Starting with Two-Factor Authentication

"Authentication" is the process where you digitally prove who you are. Usually, your identity is verified when you type in your username and password. As you should never(!) share your password with someone else, only you can provide the correct password to your digital identity.

At CERN, you have basically one password which is attached to your CERN account, and the Single Sign-On portal is the central instance for authentication. Please report to us whenever you are asked for your CERN password outside the Single Sign-On portal.

For some services, "just" knowing a password might not be sufficient, as passwords regularly get stolen or lost. "Two-Factor Authentication" is an enhanced method and requires not only that you know something (a password) but also that you possess a physical device (hardware token, phone, ...). The following services thus require "Two-Factor Authentication":

  • Critical applications that are used within the CERN Finance Department or in the CERN Computer Security Team.
  • [Under development] Access to sensitive services used for the internal infrastructure of the CERN IT Department.

In the future, more services might require Two-Factor Authentication, too: access to the technical network, admin ('root') access to IT services...

As there is no single second factor suiting all needs, the Single Sign-On portal allows you to authenticate with two different factors:

  • A smartphone running an application providing TOTP (i.e. "Time-based One-Time Password") authentication (for example andOTP, FreeOTP Authenticator, Google Authenticator, ...)
  • A Yubikey hardware token. Other "Universal 2nd Factor" (U2F) hardware tokens are also supported for SSO, but not for SSH.
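To illustrate what the TOTP factor actually proves, the following added example (not code from CERN or from any of the apps listed above) shows how the six-digit code is derived: the app and the server share a secret (the value encoded in the enrolment QR code, usually in base32), and both compute HMAC-SHA1 over the current 30-second time step, as specified in RFC 4226 and RFC 6238. The verification function shows the server side, accepting one step of clock drift either side and comparing in constant time. The secret and timestamps are the RFC test vectors, not CERN values.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then "dynamic truncation"
# picks 4 bytes at an offset given by the low nibble of the last digest byte.
def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# RFC 6238 TOTP: the counter is the number of `step`-second intervals since the Unix epoch.
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, for_time // step, digits)


# Authenticator apps receive the secret as base32 text (the "secret=" field of the
# otpauth:// URI in the QR code); this turns it back into the raw key bytes.
def secret_from_base32(text: str) -> bytes:
    padded = text.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


# Server-side check: try the current step plus `window` steps on either side so that
# a slightly drifted phone clock still works, and compare in constant time so the
# response timing does not reveal how many digits of a guess were right.
def verify_totp(secret: bytes, candidate: str, now: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = now // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226/6238 test secret "12345678901234567890".
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("TOTP at t=59:", totp(secret, 59))                    # 287082
    print("accepted at t=89 (one step later):", verify_totp(secret, "287082", 89))
    print("accepted at t=150 (too late):", verify_totp(secret, "287082", 150))
```

Note that the code is only as strong as the shared secret: anyone who copies the QR code or the exported app database can generate the same codes, which is why the page treats the phone as something you possess and why a lost or replaced device must be unregistered.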

Two-Factor Authentication also works for connecting to Linux servers via SSH! If you are a system manager interested in enabling it, just include our multifactor Puppet module or check our code on Github.

Obtaining a 2nd factor

TOTP applications can be downloaded from your favorite app store. To get a Yubikey:

  • If you are part of the CERN IT Department, just pass by the IT secretariat to get one or to get redirected to the right procedure (your supervisor might need to get it for you).
  • If you are within another department at CERN, please coordinate within your group and contact us via Computer.Security@cern.ch. We will provide them to you at cost (via a TID).

Registering your 2nd factor

  • To register your 2nd factor on the SSO, you just need to try to authenticate on the Single Sign-On portal:
    • For Yubikeys/U2F, you simply need to insert the key and press it when it starts blinking, as instructed. If it doesn't start blinking, see below for some prerequisites on Linux systems.
    • For TOTP, follow the instructions to configure your application.
  • To register your Yubikey(s) for SSH access, you need to register your key on a dedicated website.

Unfortunately, it is not yet possible to unregister TOTP applications or Yubikey/U2F devices by yourself. Please contact the CERN Service Desk at Service.Desk@cern.ch to get them unregistered.

U2F prerequisites on Linux systems

As your web browser needs to interact with the U2F token during registration or authentication, it needs to be authorized to access the device. Unfortunately, generic support for U2F hardware tokens was added only very recently to systemd/udev itself. Some distributions (e.g. Fedora, Ubuntu) have other solutions in place by default, but this is not yet the case for all distributions.

CERN CentOS 7

A new package has just been added to CERN CentOS 7 (also available in EPEL): u2f-hidraw-policy. After installing it, you just need to unplug and replug the device so that the new udev rules are applied.

Scientific Linux CERN 6

Unfortunately, at this time we are not aware of any proper support for U2F hardware tokens in Firefox on SLC6. Please consider updating your system to CERN CentOS 7, as SLC6 is to be retired by the end of 2020.

Support

For questions or help, please contact the CERN Service Desk at Service.Desk@cern.ch.