Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. In addition to an existing institutional login. SURFsecureID is only used for the 2nd factor. This is especially interesting for use by a central (authentication) facility such as ADFS, Citrix or F5 BIGIP. This facility handles the 1st factor itself and calls SURFsecureID for the 2nd factor if necessary. This makes strong authentication available for a range of internal and external (cloud) services. This option is also called Second Factor Only, especially in the more technical documentation.

  2. For a (cloud) service.  SURFsecureID handles the entire login for service, The service outsources the complete login (ie both the 1st and the 2nd factor) to either SURFconext or SURFsecureID. The 1st factor (username / password) via the IdP and the 2nd factor via the available means.
    Image Removedavailable SURFsecureID tokens. The available options are:

    a. The cloud service (Service Provider, or SP) is connected to SURFconext which is configured to call SURFsecureID for this service. This makes it especially easy for services already connected to SURFconext to use SURFsecureID as this is transparant for the service. The service can use either SAML or OpenID Connect to connect to SURFconext.

    Image Added

    b. The cloud service connects to SURFsecureID. This option is similar to (a) except that it supports dynamic LoA request by the service and only supports SAML.
    Image Added

SURFsecureID gives access to services via three different types of tokens: SMS, Tiqr (smartphone app) or YubiKey (USB hardware token). Users first log in with their institutional account and are then prompted to confirm their identity with their token. In this way there is a second layer of security.

SURFsecureID is available at an additional fee for all institutions connected to SURFconext.

How does


a token registration work?

  1. The user registers his preferred token (SMS, Tiqr or Yubikey) in the registration portal
  2. User must visit his institution's service desk to have an authorised employee verify his identity.
  3. This employee will bind the user's token to his account. After that the user's token will be activated.
  4. Now the user can log in to any service designated for strong authentication using the two-step login procedure.