User Tools

Site Tools


services:2fa

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
services:2fa [2021/03/15 08:45]
deul [Introduction]
services:2fa [2021/03/25 07:24] (current)
deul [Error Message]
Line 1: Line 1:
-======Two-Factor Authentication (2FA)======+======Two-Factor Authentication (2FA) @ STRW======
 {{ services:2fa_graphic.jpg?nolink&400|}} {{ services:2fa_graphic.jpg?nolink&400|}}
-=====Introduction===== 
-  * Please read this document carefully or start from [[:services:2fa#first_time_access|here]] 
-====Why==== 
-After the recent increase in hacker activity and floods of phishing emails, it is clear that the Observatory Compute environment is under constant attack. One of the major deficiencies in our current setup is that it is enough to know a username and password to get access to a wide variety of resources and data. With the improper handling of phishing emails, but also when using public wifi services, it seems easy for people with not so good intentions to get account credential information. After that, there is no easy way to prevent misuse of accounts and computer resources. 
  
-We need to put a stop to that, and the only way to do that is to introduce a second step in identifying that you are the rightful owner of the account credentials. This second step is provided throught the Two-Factor Authentication (2FA) mechanism. For this second verification, you need a physical device, for instance a smart phone or personal computer. +Please read this document carefully or jump to  
- +  * [[:services:2fa#first_time_access|First Time Access]]  
-====Where==== +  * [[:services:2fa#setup_ssh_keys|Setup ssh keys]] 
-In principle for every service where you need to identify yourself, 2FA is needed. In the beginning we will restrict 2FA to two major services: Web pages and ssh remote login. At a later stage 2FA will be implemented for other services as well. You will be informed well in advance. +=====Introduction====== 
-===WEB Pages & 2FA === +  * [[:services:2fa:introduction|whywhere and how]]
-For all Web pages where you need to login, we will enforce 2FA. This also, and in particular, includes webmail. The Observatory WEBsite has many pages shielded by authentication and each page will be individually added to the 2FA facility. +
-===ssh remote login & 2FA=== +
-One other major way to gain access to our resources and data is through the ssh protocol. So this means that using ''%%ssh%%'' to login from remote to the Observatory ssh gateway or to the local desktops or serversyou will be confronted with a second prompt to enter credentials. How this works is explained later on this page. In fact, 2FA is imposed on the ssh protocol, so ''%%scp%%'', ''%%sftp%%'', remote ''%%rsync%%'' and even tunnelier (Win) will also be affected. +
-====How==== +
-The 2FA protocol that we have implemented is based on the Time-based One Time Password (TOTP) mechanism and we are using RedHat developed tools to implement this. TOTP means that for a limited amount of time you get a passcode, which you have to provide to the authentication program as a second 'password' to gain access to the resource. Initially, at first use of 2FA, you have been given a private secret key and have stored that on your mobile device. Then, for each login, you use that mobile device to generate (time limited) passcodes. This passcode you present (type in) to the login procedure and after verification it gives you access to the restricted resource. Details on this process are described below.+
  
 ======Timeline===== ======Timeline=====
Line 81: Line 72:
 In case of problems, look at the [[services:2fa#fa_problems|2FA Problem]] section at the end of this page. In case of problems, look at the [[services:2fa#fa_problems|2FA Problem]] section at the end of this page.
 ====Making ssh operations easier==== ====Making ssh operations easier====
-Of course it is not very handy to have to authenticate each time you login between computers at the Observatory using the 2FA mechanism. Therefor, we have disabled 2FA for the case where you have implemented personal ssh keys. So if you setup ssh keys at the Observatory, you do not have to type in either your password, nor your passcode+Of course it is not very handy to have to authenticate each time you login between computers at the Observatory using the 2FA mechanism. Therefor, we have disabled 2FA for the case where you have implemented personal ssh keys. So if you setup ssh keys at the Observatory, you do not have to type in either your password, nor your passcode.
  
-Please read the dokuwiki page on [[:SSH#ssh_keys|ssh]], section SSH Keys, on how to setup ssh keys in your Observatory account.+===Setup ssh keys==== 
 +Go to the [[:services:2fa:sshkeys|how to setup sshkeys]] page for a detailed description on ssh key configuration. 
 + 
 +Also read the generic dokuwiki page on [[:SSH#ssh_keys|ssh]], section SSH Keys, on how to setup ssh keys in your Observatory account.
    
 =====2FA Problems====== =====2FA Problems======
Line 92: Line 86:
   * Reset your password   * Reset your password
   * Re-initiate the 2FA process as described above in the 'First Time Access' section   * Re-initiate the 2FA process as described above in the 'First Time Access' section
 +====Error Message====
 +If you see **Two-factor authentication has not been setup for your account <accountname> yet.  Please refer to
 + the computer documentation on the institute webpage for the description and setup of 2FA**, this means your secret code has not trickled down to this system yet. It may take up to 30 minutes after setting up 2FA before all Observatory systems know about your secret key. Thus be patient ant try again in 30 minutes. 
 +
 ====Code not accepted==== ====Code not accepted====
-Note that the passcodes have a lifespan of 30 seconds and that both the Observatory computers and yout Smart Phone or personal computer need to be in time sync. You might also have been just a bit too late confirming your passcode. In that case repeat the process of creating the passcode en entering it into the prompt/web form.+Note that the passcodes have a lifespan of 30 seconds and that both the Observatory computers and your Smart Phone or personal computer need to be in time sync. You must enter the 2FA app settings and select "**Time synchronisation**". After this the codes should work again. You might also have been just a bit too late confirming your passcode. In that case repeat the process of creating the passcode en entering it into the prompt/web form.
  
 In principle the system also allows passcodes that are from the previous or next timeslot. So you should have a total of 90 seconds to deliver a trusted passcode. This period is shortened if the Observatory time keeping differs slightly from your smart phone or personal computer time keeping. In principle the system also allows passcodes that are from the previous or next timeslot. So you should have a total of 90 seconds to deliver a trusted passcode. This period is shortened if the Observatory time keeping differs slightly from your smart phone or personal computer time keeping.
services/2fa.1615797918.txt.gz · Last modified: 2021/03/15 08:45 by deul