If a computer is used by several people, each user must have their own local user account.
It is not possible to set up an MFA login with a technical account.
Important notice:
In order to set up the passkey, a code matrix must first be set up.
If you have activated MFA, you must use it on all devices to log in. It is recommended that the setup procedure is carried out on all devices, with the setup being completed on a minimum of two devices. That way, the code matrix is not needed to set up a device again in the event of a malfunction.
Specification version for the security chip
The first step is to check the required security level of the device. Go to the Settings of your device and open the Update and security option. You will also find the device security under Windows security. The information on the TPM (Trusted Platform Module) should show Specification version 2.0. This version is mandatory in order to set up the MFA with passkey under Windows. Otherwise, please follow the MFA KeePassXC instructions to use KeePassXC as an alternative application.
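The same check can be scripted, for example when preparing several devices. This is an added example and not part of the original instructions; it assumes an elevated PowerShell session, and the function name Test-PasskeyTpmRequirement is hypothetical.

```powershell
# Added example: reads the TPM specification version that Windows Security
# shows under Device security and maps it to the next step on this page.
# Test-PasskeyTpmRequirement is a hypothetical helper name.
function Test-PasskeyTpmRequirement {
    [CmdletBinding()]
    param()

    # Win32_Tpm is only readable from an elevated session; without a TPM
    # (or without elevation) the query returns nothing.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue |
           Select-Object -First 1

    if (-not $tpm) {
        return [pscustomobject]@{
            TpmFound    = $false
            SpecVersion = $null
            Enabled     = $false
            MeetsSpec20 = $false
            NextStep    = 'No TPM readable (missing chip or session not elevated): follow the MFA KeePassXC instructions'
        }
    }

    # SpecVersion is a comma-separated string such as "2.0, 0, 1.59";
    # the first field is the specification version the page asks for.
    $family  = ($tpm.SpecVersion -split ',')[0].Trim()
    $meets20 = $family -eq '2.0'

    $next = if ($meets20 -and $tpm.IsEnabled_InitialValue) {
        'Continue with the Windows Hello and passkey setup'
    } elseif ($meets20) {
        'TPM 2.0 found but not enabled: enable it in the firmware settings first'
    } else {
        'Specification version is not 2.0: follow the MFA KeePassXC instructions'
    }

    [pscustomobject]@{
        TpmFound    = $true
        SpecVersion = $tpm.SpecVersion
        Enabled     = [bool]$tpm.IsEnabled_InitialValue
        MeetsSpec20 = $meets20
        NextStep    = $next
    }
}

Test-PasskeyTpmRequirement | Format-List
```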
The second step is to activate the MFA login options on your laptop. To do this, go back to your device's Settings. There, you will find the Accounts menu item — access your work or school account. Disconnect the Microsoft user account as shown on the screen.
Screenshot 2: Disconnecting the Microsoft account in the settings
Notice!
If you have already set up the Windows Hello PIN or fingerprint on your computer, you can continue with Roll out Passkey.
To do this, please go back to your device's Settings. There, after selecting Accounts, you will find the Sign-in options. First, activate the Windows Hello PIN in the login options. Restart the laptop after setting up to try the new login option.
Screenshot 3: Windows Hello PIN option
Notice:
The Windows Hello PIN should not contain any part of your BA number or of the password for your BA number.
The Windows Hello PIN must be set up; without it, the passkey setup cannot be completed. It also serves as an alternative login method if fingerprint recognition does not work.
Notice for tower computers!
If you are using a desktop or tower computer, you can only set up Windows Hello PIN as a login option. You can continue directly with Roll out Passkey.
Attention!
If you have forgotten the Windows Hello PIN, you must first remove it and then set everything up again as described in the section Setting up Windows Hello.
Now select a sign-in option (Hello fingerprint recognition is recommended) to add it.
Once set up, restart the computer to check the new login option.
Screenshot 4: Windows Hello Fingerprint
On laptops with a fingerprint option, the corresponding button can be found either near the touchpad or directly on the device's on/off button.
Screenshot 5: Fingerprint option
Screenshot 6: Fingerprint option
Screenshot 7: Fingerprint option
Passkey roll out
Notice!
If you are already logged into the IAM Portal, follow the instructions.
If you want to set up Passkey on another device, first log in to the IAM Portal on the end device on which you have already rolled out Passkey. Create the registration code there, and then follow the instructions in the section Create Passkey on the new end device.
Create registration code
To roll out the passkey, open the web application IAM Portal - Create registration code.
Screenshot 8: Create registration code menu in the IAM Portal
Your registration code will be displayed there. Please copy it and note that the code is only valid for 30 minutes.
The code matrix and the registration code should be displayed for selection as a registration option.
Please enter the previously copied registration code in the field provided on the Get passkey page and click on Check.
Screenshot 10: Passkey login
Select the menu item Roll out token.
As you have to roll out a passkey for each device, it is advisable to give each one a matching description. Assign a suitable name under Description, such as “Laptop login”, and confirm with Roll out token.
Screenshot 11: Describing the token name and rolling out the token
The temporary pop-up message “getpasskey.iam.uni-bamberg.de requests extended information...” will then be displayed. Please select the Allow option promptly. Otherwise the token will be deactivated and deleted.
Screenshot 12: Confirmation of the notification about the roll-out of the tokens
If the passkey has been successfully stored, you will receive the message The token has been rolled out in the next window.
Select Activate in the menu and click on Apply. The Passkey login has been activated notification is displayed as confirmation.
To deactivate the passkey login, select Deactivate in the menu and then Apply.
Manage passkey
You can manage your passkey via the IAM Portal (iam.uni-bamberg.de). You can deactivate or delete your passkeys under the menu item Manage Passkeys. Please note that the corresponding passkey must be deleted immediately if the device is lost or stolen.
Screenshot 14: Manage passkeys
Emergency registration with the code matrix
Please only use the code matrix in an emergency and if you are sure that the passkey login is not available. Follow the steps on the Codematrix information page. There you will find the link to the detailed instructions.