Starting with Two-Factor Authentication

"Authentication" is the process where you digitally prove who you are. Usually, your identity is verified when you type in your password. As you should never(!) share your password with someone else, only you can provide the correct password to your digital identity. Your identity has been correctly authenticated. At CERN, you have basically one password which is attached to your CERN account and the CERN Single Sign-On portal is the central instance for authentication (Some special applications might require additional accounts and passwords but we try to reduce them to a minimum as remembering many different passwords is hard).

For critical applications, "just" knowing a password might not be sufficient as passwords get regularly stolen or lost. "Two-Factor Authentication" is an enhanced method and requires not only you knowing a password but also you possessing a hardware token. Such critical applications are currently used within the CERN Finance Department or in the CERN Computer Security Team. In the future, certain purchasing orders on EDH, access to computer centre administration consoles, or make manipulations to critical accelerator settings might require Two-Factor Authentication, too.

As there is no single second factor suiting all needs, the Single Sign-On portal allows you to authenticate with any of those four hardware factors: your CERN mobile phone, your personal SmartPhone running the "Google Authenticator"-app, a Yubikey USB token, or your CERN Access Card (with a special integrated SmartChip).

A CERN mobile phone can be obtained from the Telecom Lab; "Google Authenticator" is downloadable from your favorite app store (e.g. iTunes); Yubikeys are available from the CERN stores (under reference " - SECURITY YUBIKEY USB STICK"); a compatible CERN Access Card with a visible "golden" SmartChip might be available from the Registration Service in the future (currently, please contact the Computer Security Team).

You only would need to match your preferred hardware token with your CERN account at one of the SSO self-service stations, e.g. at the Registration Service in building 55 (ground floor), at the Service Desk office in building 55 (2nd floor) or in the IT secretariat in building 31 2-017 (you would need your CERN access card at the latter). Once configured, all your hardware tokens are listed in the "Account Management" section of the Resource Portal. From there, you also have the possibility to delete them, e.g. if your token has been lost, got stolen, or, simply, if you do not need it any more.

Two-Factor Authentication also works for Linux systems! If you are a system manager interested to enable it, just include our multifactor Puppet module or check our code on Github.

For questions or help, please contact the CERN Service Desk at