|
| 1 | +[](){#mfa} |
| 2 | +# Multi Factor Authentification |
| 3 | + |
| 4 | +To access CSCS services and systems users are required to authenticate using multi-factor authentication (MFA). |
| 5 | +MFA is implemented as a two-factor authentication, where one factor is the login and password pair ("the thing you know") and the other factor is the device which generates one-time passwords (OTPs, "the thing you have"). |
| 6 | +In this way security is significantly improved compared to single-factor (password only) authentication. |
| 7 | + |
| 8 | +The MFA workflow uses a time-based one-time password (OTP) to verify identity. |
| 9 | +An OTP is a six-digit number which changes every 30 seconds. |
| 10 | +OTPs are generated using a tool installed on a device other than the one used to access CSCS services and infrastructure. |
| 11 | +We recommend to use a smartphone with an application such as Google Authenticator to obtain the OTPs. |
| 12 | + |
| 13 | +[](){#mfa-setup} |
| 14 | +## Getting Started |
| 15 | + |
| 16 | +When you first log in to any of the CSCS web applications such as UMP, Jupyter, etc., you will be asked to register your device. |
| 17 | + |
| 18 | +Firstly, you will be asked to provide a code that you received by email. |
| 19 | +After this validation step, you will need to scan a QR code with your mobile phone using an application such as Google Authenticator. |
| 20 | +Lastly, you will need to enter the OTP from the authenticator application to complete the registration of your device. |
| 21 | +From then on, two-factor authrentication will be required to access CSCS services and systems. |
| 22 | +A more detailed explanation of the registration process is provided in the next section. |
| 23 | + |
| 24 | +!!! warning |
| 25 | + It is not possible to log in to CSCS systems using SSH without registering a device and creating certified SSH keys. |
| 26 | + See below for details on generating certified SSH keys. |
| 27 | + |
| 28 | +### Authenticator Application |
| 29 | + |
| 30 | +CSCS supports authenticators that follow an open standard called [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password). |
| 31 | +The recommended way to access such an authenticator is to install an application on your mobile phone. |
| 32 | +Google Authenticator and FreeOTP have been tested successfully; however, if you are using a different mobile application for OTPs, feel free to continue using it - given it supports the TOTP standard. |
| 33 | + |
| 34 | +You can download Google Authenticator for your phone: |
| 35 | + |
| 36 | +* :fontawesome-brands-android: Android: on the [Google Play Store](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2). |
| 37 | +* :fontawesome-brands-apple: iOS: on the [Apple Store](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2). |
| 38 | + |
| 39 | +[](){#mfa-configure-otp} |
| 40 | +### Configure the Authenticator |
| 41 | + |
| 42 | +Before starting, ensure that the following pre-requisites are satisfied |
| 43 | + |
| 44 | +1. You have an invitation email from CSCS for MFA enrollment |
| 45 | + * a notification email will be sent atleast one week before we sent the invitation email. |
| 46 | +2. You have installed an OTP Authenticator app on your mobile device (see above). |
| 47 | + |
| 48 | +!!! note |
| 49 | + If you try access any of our web applications without setting up MFA, you will be redirected to enroll for MFA. |
| 50 | + |
| 51 | +!!! warning |
| 52 | + If you try to SSH to CSCS systems without setting up MFA, you will be prompted with permission denied error, for example: |
| 53 | + ``` |
| 54 | + > ssh ela.cscs.ch |
| 55 | + [email protected]: Permission denied (publickey). |
| 56 | + Connection closed by UNKNOWN port 65535 |
| 57 | + ``` |
| 58 | + |
| 59 | +Steps: |
| 60 | + |
| 61 | +1. Access any of the CSCS Web applications such as [`account.cscs.ch`](https://account.cscs.ch), Jupyter, etc., on a new browser session which will redirects you to the CSCS login page. |
| 62 | +2. Log in with your username and password. |
| 63 | +3. You will be asked to key in a code which CSCS Authentication system sent to you by email. |
| 64 | + After successfaul validation of the code you will be redirected to the next page which present a QR code. |
| 65 | +4. Scan the QR code with the authenticator app that was installed on your mobile device. |
| 66 | + After scanning the QR code the authenticator app will start generating a new 6 digit OTP every 60 seconds. |
| 67 | +5. To complete the OTP registration process, please enter the 6 digit OTP from the authenticator app at the bottom of the the same QR code page. Optionally, you can input your device name where you imported the OTP seed by scanning the QR code |
| 68 | +6. On successful registration you will be logged into the CSCS web application that you accessed in step-1 |
| 69 | + |
| 70 | +!!! todo |
| 71 | + do we need the images from KB? |
| 72 | + |
| 73 | +### Resetting the Authenticator |
| 74 | + |
| 75 | +In case users lose access to their mobile device/Authenticator OTP, users can reset their OTP by following the below self-service process. |
| 76 | + |
| 77 | +1. Access any CSCS web application like: [account.cscs.ch](https://account.cscs.ch/) which redirects you to the CSCS Login page. |
| 78 | +2. From the login screen, click the "Reset OTP" link below the "LOG IN" button |
| 79 | +3. Enter your username and password. |
| 80 | +4. On successful validation of user credentials, users will receive an email with a reset credentials link like the one below, click on the link in the email |
| 81 | +5. The steps are the same as for the first time you [configured the authenticator][mfa-configure-otp]. |
| 82 | + |
| 83 | +!!! warning |
| 84 | + When replacing your smartphone remember to sync the authenticator app before resetting the old smartphone. |
| 85 | + Otherwise, you will have to follow this process. |
| 86 | + |
0 commit comments