BwUniCluster 2.0 User Access/2FA Tokens: Difference between revisions

From bwHPC Wiki
Jump to navigation Jump to search
(Created page with "Since August 13, 2020 a '''2-factor authentication''' mechanism (2FA) is being enforced for logins to bwUniCluster 2.0 to improve security. In addition to the service password...")
 
No edit summary
Line 7: Line 7:
The token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.
The token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.


It is very important that the device which generates the One-Time Passwords and the device which is used to log into bwUniCluster 2.0 are not the same. Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the software token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge. The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a software token by installing one of the following apps:
It is very important that the device which generates the One-Time Passwords and the device which is used to log into bwUniCluster 2.0 are not the same. Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the software token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a software token by installing one of the following apps:


* FreeOTP for [https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp Android] or [https://apps.apple.com/de/app/freeotp-authenticator/id872559395 iOS]
* FreeOTP for [https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp Android] or [https://apps.apple.com/de/app/freeotp-authenticator/id872559395 iOS]
Line 18: Line 20:


* Authy for [https://authy.com/download/ Mac]
* Authy for [https://authy.com/download/ Mac]

[[File:Freeotp-example.png|center|An example of the FreeOTP app on Android, displaying generated One-Time Passwords for various services]]


These are only suggestions, you can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.
These are only suggestions, you can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.

Revision as of 17:01, 4 August 2020

Since August 13, 2020 a 2-factor authentication mechanism (2FA) is being enforced for logins to bwUniCluster 2.0 to improve security. In addition to the service password a second value, the second factor, has to be entered on every login.

How 2FA works

For bwUniCluster we use six-digit, auto-generated, time-dependent One-Time Passwords (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a Hardware Token) or of a normal application running on a common device (a Software Token).

The token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.

It is very important that the device which generates the One-Time Passwords and the device which is used to log into bwUniCluster 2.0 are not the same. Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the software token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a software token by installing one of the following apps:

An example of the FreeOTP app on Android, displaying generated One-Time Passwords for various services

These are only suggestions, you can use any application compatible with the TOTP standard.

Token Management

bwUniCluster 2.0 Tokens are be managed via the My Tokens menu entry on the central bwIDM system.