Multifactor authentication: Difference between revisions

Jump to navigation Jump to search

Multifactor authentication (view source)

Revision as of 18:51, 28 February 2023

7 bytes removed ,  1 year ago
no edit summary
No edit summary
Line 1: Line 1:
{{Draft}}
{{Draft}}


Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is enrolled in multifactor authentication, you will be prompted for a second action in addition to your password. This action could be accepting a notification on your phone (Duo Push), entering a 6 digits time based code, entering a single-use bypass code, or pushing on the button of a Yubikey hardware key. This second factor will be required when connecting to many of our services. Note that while we are deploying this, not all of our services may supported it, but our goal is to protect most of our services with mutlifactor authentication in the near future.  
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is enrolled in multifactor authentication, you will be prompted for a second action in addition to your password. This action could be accepting a notification on your phone (Duo Push), entering a 6-digit time-based code, entering a single-use bypass code, or pushing the button on a Yubikey hardware key. This second factor will be required when connecting to many of our services. Note that while we are deploying this, not all of our services may support it, but our goal is to protect most of our services with mutlifactor authentication in the near future.  


== Registering factors ==  
== Registering factors ==  
Line 11: Line 11:


=== Using a YubiKey hardware key ===
=== Using a YubiKey hardware key ===
YubiKeys are hardware tokens made by the company [https://yubico.com/ Yubico]. They have the size of a small USB stick, and different models support different ports. Some will connect to a USB-A port, USB-C port, Lightning. Some models also support near field communication (NFC) to be used with your phone or tablet. To figure out which one may best suite your need, consult [https://www.yubico.com/quiz/ this page]. They cost between 50$ and 100$, and they are the best option if you do not want to use or if you do not have a smart phone. They are also the best option if you are often in situations when using your phone is not possible.  
YubiKeys are hardware tokens made by the company [https://yubico.com/ Yubico]. They have the size of a small USB stick, and different models support different ports. Some will connect to a USB-A port, USB-C port, Lightning. Some models also support near field communication (NFC) to be used with your phone or tablet. To figure out which one may best suit your need, consult [https://www.yubico.com/quiz/ this page]. They cost between 50$ and 100$, and they are the best option if you do not want to use or if you do not have a smart phone. They are also the best option if you are often in situations when using your phone is not possible.  


YubiKeys support multiple authentication protocols which are commonly used for web authentication, such as WebAuthn, FIDO2, U2F. However, the one protocol which works with SSH connections used on our clusters is called Yubico One Time Password (OTP). When using Yubico OTP, pressing the button on the key will write a long string of characters looking like <tt>vvcccbhbndkglanfhevnricjdvftcfugdtjeflgrhenr</tt>, which will act as your second factor.  
YubiKeys support multiple authentication protocols which are commonly used for web authentication, such as WebAuthn, FIDO2, U2F. However, the one protocol which works with SSH connections used on our clusters is called Yubico One Time Password (OTP). When using Yubico OTP, pressing the button on the key will write a long string of characters looking like <tt>vvcccbhbndkglanfhevnricjdvftcfugdtjeflgrhenr</tt>, which will act as your second factor.  


Yubico OTP itself has two modes which it can use. In Yubico Cloud mode, authentication requests are forwarded to Yubico's cloud, in which your key is already pre-registered when you purchase it. This mode is not supported by Duo, which instead supports Yubico OTP. For this mode, you need to have the Public ID, the Private ID, and the Secret Key for your key. If you already have this information, you can use your existing information to register your Yubico OTP on your [https://ccdb.computecanada.ca/multi_factor_authentications mutlifactor authentication account page]. If you do not have this information, you need to configure your key using the steps below.  
Yubico OTP itself has two modes which it can use. In Yubico Cloud mode, authentication requests are forwarded to Yubico's cloud, in which your key is already preregistered when you purchase it. This mode is not supported by Duo, which instead supports Yubico OTP. For this mode, you need to have the Public ID, the Private ID, and the Secret Key for your key. If you already have this information, you can use your existing information to register your Yubico OTP on your [https://ccdb.computecanada.ca/multi_factor_authentications mutlifactor authentication account page]. If you do not have this information, you need to configure your key using the steps below.  


==== Configuring your YubiKey for Yubico OTP ====
==== Configuring your YubiKey for Yubico OTP ====
Line 26: Line 26:
# Select <tt>Yubico OTP</tt>
# Select <tt>Yubico OTP</tt>
# Select <tt>Use serial</tt>, then generate a Private ID and a Secret Key. '''Securely save a copy of the data in the Public ID, Private ID, and Secret key fields before you click Finish, as you will need the data for the next step.'''
# Select <tt>Use serial</tt>, then generate a Private ID and a Secret Key. '''Securely save a copy of the data in the Public ID, Private ID, and Secret key fields before you click Finish, as you will need the data for the next step.'''
# Keep the previous screen open and log into the CCDB to register your Yubikey in your [https://ccdb.computecanada.ca/multi_factor_authentications mutlifactor authentication account page]
# Keep the previous screen open and log into the CCDB to register your Yubikey in your [https://ccdb.computecanada.ca/multi_factor_authentications mutlifactor authentication account page].
<gallery widths=300px heights=300px>
<gallery widths=300px heights=300px>
File:Yubico Manager OTP.png|Step 3
File:Yubico Manager OTP.png|Step 3
Line 48: Line 48:
At this point, you can either select which phone or tablet (if you have multiple devices enrolled, you would get a list) you want Duo to send a notification to. You will then get a notification on your device, which you need to accept or decline.  
At this point, you can either select which phone or tablet (if you have multiple devices enrolled, you would get a list) you want Duo to send a notification to. You will then get a notification on your device, which you need to accept or decline.  


If you are using a Yubikey, a backup code, or if you prefer to enter the time based one time password that the Duo Mobile application shows, you would write these instead of selecting an option. For example:  
If you are using a Yubikey, a backup code, or if you prefer to enter the time-based one-time password that the Duo Mobile application shows, you would write these instead of selecting an option. For example:  
{{Command|ssh cluster.computecanada.ca
{{Command|ssh cluster.computecanada.ca
|result= Duo two-factor login for name
|result= Duo two-factor login for name
Diane27
rsnt_translations
56,430

edits

Retrieved from "https://docs.alliancecan.ca/wiki/Special:MobileDiff/130528"

Navigation menu