MFA Hardware Tokens (Security Keys)

How to acquire and use a Hardware Token in cases where normal MFA methods are unavailable.

What are Hardware tokens and who is this information for?

Hardware tokens are physical devices, similar to USB keys, which generate multi-factor authentication (MFA) codes offline, to enable secure access to University services. This information is to assist staff or students who may require a hardware token for MFA.

Recommended Use of Tokens

The recommendation for staff and students to ensure the best user experience,  is to use an authenticator application on your mobile phone.  However, if this is not suitable, a hardware token provides an alternative method.  Details of options and how to set up your best MFA method are available on the MFA support page.

Acquiring an MFA Hardware Token

MFA Hardware Tokens

Purchasing a compatible MFA hardware token

While there are numerous MFA hardware tokens available on the market, the University has tested the following models:

Feitian ePass FIDO: https://www.ftsafe.com/products/FIDO/NFC

YubiKey 5C NFC: https://www.yubico.com/gb/product/yubikey-5c-nfc

Any FIDO2 token will also work, and therefore if you already have such a token, this can be used.

University-provided hardware tokens

The University offers hardware tokens primarily for those who cannot use other MFA methods, and these can be obtain as follows:

Staff and Students: Please request your token via https://edin.ac/mfa-hardware-token-request-form

Overseas students or staff: you will need to purchase your own compatible token (see section above).

Handling and Policies

Issuance and Approval: No prior approval is required for obtaining a funded FIDO2 key.

Responsibility and Records: Hardware tokens are issued in a similar way to other IT equipment.

Token Loss or Replacement: If a University provided hardware token is lost or stolen then this should be reported to the IS Helpline - the University will replace it in the same way other IT equipment is managed.  If a token is lost or stolen then the user should remove it from their account settings when setting up a new token/using an alternative MFA mechanism (see section below).

Registering and using an MFA Hardware Token

After acquiring a token, users need to log into their University account and navigate to the security settings to register the new device.

Please see the following guide on how to do this, and also on using the token:

Need any help?

This article was published on