rsnt_translations
56,430
edits
Multifactor authentication: Difference between revisions
Jump to navigation
Jump to search
Marked this version for translation
No edit summary |
(Marked this version for translation) |
||
| Line 2: | Line 2: | ||
<translate> | <translate> | ||
<!--T:1--> | |||
Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is enrolled in multifactor authentication, you will be prompted for a second action in addition to your password. This action could be accepting a notification on your phone (Duo Push), entering a 6-digit time-based code, entering a single-use bypass code, or pushing the button on a YubiKey hardware key. This second factor will be required when connecting to many of our services. Note that while we are deploying this, not all of our services may support it, but our goal is to protect most of our services with multifactor authentication in the near future. | Multifactor authentication (MFA) allows you to protect your account with more than a password. Once your account is enrolled in multifactor authentication, you will be prompted for a second action in addition to your password. This action could be accepting a notification on your phone (Duo Push), entering a 6-digit time-based code, entering a single-use bypass code, or pushing the button on a YubiKey hardware key. This second factor will be required when connecting to many of our services. Note that while we are deploying this, not all of our services may support it, but our goal is to protect most of our services with multifactor authentication in the near future. | ||
== Registering factors == | == Registering factors == <!--T:2--> | ||
=== Registering multiple factors === | === Registering multiple factors === | ||
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options of second factor. For example, you can use a phone and single-use codes, a phone and a hardware key, or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account. | When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options of second factor. For example, you can use a phone and single-use codes, a phone and a hardware key, or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account. | ||
=== Using a smart phone or tablet === | === Using a smart phone or tablet === <!--T:3--> | ||
When using a smart phone or tablet, you will first need to install the Duo Mobile authentication app. You can find it on the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store], or on [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Once the application is installed, visit the [https://ccdb.computecanada.ca/multi_factor_authentications multifactor authentication management page in your account]. On that page, select the Duo Mobile option, give a name to your device, then scan the QR code that is shown to you. | When using a smart phone or tablet, you will first need to install the Duo Mobile authentication app. You can find it on the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store], or on [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Once the application is installed, visit the [https://ccdb.computecanada.ca/multi_factor_authentications multifactor authentication management page in your account]. On that page, select the Duo Mobile option, give a name to your device, then scan the QR code that is shown to you. | ||
=== Using a YubiKey hardware key === | === Using a YubiKey hardware key === <!--T:4--> | ||
YubiKeys are hardware tokens made by the company [https://yubico.com/ Yubico]. They have the size of a small USB stick, and different models support different ports. Some will connect to a USB-A port, USB-C port, Lightning. Some models also support near field communication (NFC) to be used with your phone or tablet. To figure out which one may best suit your need, consult [https://www.yubico.com/quiz/ this page]. They cost between 50$ and 100$, and they are the best option if you do not want to use or if you do not have a smart phone. They are also the best option if you are often in situations when using your phone is not possible. | YubiKeys are hardware tokens made by the company [https://yubico.com/ Yubico]. They have the size of a small USB stick, and different models support different ports. Some will connect to a USB-A port, USB-C port, Lightning. Some models also support near field communication (NFC) to be used with your phone or tablet. To figure out which one may best suit your need, consult [https://www.yubico.com/quiz/ this page]. They cost between 50$ and 100$, and they are the best option if you do not want to use or if you do not have a smart phone. They are also the best option if you are often in situations when using your phone is not possible. | ||
<!--T:5--> | |||
YubiKeys support multiple authentication protocols which are commonly used for web authentication, such as WebAuthn, FIDO2, U2F. However, the one protocol which works with SSH connections used on our clusters is called Yubico One Time Password (OTP). When using Yubico OTP, pressing the button on the key will write a long string of characters looking like <tt>vvcccbhbndkglanfhevnricjdvftcfugdtjeflgrhenr</tt>, which will act as your second factor. | YubiKeys support multiple authentication protocols which are commonly used for web authentication, such as WebAuthn, FIDO2, U2F. However, the one protocol which works with SSH connections used on our clusters is called Yubico One Time Password (OTP). When using Yubico OTP, pressing the button on the key will write a long string of characters looking like <tt>vvcccbhbndkglanfhevnricjdvftcfugdtjeflgrhenr</tt>, which will act as your second factor. | ||
<!--T:6--> | |||
Yubico OTP itself has two modes which it can use. In Yubico Cloud mode, authentication requests are forwarded to the Yubico Cloud, where your key was preregistered when you purchased it. This mode is not supported by Duo, which instead supports Yubico OTP. For this mode, you need to have the Public ID, the Private ID, and the Secret Key for your key. If you already have this information, you can use your existing information to register your Yubico OTP on your [https://ccdb.computecanada.ca/multi_factor_authentications multifactor authentication account page]. If you do not have this information, you need to configure your key using the steps below. | Yubico OTP itself has two modes which it can use. In Yubico Cloud mode, authentication requests are forwarded to the Yubico Cloud, where your key was preregistered when you purchased it. This mode is not supported by Duo, which instead supports Yubico OTP. For this mode, you need to have the Public ID, the Private ID, and the Secret Key for your key. If you already have this information, you can use your existing information to register your Yubico OTP on your [https://ccdb.computecanada.ca/multi_factor_authentications multifactor authentication account page]. If you do not have this information, you need to configure your key using the steps below. | ||
