity document. To ensure that an identity document has actually been checked, the service desk employee must register the last 6 positions of the document number. On the one hand, this ensures that the service desk employee does not skip the identification due to pressure or convenience, and on the other hand that the identity document has also been carefully examined. The latter can, for example, already prevent the use of a false identity document.
What is a valid identity document?
The following are valid identity documents in the Netherlands:
a Dutch passport or a passport or identity card of a country belonging to the EU or the EEA. Passports of all other countries must contain a valid residence sticker;
a Dutch identity card;
a refugee travel document issued by the Dutch authorities;
an alien’s travel document issued by the Dutch authorities
a residence permit or leave to remain card (W-document);
a driving license.
Please note:
the identity document cannot be expired
the identity document cannot be a copy
a student card, banking card etc. is not a valid identity document
Which of my data does SURFsecureID process?
SURFsecureID processes a number of personal data of its users. These data are supplied by your institution via SURFconext. The institution has given permission for this and has a processing agreement with SURF.
The following personal data are processed:
- Full name
- E-mail address
- Institution name
- Your identifier at the institution
- The last 6 positions of the document number of the identity document
You can see the value of this data via https://profile.surfconext.nl/my-services (except for the last 6 positions of the document number).
In addition, your phone number is saved if you have chosen to use SMS as a token. In the case of tiqr, a tiqr identifier and the address to send push messages to are stored. In the case of Yubikey, the serial number of the Yubikey used is stored.
Services that are protected with SURFsecureID can also receive personal data in order to function. These data are then made available to that service via SURFconext. Read here about the type of data and how SURFconext handles them.
How does SURFsecureID handle my data?
SURF processes your data on behalf of your institution. To this end, SURF has a processing agreement with your institution in the context of the GDPR.
All account data within SURFsecureID is processed in the Netherlands. The retention period for accounts in SURFsecureID is thirty-seven months after the last login. Log data is stored for 6 months. It is also possible to delete account data within SURFsecureID at the request of the institution or at the request of the person concerned.
Does it matter if I register a work or private phone?
No. It does not matter if you register your work or private phone. Receiving one time pass codes via text messages is free. Just make sure you register the phone (work or private) that you have with you every time you need two-step authentication. Without your phone, you cannot log in.
Is it possible to use tiqr on two phones?
No, you can only register once with your institutional account and hence register the tiqr app once. Unless you create a back-up of the tiqr app on one phone and do a restore on the other (for advanced users!).
I have an account with two (or more) institutions. Can I use the same token (SMS, tiqr, YubiKey) to log in to applications I use with my institutional accounts?
Yes you can. But to activate your token you will have to complete the registration process once within every institution. This is necessary because your token needs to be bound to your institutional account.
Can I share my token (SMS, tiqr, YubiKey) with other users?
No, your token is private. Do not share your token with others. Because your token is bound to your institutional account another user cannot simply use your token to login and pretend to be you. This user would also need to know your institutional account (username/password).
Wat should I do if my Activation code has expired?
The activation code you will receive after registering your token (SMS, tiqr, YubiKey) expires after 14 days. If you still want to complete the activation of your token after this 14-day period, you will first have to remove your current token registration and re-start the registration process of your token. (https://sa.surfsecureid.nl).You will receive a new activation code that is again valid for 14 days. Finish the activation of your token at the Service Desk with your new activation code within 14 days.
What should I do when my phone number has changed?
First you will have to remove the registration of your old phone number in the Registration Portal. Then, you will have to complete a new registration with your new phone number and activate it at your institution's Service Desk. Or follow the instructions on how to replace your token.
What should I do when I get a new mobile phone?
If you keep the same number and use SMS authentication, you don't have to do anything. You can use your new phone for strong authentication.
If you use SMS authentication and your number changes, then first delete your old token in the Registration Portal and then register again with your new telephone number. You have to go to your institution's Service Desk to activate your device.
If you use tiqr, you can try to transfer your tiqr account to your new phone via a backup of your old phone. SURF does not provide support for this, you can contact your phone's manufacturer with questions or issues.
- For iOS: this only works when you've made a backup via iCloud or an encrypted backup with iTunes.
- For Android: use the Google backup functionality for this. Some supplier's own backup facilities (such as those from Samsung) do not restore your tiqr account.
For Android: there are several options, often depending on the manufacturer of the phone. We have not been able to test every backup facility, so other methods may also work that we do not mention here:
Use the Google backup functionality. This is a standard option on Android phones.
For Samsung phones you can use Samsung Smart Switch. The Samsung backup facilities does not work and will not restore your tiqr account.
If this does not work, first remove your old tiqr account in the Registration Portal. Then install the tiqr app on your new phone and register it in the Registration Portal. Go to the Service Desk of your institution to activate tiqr on your phone.
What should I do if I have lost my phone or YubiKey?
Remove your token registration in the Registration Portal. From that moment on, your token cannot be abused anymore. The Service Desk of your institution is also able to remove a token registration for you.
If you suspect that others have taken advantage of your phone or YubiKey to access services that require strong authentication, please contact your local support desk.
My Tiqr account has been locked. How do I solve this?
Your Tiqr account can get locked. This happens when you enter an incorrect PIN too many times in a row during a Tiqr authentication. When your Tiqr account is locked you will get the error "Error - Your account is locked" at tiqr.surfconext.nl. All the Tiqr accounts in the Tiqr app on your phone will be locked. This lock is permanent and cannot be undone. The locked status of your Tiqr account is not visible in the SURFsecureID self service portal. To get Tiqr working with SURFsecureID again, you must register a new Tiqr token. To do this:
- Go to the SURFsecureID self-service portal: https://sa.surfconext.nl
- Remove the Tiqr token from the overview
- Now you can register a new Tiqr token using the self-service portal. You will need to follow the registration process again as described in the Token registration manual.
Scanning the QR code doesn't work. What can i do?
Android devices in particular seem to have trouble scanning the QR code with the tiqr app. As a workaround, you can try to:
- Scan the QR code with a different scanner app, like this one of this one. The Android camera app can often also scan QR codes. When scanning a tiqr QR code, you will be asked to open the tiqr app and you can proceed in the same way as when you scanned the QR code from within tiqr.
- Move the camera towards the screen displaying the QR code and back again. Sometime the camera has trouble focussing, and moving in and out can help with that.
Where should I go if I need support?
Did you not find what you were looking for in the FAQ? If you have more questions on how to register, replace, remove or use you token (SMS, tiqr, YubiKey) please contact your local support desk at your institution.
What kind of phone do I need to use tiqr?
You can run tiqr on iOS or on Android devices. For Android, the minimal version is 5.0 (Lollipop), or SDK 21.
I do not receive SMS messages. What can I do?
An SMS message sent by SURFsecureID typically takes just a few seconds to arrive on your phone. Sometimes it can longer for SMS messages to arrive or SMS message may appear to fail to arrive altogether. SURFsecureID uses an SMS Gateway – a service that is specialised in sending SMS messages – that can deliver SMS messages anywhere in the world. If you did not get an error from SURFsecureID this means that the SMS message was delivered at the SMS gateway.
What you can do when SMS messages do not arrive:
- Verify that you have mobile network reception. Mobile network reception is required for receiving SMS messages
- Restart your phone. Your phone will then reauthenticate to the mobile network
- Try again later. Experience has shown that an SMS message reception issue usually resolves itself after some time
- Go to the Self-Service portal (https://sa.surfconext.nl) en use "Test a token" to send an SMS
Contact the ICT service desk of your institution if the problem persists.