Multifactor authentication: Difference between revisions

Jump to navigation Jump to search

Multifactor authentication (view source)

Revision as of 13:33, 28 February 2023

115 bytes added ,  1 year ago
no edit summary
No edit summary
No edit summary
Line 1: Line 1:
{{Draft}}
{{Draft}}


Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is enrolled in MFA, you will be prompted for a second action in addition to your password. This action could be accepting a notification on your phone (Duo Push), entering a 6 digits time based code, entering a single-use bypass code, or pushing on the button of a Yubikey hardware key. This second factor will be required when connecting to many of our services. Note that while we are deploying this, not all of our services may supported it, but our goal is to protect most of our services with MFA in the near future.  
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is enrolled in multifactor authentication, you will be prompted for a second action in addition to your password. This action could be accepting a notification on your phone (Duo Push), entering a 6 digits time based code, entering a single-use bypass code, or pushing on the button of a Yubikey hardware key. This second factor will be required when connecting to many of our services. Note that while we are deploying this, not all of our services may supported it, but our goal is to protect most of our services with mutlifactor authentication in the near future.  


== Registering multiple factors ==  
== Registering multiple factors ==  
When you enable MFA for your account, we '''strongly recommend''' that you configure at least two options of second factor. For example, you can use a phone and single-use codes, a phone and a hardware key, or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.
When you enable mutlifactor authentication for your account, we '''strongly recommend''' that you configure at least two options of second factor. For example, you can use a phone and single-use codes, a phone and a hardware key, or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.


== Using a smart phone ==
== Using a smart phone ==
Line 14: Line 14:
YubiKeys support multiple authentication protocols which are commonly used for web authentication, such as WebAuthn, FIDO2, U2F. However, the one protocol which works with SSH connections used on our clusters is called Yubico One Time Password (OTP). When using Yubico OTP, pressing the button on the key will write a long string of characters looking like <tt>vvcccbhbndkglanfhevnricjdvftcfugdtjeflgrhenr</tt>, which will act as your second factor.  
YubiKeys support multiple authentication protocols which are commonly used for web authentication, such as WebAuthn, FIDO2, U2F. However, the one protocol which works with SSH connections used on our clusters is called Yubico One Time Password (OTP). When using Yubico OTP, pressing the button on the key will write a long string of characters looking like <tt>vvcccbhbndkglanfhevnricjdvftcfugdtjeflgrhenr</tt>, which will act as your second factor.  


Yubico OTP itself has two modes which it can use. In Yubico Cloud mode, authentication requests are forwarded to Yubico's cloud, in which your key is already pre-registered when you purchase it. This mode is not supported by Duo, which instead supports Yubico OTP. For this mode, you need to have the Public ID, the Private ID, and the Secret Key for your key. If you already have this information, you can use your existing information to register your Yubico OTP on your [https://ccdb.computecanada.ca/multi_factor_authentications MFA account page]. If you do not have this information, you need to configure your key using the steps below.  
Yubico OTP itself has two modes which it can use. In Yubico Cloud mode, authentication requests are forwarded to Yubico's cloud, in which your key is already pre-registered when you purchase it. This mode is not supported by Duo, which instead supports Yubico OTP. For this mode, you need to have the Public ID, the Private ID, and the Secret Key for your key. If you already have this information, you can use your existing information to register your Yubico OTP on your [https://ccdb.computecanada.ca/multi_factor_authentications mutlifactor authentication account page]. If you do not have this information, you need to configure your key using the steps below.  


=== Configuring your YubiKey for Yubico OTP ===
=== Configuring your YubiKey for Yubico OTP ===
Line 33: Line 33:
[[File:Generate Yubikey IDs.png|thumb|left]]
[[File:Generate Yubikey IDs.png|thumb|left]]


* Keep the previous screen open and log into the CCDB to register your Yubikey in your [https://ccdb.computecanada.ca/multi_factor_authentications MFA account page]
* Keep the previous screen open and log into the CCDB to register your Yubikey in your [https://ccdb.computecanada.ca/multi_factor_authentications mutlifactor authentication account page]
[[File:CCDB Yubikeys.png|thumb|left]]
[[File:CCDB Yubikeys.png|thumb|left]]
Mboisson
Bureaucrats, cc_docs_admin, cc_staff, rsnt_translations
2,837

edits

Retrieved from "https://docs.alliancecan.ca/wiki/Special:MobileDiff/130471"

Navigation menu