==== Configuring your YubiKey for Yubico OTP ==== | ==== Configuring your YubiKey for Yubico OTP ==== <!--T:7--> | ||
To configure your YubiKey, follow these instructions: | To configure your YubiKey, follow these instructions: | ||
<!--T:8--> | |||
# Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website]. | # Download and install the YubiKey Manager software from the [https://www.yubico.com/support/download/yubikey-manager/ Yubico website]. | ||
# Insert your YubiKey and launch the YubiKey Manager software. | # Insert your YubiKey and launch the YubiKey Manager software. | ||
| Line 36: | Line 40: | ||
</gallery> | </gallery> | ||
== Using your second factor == | == Using your second factor == <!--T:9--> | ||
=== When connecting via SSH === | === When connecting via SSH === | ||
When your account has multifactor authentication enabled, if you connect to a cluster which supports it via SSH, you will be prompted to use your second factor after you first authenticate either using your password or your [[SSH Keys|SSH key]]. This prompt will look like this: | When your account has multifactor authentication enabled, if you connect to a cluster which supports it via SSH, you will be prompted to use your second factor after you first authenticate either using your password or your [[SSH Keys|SSH key]]. This prompt will look like this: | ||
| Line 42: | Line 46: | ||
|result= Duo two-factor login for name | |result= Duo two-factor login for name | ||
<!--T:10--> | |||
Enter a passcode or select one of the following options: | Enter a passcode or select one of the following options: | ||
1. Duo Push to My phone (iOS) | <!--T:11--> | ||
1. Duo Push to My phone (iOS) | |||
<!--T:12--> | |||
Passcode or option (1-1):}} | Passcode or option (1-1):}} | ||
At this point, you can either select which phone or tablet (if you have multiple devices enrolled, you would get a list) you want Duo to send a notification to. You will then get a notification on your device, which you need to accept or decline. | At this point, you can either select which phone or tablet (if you have multiple devices enrolled, you would get a list) you want Duo to send a notification to. You will then get a notification on your device, which you need to accept or decline. | ||
<!--T:13--> | |||
If you are using a YubiKey, a backup code, or if you prefer to enter the time-based one-time password that the Duo Mobile application shows, you would write these instead of selecting an option. For example: | If you are using a YubiKey, a backup code, or if you prefer to enter the time-based one-time password that the Duo Mobile application shows, you would write these instead of selecting an option. For example: | ||
{{Command|ssh cluster.computecanada.ca | {{Command|ssh cluster.computecanada.ca | ||
|result= Duo two-factor login for name | |result= Duo two-factor login for name | ||
<!--T:14--> | |||
Enter a passcode or select one of the following options: | Enter a passcode or select one of the following options: | ||
1. Duo Push to My phone (iOS) | <!--T:15--> | ||
1. Duo Push to My phone (iOS) | |||
<!--T:16--> | |||
Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki | Passcode or option (1-1):vvcccbhbllnuuebegkkbcfdftndjijlneejilrgiguki | ||
Success. Logging you in...}} | Success. Logging you in...}} | ||
==== Configuring your SSH client to only ask every so often ==== | ==== Configuring your SSH client to only ask every so often ==== <!--T:17--> | ||
You can configure your OpenSSH client to only ask for the second factor every so often by using the "ControlMaster" mechanism. To do so, edit your <tt>.ssh/config</tt> to add the lines: | You can configure your OpenSSH client to only ask for the second factor every so often by using the "ControlMaster" mechanism. To do so, edit your <tt>.ssh/config</tt> to add the lines: | ||
<pre> | <pre> | ||
| Line 70: | Line 81: | ||
where you would replace <tt>HOSTNAME</tt> with the host name of the server for which you want this configuration. | where you would replace <tt>HOSTNAME</tt> with the host name of the server for which you want this configuration. | ||
=== When authenticating to our account portal === | === When authenticating to our account portal === <!--T:18--> | ||
Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After using your username and password, you will see a prompt similar to this: | Once multifactor authentication is enabled on your account, you will be required to use it when connecting to our account portal. After using your username and password, you will see a prompt similar to this: | ||
<gallery widths=300px heights=300px> | <gallery widths=300px heights=300px> | ||
| Line 77: | Line 88: | ||
at this point, select the option you want to use. | at this point, select the option you want to use. | ||
== Frequently asked questions == | == Frequently asked questions == <!--T:19--> | ||
=== I do not have a smart phone or tablet, or they are too old. Can I still use multifactor authentication? === | === I do not have a smart phone or tablet, or they are too old. Can I still use multifactor authentication? === | ||
Yes. In this case, you need to use YubiKeys (see above). | Yes. In this case, you need to use YubiKeys (see above). | ||
=== I have lost my second factor device. What can I do? === | === I have lost my second factor device. What can I do? === <!--T:20--> | ||
* If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.computecanada.ca/multi_factor_authentications account portal], and then delete your lost device. Then, register a new device. | * If you have backup codes, or if you have more than one device, use that other mechanism to connect to your account on our [https://ccdb.computecanada.ca/multi_factor_authentications account portal], and then delete your lost device. Then, register a new device. | ||
* If you do not have backup codes, or if have lost all of your devices, contact our [[Technical support]] for assistance. | * If you do not have backup codes, or if have lost all of your devices, contact our [[Technical support]] for assistance. | ||
</translate> | </translate> | ||