Difference between revisions of "BwUniCluster 2.0 User Access/2FA Tokens"

From bwHPC Wiki
(8 intermediate revisions by the same user not shown)
Line 6: Line 6:
   
 
The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.
 
The Token has to be synchronized with a central server before it can be used for authentication and then generates an endless stream of six-digit values which can only be used once and are only valid during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.
  +
  +
<br/>
  +
  +
[[File:2fa token code.jpg|center|frame|Hardware Token used at KIT]]
  +
  +
<br/>
   
 
'''It is very important that the device that generates the One-Time Passwords and the device which is used to log into bwUniCluster 2.0 are not the same.''' Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
 
'''It is very important that the device that generates the One-Time Passwords and the device which is used to log into bwUniCluster 2.0 are not the same.''' Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which allows them to generate One-Time Passwords and log into the HPC system without your knowledge.
Line 15: Line 21:
 
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
 
* Google Authenticator for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/de/app/google-authenticator/id388497605 iOS]
   
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android], [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS] or [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 Windows]
+
* Microsoft Authenticator for [https://play.google.com/store/apps/details?id=com.azure.authenticator Android] and [https://apps.apple.com/de/app/microsoft-authenticator/id983156458 iOS]
   
 
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/de/app/lastpass-authenticator/id1079110004 iOS] or [https://www.microsoft.com/de-de/p/lastpass-authenticator/9nblggh5l9d7?activetab=pivot:overviewtab Windows]
 
* LastPass Authenticator for [https://play.google.com/store/apps/details?id=com.lastpass.authenticator Android], [https://apps.apple.com/de/app/lastpass-authenticator/id1079110004 iOS] or [https://www.microsoft.com/de-de/p/lastpass-authenticator/9nblggh5l9d7?activetab=pivot:overviewtab Windows]
   
* Authy for [https://authy.com/download/ Mac]
+
* Authy for [https://authy.com/download/ Mac, Windows or Linux]
  +
  +
* GNOME Authenticator for [https://github.com/bilelmoussaoui/Authenticator/ Linux]
   
 
These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.
 
These are only suggestions. You can use any application compatible with the [https://tools.ietf.org/html/rfc6238 TOTP] standard.
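Review bot: the desktop entries this hunk adds or widens (Authy for Mac, Windows or Linux; GNOME Authenticator for Linux) and the unchanged LastPass Authenticator Windows link sit directly beneath the rule that the device generating the One-Time Passwords must not be the device used to log in; suggest a one-line reminder next to the desktop entries that a desktop authenticator only counts as a separate device when it runs on a machine other than the one used for SSH. Dropping the Microsoft Authenticator "Windows" link, which pointed at the iOS App Store URL (`https://apps.apple.com/de/app/microsoft-authenticator/id983156458`), is the right fix.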
Line 25: Line 33:
 
<br/>
 
<br/>
   
[[File:Freeotp-example.png|center|An example of the FreeOTP app on Android, displaying generated One-Time Passwords for various services|]]
+
[[File:Freeotp-example.png|center|frame|An example of the FreeOTP app on Android, displaying generated One-Time Passwords for various services]]
   
 
= Token Management =
 
= Token Management =
   
bwUniCluster 2.0 Tokens are be managed via the '''My Tokens''' menu entry on the central [https://bwidm.scc.kit.edu/ bwIDM] system. Here you can register, activate, deactivate and delete Tokens.
+
'''bwUniCluster 2.0 Tokens''' are generally managed via the '''My Tokens''' menu entry on the central [https://bwidm.scc.kit.edu/ bwIDM] system. Here you can register, activate, deactivate and delete Tokens.
  +
  +
'''KIT users''' can also re-use their existing hardware and software tokens for the HPC systems.
   
 
== Registering a new Software or Hardware Token ==
 
== Registering a new Software or Hardware Token ==
   
1. Registering a new Token starts with a click on '''New smartphone token'''. If you happen to own a USB Hardware Token device made by the manufacturer '''Yubikey''', you can click on '''New Yubikey Token''' instead.
+
1. Registering a new Token starts with a click on '''New smartphone token'''. If you happen to own a USB Hardware Token device made by the manufacturer '''[https://www.yubico.com Yubikey]''', you can click on '''New Yubikey Token''' instead.
   
 
[[File:BwUniCluster 2.0 2fa register new empty.png|center|]]
 
[[File:BwUniCluster 2.0 2fa register new empty.png|center|]]
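Review bot: in the new step 1 the phrase "made by the manufacturer '''[https://www.yubico.com Yubikey]'''" links to yubico.com; the manufacturer is Yubico and YubiKey is the product name, so "made by Yubico (YubiKey)" would be accurate. The image lines in both columns also still carry an empty trailing caption field (`|center|]]`); either add a caption, as was done for the FreeOTP image in this hunk, or drop the trailing pipe.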
Line 50: Line 60:
   
 
[[File:BwUniCluster 2.0 2fa register new success.png|center|]]
 
[[File:BwUniCluster 2.0 2fa register new success.png|center|]]
  +
  +
6. Repeat the process to register additional tokens. '''Please register at least a Backup TAN list in addition to the hardware/software token you plan to use regularly. If you only register a single token and happen to lose access to it, e.g. because you lose your device, uninstall the software token application or data gets deleted/corrupted, you will neither be able to log into the cluster system nor register a new token.''' The [[BwUniCluster 2.0 Support|support channels]] are able to deactivate your lost token, but this process will take its time.
   
 
= Deactivating a Token =
 
= Deactivating a Token =

Revision as of 09:51, 19 October 2020

Since August 13, 2020, a two-factor authentication mechanism (2FA) has been enforced for logins to bwUniCluster 2.0 to improve security. In addition to the service password, a second value, the second factor, has to be entered on every login.

1 How 2FA works

For bwUniCluster we use six-digit, automatically generated, time-based One-Time Passwords (TOTP). These passwords are generated by software that is either part of a dedicated hardware device (a Hardware Token) or a normal application running on a common device (a Software Token).

The Token has to be synchronized with a central server before it can be used for authentication; it then generates an endless stream of six-digit values, each of which can be used only once and is valid only during a very short interval of time. This makes it much harder for potential attackers to access the HPC system, even if they know the regular service password.


[Figure: Hardware Token used at KIT]


It is very important that the device that generates the One-Time Passwords and the device used to log into bwUniCluster 2.0 are not the same. Otherwise an attacker who gains access to your system can steal both the service password and the secret key of the Software Token application, which would allow them to generate One-Time Passwords and log into the HPC system without your knowledge.

The most common solution is to use a mobile device (e.g. your smartphone or tablet) as a Software Token by installing one of the following apps:

  • Google Authenticator for Android or iOS
  • Microsoft Authenticator for Android and iOS
  • LastPass Authenticator for Android, iOS or Windows
  • Authy for Mac, Windows or Linux
  • GNOME Authenticator for Linux

These are only suggestions. You can use any application compatible with the TOTP standard.

[Figure: An example of the FreeOTP app on Android, displaying generated One-Time Passwords for various services]

2 Token Management

bwUniCluster 2.0 Tokens are generally managed via the My Tokens menu entry on the central bwIDM system. Here you can register, activate, deactivate and delete Tokens.

KIT users can also re-use their existing hardware and software tokens for the HPC systems.

2.1 Registering a new Software or Hardware Token

1. Registering a new Token starts with a click on New smartphone token. If you happen to own a USB Hardware Token device made by the manufacturer Yubikey, you can click on New Yubikey Token instead.

[Screenshot: BwUniCluster 2.0 2fa register new empty.png]

2. A new window opens. Click on Start to generate a new QR code. This may take a while.

NOTE: The QR code contains a key which has to remain secret. Only use the QR code to link your Software Token app with bwIDM in the next step. Do not save the QR code, print it out, or share it with anyone else. You can always generate more codes later.

[Screenshot: BwUniCluster 2.0 2fa register new qr.png]

3. Start the Software Token app on your separate device and scan the QR code. The exact process differs slightly from app to app, but it is usually started by tapping a button with a plus (+) sign or a QR code icon.

4. Once the QR code has been loaded into your Software Token app, there should be a new entry called bwIDM. Generate a One-Time Password by tapping this entry or selecting the appropriate button/menu item. You will receive a six-digit code. Enter this code into the field labeled "Current code:" in your bwIDM browser window to prove that the connection has worked, then click on Check.

5. If everything worked as expected, you will be returned to the My Tokens screen and there will be a new entry for your Software Token:

[Screenshot: BwUniCluster 2.0 2fa register new success.png]

6. Repeat the process to register additional tokens. Please register at least a Backup TAN list in addition to the hardware/software token you plan to use regularly. If you only register a single token and happen to lose access to it, e.g. because you lose your device, uninstall the software token application, or its data gets deleted or corrupted, you will neither be able to log into the cluster system nor register a new token. The support channels are able to deactivate your lost token, but this process takes time.

3 Deactivating a Token

Click on the Disable button next to the Token entry on the My Tokens screen.

4 Deleting a Token

After a Token has been disabled a new button labeled Delete will appear. Click on it to delete the Token.