Multifactor authentication: Difference between revisions

copyedits
No edit summary
(copyedits)
Line 8: Line 8:
<!--T:21-->
<!--T:21-->
You can choose any of these factors for this second authentication step:
You can choose any of these factors for this second authentication step:
*Approving a notification on a smart device through the Duo Mobile application.
*Approve a notification on a smart device through the Duo Mobile application.
*Entering a code generated on demand.
*Enter a code generated on demand.
*Pushing a button on a hardware key (YubiKey).
*Push a button on a hardware key (YubiKey).


<!--T:22-->
<!--T:22-->
This feature will be progressively deployed, that is, it will not be immediately available for all our services.
This feature will be gradually deployed and will not be immediately available for all of our services.


= Recorded webinars = <!--T:50-->
= Recorded webinars = <!--T:50-->
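Review bot: the list item "Enter a code generated on demand" does not say what generates the code, whereas the other two items name the Duo Mobile application and the YubiKey; since the page later speaks of "single-use codes" as a second-factor option, consider wording it as "Enter a single-use code generated on demand" and stating where the user obtains it, so a reader choosing a backup factor knows which mechanism this is.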
Line 24: Line 24:
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.
When you enable multifactor authentication for your account, we <b>strongly recommend</b> that you configure at least two options for your second factor. For example, you can use a phone and single-use codes; a phone and a hardware key; or two hardware keys. This will ensure that if you lose one factor, you can still use your other one to access your account.


== To use a smartphone or tablet == <!--T:3-->
== Use a smartphone or tablet == <!--T:3-->


<!--T:46-->
<!--T:46-->
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or on [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will fail to scan the QR code.
#Install the Duo Mobile authentication application from the [https://itunes.apple.com/us/app/duo-mobile/id422663827 Apple Store] or [https://play.google.com/store/apps/details?id=com.duosecurity.duomobile Google Play]. Make sure to get the correct application (see icon below). TOTP applications such as Aegis, Google Authenticator, and Microsoft Authenticator are <b>not</b> compatible with Duo and will not scan the QR code.
#Go to the [https://ccdb.alliancecan.ca CCDB], connect to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.
#Go to the [https://ccdb.alliancecan.ca CCDB], login to your account and select <i>My account → [https://ccdb.alliancecan.ca/multi_factor_authentications Multifactor authentication management]</i>.
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.
#Under <i>Register a device</i>, click on <i>Duo Mobile</i>.
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.
#Enter a name for your device. Click on <i>Continue</i>. A QR code will be displayed.
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.
#In the Duo Mobile application, tap <i>Set up account</i> or the “+” sign.
#Tap <i>Use a QR code</i>.
#Tap <i>Use a QR code</i>.
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wifi or cellular data) while you are scanning the QR code.</b>
#Scan the QR code shown to you in CCDB. <b>Important: Make sure that your mobile device is connected to the internet (over wi-fi or cellular data) while you are scanning the QR code.</b>
<gallery widths=300px heights=300px>
<gallery widths=300px heights=300px>
File:Duo-mobile-app-icon.png|Step 1
File:Duo-mobile-app-icon.png|Step 1
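Review bot: in step 2, "login to your account" uses the noun form where the verb is needed; it should read "log in to your account". The rest of the hunk is sound: the "Use a smartphone or tablet" heading matches the imperative list items introduced earlier, and the explicit warning that Aegis, Google Authenticator and Microsoft Authenticator cannot scan a Duo QR code removes a common enrollment failure.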
Line 43: Line 43:
</gallery>
</gallery>


== To use a YubiKey 5 == <!--T:4-->
== Use a YubiKey 5 == <!--T:4-->
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation when using your phone or tablet is not possible, then a YubiKey 5 is your best option.
A YubiKey is a hardware token made by the [https://www.yubico.com/ Yubico] company. If you do not have a smartphone or tablet, do not wish to use your phone or tablet for multifactor authentication, or are often in a situation when using your phone or tablet is not possible, then a YubiKey is your best option.


<!--T:45-->
<!--T:45-->
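Review bot: the new wording "then a YubiKey is your best option" drops the model from the sentence while the heading directly above it still says "Use a YubiKey 5" and the configuration steps later on the page assume the YubiKey Manager OTP slots; keep "YubiKey 5" (or state which models are supported) so a reader does not buy a key that cannot be configured as described.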
Line 53: Line 53:


<!--T:5-->
<!--T:5-->
Among the many protocols supported by YubiKeys, the one which works with SSH connections to our clusters is the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates and transmits a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.
Multiple protocols are supported by YubiKeys. Our clusters use the Yubico One-Time Password (OTP). After you have registered a YubiKey for multifactor authentication, when you log on to one of our clusters you will be prompted for a one-time password (OTP). You respond by touching a button on your YubiKey, which generates a string of 32 characters to complete your authentication. Using a YubiKey does not require any typing on the keyboard: the YubiKey connected to your computer “types” the 32-character string when you touch its button.


<!--T:6-->
<!--T:6-->
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.
To register your YubiKey you will need its Public ID, Private ID, and Secret Key. If you have this information, go to the [https://ccdb.computecanada.ca/multi_factor_authentications Multifactor authentication management page]. If you do not have this information, configure your key using the steps below.


=== Configuring your YubiKey for Yubico OTP === <!--T:7-->
=== Configuring your YubiKey for Yubico OTP === <!--T:7-->
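Review bot: the rewrite "Our clusters use the Yubico One-Time Password (OTP)" loses the qualifier in the old text that Yubico OTP is the protocol that works for SSH connections specifically; the page has a separate section on authenticating to the account portal, so suggest "SSH logins to our clusters use the Yubico One-Time Password (OTP)". Also, the management-page link in T:6 points at ccdb.computecanada.ca while the same page is linked as ccdb.alliancecan.ca in the smartphone section; use one hostname consistently.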
Line 64: Line 64:
# Insert your YubiKey and launch the YubiKey Manager software.
# Insert your YubiKey and launch the YubiKey Manager software.
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>.  (Images below illustrate this and the next few steps.)
# In the YubiKey Manager software, select <i>Applications</i>, then <i>OTP</i>.  (Images below illustrate this and the next few steps.)
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1s to 2.5), while slot 2 is a long touch on the key (pressing for 3s to 5s). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1.  
# Select <i>Configure</i> for either slot 1 or slot 2. Slot 1 corresponds to a short touch (pressing for 1 to 2.5 seconds), while slot 2 is a long touch on the key (pressing for 3 to 5 seconds). Slot 1 is typically pre-registered for Yubico cloud mode. If you are already using this slot for other services, either use slot 2, or click on <i>Swap</i> to transfer the configuration to slot 2 before configuring slot 1.  
# Select <i>Yubico OTP</i>.
# Select <i>Yubico OTP</i>.
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b>
# Select <i>Use serial</i>, then generate a private ID and a secret key. <b>Securely save a copy of the data in the Public ID, Private ID, and Secret Key fields before you click on <i>Finish</i>, as you will need the data for the next step.</b>
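Review bot: step 3 tells a reader who already uses slot 1 to click Swap, but does not say that the existing configuration will then be triggered by a long touch (3 to 5 seconds) instead of a short one, which changes how those other services are used; add a sentence to that effect. The correction of "1s to 2.5" to "1 to 2.5 seconds" is right. In step 5, the bold warning could also state that the Private ID and Secret Key are the credentials that make the key's OTPs valid and should be kept only in a secure place, not in a plain-text note or chat message.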
Line 109: Line 109:


=== Configuring your SSH client to only ask every so often === <!--T:17-->
=== Configuring your SSH client to only ask every so often === <!--T:17-->
If you use OpenSSH to connect, you can reduce the frequency with which you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:
If you use OpenSSH to connect, you can reduce how frequently you are asked for a second factor. To do so, edit your <code>.ssh/config</code> to add the lines:


<!--T:24-->
<!--T:24-->
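Review bot: the intro names the file as <code>.ssh/config</code> without the home-directory prefix; write <code>~/.ssh/config</code>, and mention that the file may have to be created and that ssh refuses to use a config file that is writable by other users. The sentence should also say in one clause how the prompt frequency is reduced (by reusing an already authenticated connection), so the reader understands that the saving applies only while that connection stays open.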
Line 121: Line 121:


<!--T:41-->
<!--T:41-->
If you are using Windows, you can install OpenSSH using the instructions on [https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui this page]. Note that you only need the client portion of these instructions.
If you are using Windows, you can [https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui install OpenSSH]. Note that you only need the client portion of these instructions.


== When authenticating to our account portal == <!--T:18-->
== When authenticating to our account portal == <!--T:18-->
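Review bot: this Windows note follows the <code>.ssh/config</code> section but does not say where that file lives on Windows, which differs from the Unix path given above; add the Windows location so the previous section is usable by the readers this note targets. Turning the sentence into a direct link on "install OpenSSH" is fine.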
Line 131: Line 131:


= Configuring common SSH clients = <!--T:32-->
= Configuring common SSH clients = <!--T:32-->
Command line clients will typically support multifactor authentication without additional configuration. This is however often not the case for graphical clients. Below are instructions specifics to a few of them.  
Command line clients will typically support multifactor authentication without additional configuration. This is however often not the case for graphical clients. Below are instructions specific to a few of them.  


== FileZilla == <!--T:33-->
== FileZilla == <!--T:33-->
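Review bot: "This is however often not the case for graphical clients" reads more naturally as "However, this is often not the case for graphical clients". The typo fix "specific to" is correct.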
Line 154: Line 154:


== MobaXTerm == <!--T:36-->
== MobaXTerm == <!--T:36-->
Install version 23.1 or more recent.
Install version 23.1 or later.


<!--T:43-->
<!--T:43-->
When connecting to a remote server, MobaXterm establishes by default two connections:
When connecting to a remote server, MobaXterm establishes two connections by default:
the first one for the terminal and the second one for the remote file browser.
the first for the terminal and the second for the remote file browser.
By default, the file browser uses the <i>SFTP protocol</i>,
By default, the file browser uses the <i>SFTP protocol</i>,
which causes a mandatory second prompt for your second factor of authentication.
which causes a mandatory second prompt for your second factor of authentication.
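Review bot: the heading spells the product "MobaXTerm" while the body spells it "MobaXterm"; pick one spelling. "a mandatory second prompt for your second factor of authentication" is awkward; suggest "a second prompt for your second factor", since the file browser's SFTP connection is a separate SSH session and is therefore authenticated separately.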
Line 170: Line 170:


== PuTTY == <!--T:37-->
== PuTTY == <!--T:37-->
Install version 0.72 or more recent.  
Install version 0.72 or later.  


== WinSCP == <!--T:38-->
== WinSCP == <!--T:38-->
Line 225: Line 225:


== I need to have automated connections to the clusters through my account. Can I use multifactor authentication ? == <!--T:31-->
== I need to have automated connections to the clusters through my account. Can I use multifactor authentication ? == <!--T:31-->
Not at this moment. We are considering what options to implement for automation, but we do not have a general solution implemented yet. Please do not enroll into MFA at this time if you have this need - and please contact [[Technical support]] to explain your requirements.
Not at this moment. We are considering options to implement for automation, but we do not have a solution yet. Please do not enroll into MFA at this time if you have this need - and please contact [[Technical support]] to explain your requirements.


== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location" ? == <!--T:44-->
== What should I do when I receive the message "Access denied. Duo Security does not provide services in your current location" ? == <!--T:44-->
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.
This is a consequence of Duo being a US product: [https://help.duo.com/s/article/7544?language=en_US Duo help]. You'll need to use a VPN to circumvent this, to make it appear you're coming from an unaffected country.


= Advanced usage = <!--T:27-->
= Advanced usage = <!--T:27-->
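Review bot: both question headings have a space before the question mark ("authentication ?", "location\" ?"); remove it. In the first answer, "enroll into MFA" should be "enroll in MFA". In the second answer, "use a VPN to circumvent this, to make it appear you're coming from an unaffected country" reads as advice to evade the vendor's restriction; consider rewording to direct users to the institutional VPN that gives them an address in a supported location, and to contact Technical support if that is not possible.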