Secure authentication

To further protect subjects’ personal data against compromised or weak passwords, Castellum can and should be used with two-factor authentication (2FA).

If enabled, you need to enter an additional code before you can log in to Castellum (similar to a TAN for online banking).

Currently we support any generic TOTP application or FIDO2 hardware security tokens.

Smartphone apps (TOTP)

We recommend to use a 2FA application on your phone. Just ask your local IT on suggestions for appropriate apps to be used at your institution.


By the time of writing (June 2021) the MPI for Human Development recommends its Castellum users to install either Google Authenticator or andOTP for Android or Microsoft Authenticator on iOS.

TOTP stands for “Time-based One-Time Password”. As the name suggests, each TOTP code can only be used once.

Most TOTP apps work the same:

  1. Install an authenticator app on a phone

  2. Register that phone on the website (Castellum) by scanning a QR code with the authenticator app

  3. The app will now generate a new 6-digit numeric code every 30 seconds

  4. The code depends on the current time, so make sure that the phone has the correct time set

Hardware Keys (FIDO2)

If you do not want to use your phone and TOTP, you can also chose to use FIDO2-based hardware keys (tokens). In that case we recommend Yubico FIDO2 tokens, but any FIDO2-compatible token should work.

The tokens are connected to your device with USB and, when registered successfully, usually just require a tap / key press when prompted on login.

For additional details about supported hardware tokens or Authenticator apps, contact your local IT department or security officer.