
Two-Factor Authentication at the Lorentz Institute

Introduction

After the recent increase in cracker activity and floods of phishing e-mails (cyber criminality), it is clear that the Lorentz Institute IT infrastructure is under constant attack. One of the major deficiencies in our current setup is that knowing a username and password is enough to get access to a wide variety of resources and data on our servers. When phishing e-mails are handled improperly, but also when users disclose their credentials carelessly (for instance over public WiFi), cyber criminals can easily obtain account credentials. Once a user's credentials have been compromised, preventing the misuse of that account and of our computer resources becomes impossible.

To avoid or at least drastically mitigate the problems described above, we have introduced Two-Factor Authentication (2FA) to add an extra level of security to your Lorentz Institute account. With 2FA enabled, knowledge of your username and password is no longer sufficient to gain access to the system, because you will have to provide an additional, unique security code (AKA one-time password or OTP) to successfully authenticate.

Lorentz Institute's OTPs are time-based one-time passwords (TOTPs): each code is a keyed hash (HMAC) of a secret key and the current time, so it is unique to a short time window and expires together with that window. An expired TOTP is rejected and authentication fails. To generate valid TOTPs, you store a copy of a secret key issued by the IL authentication system on a personal device; the device combines that key with the current time to calculate each new code (see the instructions below). Because anyone who holds the secret key can calculate valid TOTPs, it is of the utmost importance that you never share the key with anybody, otherwise your account can be compromised in exactly the way 2FA is meant to prevent.

More information can be found in the published TOTP open standard https://tools.ietf.org/html/rfc6238.
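The following is an added worked example of the mechanism described above, written for this page; it is not the IL authentication system's own code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with Python's standard library, shows why a code expires (the time counter moves to the next 30-second step), and includes the server-side check that accepts only the current window plus a small clock-skew margin. The 30-second step, 6-digit codes and the Base32 form of the shared secret are the conventions used by common authenticator apps and are assumptions here, not facts stated on this page; the secret in the usage block is the constructed RFC 6238 test key, not a real IL key.

```python
"""Added example: RFC 6238 TOTP generation and verification (not the IL system's code)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, then `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = number of `step`-second windows since the Unix epoch.
    The 30-second step is the usual authenticator-app default (assumption, not from the page)."""
    return hotp(secret, int(unix_time // step), digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accept the code for the current step and `window` steps on either
    side (clock skew between server and phone); anything outside that range has expired.
    All candidates are compared in constant time and none is skipped, so response timing
    does not reveal which step, if any, matched."""
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return False
    current = int(unix_time // step)
    matched = False
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            matched = True
    return matched


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as Base32 (assumption: the IL key is
    delivered in that form too); spaces and missing '=' padding are tolerated."""
    s = encoded.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Constructed secret: the ASCII test key from RFC 6238 Appendix B, not a real IL key.
    secret = b"12345678901234567890"
    print("code for the current time step:", totp(secret, time.time()))
    # Same time step -> same code; next step -> different code. This is the "expiry".
    assert totp(secret, 30) == totp(secret, 59)
    assert totp(secret, 59) != totp(secret, 60)
    # The time alone is public; without the secret an attacker cannot compute the code.
    assert verify_totp(secret, totp(secret, 59), 59)
    assert not verify_totp(secret, totp(secret, 59), 59 + 5 * 30)
```

The `window` argument is the only tolerance a verifier should give: widening it (or accepting a code more than once per step) trades directly against the "limited duration" property the introduction relies on, so keep it at one step and record the last accepted counter per account to reject replays.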

First-time 2FA Setup

2FA setup differs depending on whether or not you own a smartphone. Users without a smartphone will have to use their personal computer instead. 2FA also requires you to provide the Lorentz Institute with a private e-mail address 1)

2FA-enabled Logins

Two-factor authentication is mandatory to access the following services

1)
Used only for important security communications related to your IL account
institute_lorentz/2fa-introduction.txt · Last modified: 2021/03/22 15:06 by lenocil