Registration/2FA: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 35: | Line 35: | ||
These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard. |
These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard. |
||
If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device. |
|||
| [[File:Otpapp.png|center|200px|TOTP Authenticator displaying generated One-Time Passwords for various services (source: https://getaegis.app)]] |
| [[File:Otpapp.png|center|200px|TOTP Authenticator displaying generated One-Time Passwords for various services (source: https://getaegis.app)]] |
||
|} |
|} |
||
= Token Management = |
|||
{|style="background:#deffee; width:100%;" |
{|style="background:#deffee; width:100%;" |
||
Line 54: | Line 56: | ||
'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete Tokens. Please select the Cluster you want to create a second factor: |
'''bwUniCluster/bwForCluster Tokens''' are generally managed via the '''My Tokens''' menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete Tokens. Please select the Cluster you want to create a second factor: |
||
→ [https://login.bwidm.de/user/twofa.xhtml '''bwUniCluster 2.0''' and '''bwForCluster JUSTUS 2'''] (KIT users can also reuse their existing hardware and software tokens for the HPC systems.) |
|||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
⚫ | |||
1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''. |
1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''. |
||
[[File:BwIDM-token.png|center|]] |
[[File:BwIDM-token.png|center|frame|Create a new Token]] |
||
2. A new window opens. Click '''Start''' to generate a new '''QR code'''. |
2. A new window opens. Click '''Start''' to generate a new '''QR code'''. |
||
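Review bot: the context line "1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''." is missing a preposition ("a click on"); the same sentence is copied into the new Yubikey OATH section later in this diff, so both copies should be corrected.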
Line 74: | Line 77: | ||
Do not save the QR code, print it out or share it with someone else. |
Do not save the QR code, print it out or share it with someone else. |
||
|} |
|} |
||
[[File: |
[[File:BwIDM-qr.png|center|600px|frame|QR Code for Mobile App]] |
||
3. Start the software token app on your separate device and scan the QR code. |
3. Start the software token app on your separate device and scan the QR code. |
||
Line 85: | Line 88: | ||
5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token. |
5. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token. |
||
[[File:BwIDM-app.png|center|Success]] |
[[File:BwIDM-app.png|center|frame|Success]] |
||
6. Repeat the process to register additional tokens. |
6. Repeat the process to register additional tokens. |
||
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly. |
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly. |
||
=== Yubikey |
=== Registering a Yubikey OATH TOTP === |
||
[https://developers.yubico.com/OATH/ Yubikey OATH TOTP] generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes. |
|||
Please download and install [https://developers.yubico.com/OATH/YubiKey_OATH_software.html Yubico Authenticator] for Desktop (or Android) first. |
|||
Insert your Yubikey in your computer. |
|||
1. Registering a new Token starts with a click '''NEW SMARTPHONE TOKEN'''. |
|||
[[File:BwIDM-token.png|center|frame|Create a new Token]] |
|||
2. A new window opens. Click '''Start''' to generate a new '''QR code'''. |
|||
This may take a while. |
|||
{|style="background:#deffee; width:100%;" |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
[[Image:Attention.svg|center|25px]] |
|||
|style="padding:5px; background:#cef2e0; text-align:left"| |
|||
The QR code contains a key which has to remain secret. |
|||
Only use the QR code to link your software token app with bwIDM/bwServices in the next step. |
|||
Do not save the QR code, print it out or share it with someone else. |
|||
|} |
|||
3. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select '''Scan QR code'''. |
|||
[[File:BwIDM-yubi1.png|center|600px|frame|QR Code and Yubico Authenticator on Linux]] |
|||
4. Yubico Authenticator automatically translates the QR code to a new entry called '''bwIDM''' or '''bwServices''' (MLS&WISO). |
|||
Click '''Add account'''. |
|||
[[File:BwIDM-yubi2.png|center|600px|frame|Create new TOTP on Yubico Authenticator]] |
|||
5. You will receive a six-digit code. |
|||
Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click '''CHECK'''. |
|||
[[File:BwIDM-yubi3.png|center|600px|frame|Verify TOTP]] |
|||
6. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your software token. |
|||
[[File:BwIDM-app.png|center|frame|Success]] |
|||
7. Repeat the process to register additional tokens. |
|||
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly. |
|||
== Yubikey OTP == |
|||
[https://developers.yubico.com/OTP/OTPs_Explained.html Yubikey OTP] is even easier and you don't need a device that displays the six-digit code. |
|||
New Yubikeys are already configured to provide Yubikey OTP in slot 1. |
|||
If you need to configure your Yubikey, read this [[Registration/2FA/Yubikey|documentation]]. |
|||
1. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead. |
1. If you want to use [https://www.yubico.com/resources/glossary/yubico-otp/ Yubico OTP], you can click '''NEW YUBIKEY TOKEN''' instead. |
||
[[File:BwIDM-token.png|center|Generate Yubikey OTP]] |
[[File:BwIDM-token.png|center|frame|Generate Yubikey OTP]] |
||
2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey. |
2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey. |
||
Please |
Please refer to this [[Registration/2FA/Yubikey|documentation]] on how to configure your Yubikey. |
||
[[File:BwIDM-yubikey.png|center|Yubikey OTP]] |
[[File:BwIDM-yubikey.png|center|frame|Yubikey OTP]] |
||
3. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey. |
3. If everything worked as expected, you will be returned to the '''My Tokens''' screen and there will be a new entry for your Yubikey. |
||
[[File:BwIDM-yubikey2.png|center|Success]] |
[[File:BwIDM-yubikey2.png|center|frame|Success]] |
||
4. Repeat the process to register additional tokens. |
4. Repeat the process to register additional tokens. |
||
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly. |
Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly. |
||
== Backup TAN List == |
|||
{|style="background:#deffee; width:100%;" |
{|style="background:#deffee; width:100%;" |
||
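Review bot: the new heading "=== Registering a Yubikey OATH TOTP ===" is level 3, while the sibling sections "== Yubikey OTP ==" and "== Backup TAN List ==" added in the same hunk are level 2 under "= Token Management ="; use "== Registering a Yubikey OATH TOTP ==" so the table of contents nests consistently. The new section also repeats steps 1 and 2 and the QR-code attention box verbatim from the smartphone section; referring to that section instead would keep the secrecy warning maintained in one place.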
Line 113: | Line 157: | ||
Passwords from the "Backup TAN list" should only be used if no other token is left. |
Passwords from the "Backup TAN list" should only be used if no other token is left. |
||
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs. |
Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs. |
||
Each TAN can only be used once. |
|||
|} |
|} |
||
1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''. |
1. Please create at least one "Backup TAN list" by clicking '''CREATE NEW TAN LIST'''. |
||
[[File:BwIDM-token.png|center|Generate Backup TAN list]] |
[[File:BwIDM-token.png|center|frame|Generate Backup TAN list]] |
||
2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs. |
2. Click '''START'''. You will be redirected to the '''My Tokens''' screen and there will be a new entry for your backup TANs. |
||
[[File:BwIDM-tan.png|center|Success]] |
[[File:BwIDM-tan.png|center|frame|Success]] |
||
3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies. |
3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies. |
||
[[File:JUSTUS-2-2FA-backup-TAN-list.png|center|frame|600px|Print Backup TAN List]] |
|||
4. Repeat the process to register additional tokens. |
4. Repeat the process to register additional tokens. |
||
== Deactivating a Token == |
|||
Click '''Disable''' next to the Token entry on the '''My Tokens''' screen. |
Click '''Disable''' next to the Token entry on the '''My Tokens''' screen. |
||
== Deleting a Token == |
|||
After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token. |
After a Token has been disabled a new button labeled '''Delete''' will appear. Click on it to delete the token. |
||
= Lost Token = |
|||
If you have lost a token please create a new one. |
If you have lost a token please create a new one. |
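Review bot: the context line "3. Click '''SHOW TANS''', print the codes and keep then in a separate place for emergencies." has a typo ("then" for "them"); since this hunk already edits the Backup TAN List section, it is worth correcting here.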
Revision as of 19:28, 20 January 2022
Generate a Second Factor (2FA)
To improve security, a 2-factor authentication mechanism (2FA) is enforced for logins to bwUniCluster/bwForClusters. In addition to the service password, a second value, the second factor, has to be entered on every login.
How 2FA works
It is very important that the device that generates the One-Time Passwords and the device which is used to log into the bwUniCluster/bwForClusters are not the same. Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
On the bwUniCluster/bwForClusters we use six-digit, auto-generated, time-dependent one-time passwords (TOTP). These passwords are generated by a piece of software which is part of a special hardware device (a hardware token) or of a normal application running on a common device (a software token).
The Token has to be synchronized with a central server before it can be used for authentication. It then generates an endless stream of six-digit values which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password. Yubico OTP is also supported if you want to use your Yubikey without depending on having a six-digit code displayed. But you can also use the Yubikey as a generator for six-digit TOTP.
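As an added illustration of the TOTP mechanism described above (not code from this wiki or from bwIDM), the following Python implements RFC 6238 the way the page describes it: six digits, 30-second steps, plus a server-side check that tolerates one step of clock drift and refuses a reused code. The otpauth URI and the key inside it are constructed sample values (RFC 6238's published demo key), not real bwIDM data.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

DIGITS = 6   # six-digit codes, as used by bwIDM
STEP = 30    # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step)


def secret_from_otpauth_uri(uri: str) -> bytes:
    """The registration QR code encodes an otpauth:// URI whose 'secret' parameter is
    the base32 shared key. This is the key the page says must never be saved or shared."""
    b32 = urllib.parse.parse_qs(urllib.parse.urlparse(uri).query)["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)


class TotpVerifier:
    """Server side: accept the current step plus `window` steps either side for clock
    drift, and never accept a step at or before the last accepted one, so a code
    (and any older code) cannot be replayed within its validity interval."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # already consumed: one-time means one-time
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


# Constructed sample: RFC 6238's demo key wrapped in an otpauth URI like the QR code carries.
SAMPLE_URI = "otpauth://totp/bwIDM:user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=bwIDM"
```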
The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:
These are only suggestions. You can use any application compatible with the TOTP standard. If you don't want to use a smartphone, we recommend using a hardware token, such as Yubikey or another TOTP-compatible device.
Token Management
bwUniCluster/bwForCluster Tokens are generally managed via the My Tokens menu entry on the registration pages for the clusters. Here you can register, activate, deactivate and delete Tokens. Please select the Cluster for which you want to create a second factor:
→ bwUniCluster 2.0 and bwForCluster JUSTUS 2 (KIT users can also reuse their existing hardware and software tokens for the HPC systems.)
Registering a new Software Token using a Mobile APP
1. Registering a new Token starts with a click on NEW SMARTPHONE TOKEN.
2. A new window opens. Click Start to generate a new QR code. This may take a while.
The QR code contains a key which has to remain secret. Only use the QR code to link your software token app with bwIDM/bwServices in the next step. Do not save the QR code, print it out or share it with someone else.
3. Start the software token app on your separate device and scan the QR code. The exact process is a little bit different in every app, but is usually started by pressing on a button with a plus (+) sign or an icon of a QR code.
4. Once the QR code has been loaded into your Software Token app there should be a new entry called bwIDM or bwServices (MLS&WISO). Generate a One-Time Password by pressing on this entry or selecting the appropriate button/menu item. You will receive a six-digit code. Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click Check.
5. If everything worked as expected, you will be returned to the My Tokens screen and there will be a new entry for your software token.
6. Repeat the process to register additional tokens. Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.
Registering a Yubikey OATH TOTP
Yubikey OATH TOTP generates the TANs on your Yubikey and therefore you can use different computers and Android phones to generate these codes. Please download and install Yubico Authenticator for Desktop (or Android) first. Insert your Yubikey in your computer.
1. Registering a new Token starts with a click on NEW SMARTPHONE TOKEN.
2. A new window opens. Click Start to generate a new QR code. This may take a while.
The QR code contains a key which has to remain secret. Only use the QR code to link your software token app with bwIDM/bwServices in the next step. Do not save the QR code, print it out or share it with someone else.
3. Start the Yubico Authenticator on your OS, click the three vertical dots in the upper right corner and select Scan QR code.
4. Yubico Authenticator automatically translates the QR code to a new entry called bwIDM or bwServices (MLS&WISO). Click Add account.
5. You will receive a six-digit code. Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked and then click CHECK.
6. If everything worked as expected, you will be returned to the My Tokens screen and there will be a new entry for your software token.
7. Repeat the process to register additional tokens. Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.
Yubikey OTP
Yubikey OTP is even easier and you don't need a device that displays the six-digit code. New Yubikeys are already configured to provide Yubikey OTP in slot 1. If you need to configure your Yubikey, read this documentation.
1. If you want to use Yubico OTP, you can click NEW YUBIKEY TOKEN instead.
2. Yubikey OTP is configured to slot 1 on new Yubikeys, so you only need to click in the text box and then touch the metal part of your Yubikey. Please refer to this documentation on how to configure your Yubikey.
3. If everything worked as expected, you will be returned to the My Tokens screen and there will be a new entry for your Yubikey.
4. Repeat the process to register additional tokens. Please register at least the "Backup TAN list" in addition to the hardware/software token you plan to use regularly.
Backup TAN List
Passwords from the "Backup TAN list" should only be used if no other token is left. Please do not use the Backup TANs for regular cluster login, because you have only a limited number of TANs. Each TAN can only be used once.
1. Please create at least one "Backup TAN list" by clicking CREATE NEW TAN LIST.
2. Click START. You will be redirected to the My Tokens screen and there will be a new entry for your backup TANs.
3. Click SHOW TANS, print the codes and keep them in a separate place for emergencies.
4. Repeat the process to register additional tokens.
Deactivating a Token
Click Disable next to the Token entry on the My Tokens screen.
Deleting a Token
After a Token has been disabled a new button labeled Delete will appear. Click on it to delete the token.
Lost Token
If you have lost a token please create a new one. If you switch your phone, please migrate your tokens first or register your new mobile app. If you don't have any valid tokens left (mobile app, hardware token, Yubikey or backup TAN) you'll need to contact the ticket system. This process will take some time.