About two-factor authentication

On SURF compute and storage facilities we will move away from the traditional username + password combination for authentication, in favour of stronger procedures such as certificate-based identities and two-factor authentication (2FA). 2FA (or MFA) is in itself a stronger mode of authentication, since, in addition to your password, you need to have something else - a ‘second factor’ - to prove your identity. The second factor, possession of which you need to demonstrate in a 2FA protocol, is commonly called a ‘token’. Not all 2FA protocols are equally strong, though. The strength of a particular 2FA protocol depends in large part on the ease with which the token can be obtained, copied or reproduced, as this has a direct impact on the comparative ease with which a token can be stolen.

MFA works only with SSH public key authentication

In order to work with SSH public key authentication, you need to create an SSH keypair and upload the public key to the servers. The way of doing that is explained here: SSH public-key authentication



Requesting two-factor authentication on Snellius

Snellius supports a 2FA procedure for end-users. For now, the usage of 2FA for end-users is still optional. To be more precise: as the principal investigator of a project is considered the owner of the project and its data, only principal investigators can request 2FA. To do so, they must contact the SURF helpdesk.

If a principal investigator requests 2FA for his or her project, 2FA becomes mandatory for ALL logins that are associated with the project and have access to the project’s data.

In particular, individual users cannot send in tickets to be exempted from, or to undo, 2FA for their login. Neither will a request from principal investigators be honoured that requests 2FA for some but not for other logins associated with a project.

It is likely that 2FA on SURF facilities will become mandatory for end-users in the near future.

Enforcing logins to use 2FA to access Snellius is a configuration operation that is separate and logically distinct from the operation of associating a login with a particular 2FA token. The latter is basically a self-service operation that is explained and documented below. To make the transition to 2FA as smooth as possible, it is best that users first obtain a token and familiarize themselves with the client application to use the token. When 2FA is enforced on a set of logins while some of the users have no valid token yet, or do not understand how to use it, those users are effectively locked out until they are able to use their token.

Time-based One-Time Passwords: a particular 2FA protocol

The first 2FA procedure currently supported on Snellius is based on software tokens that use the Time-based One-Time Password algorithm (TOTP) to generate a 6-digit code. TOTP is a well-understood and well-documented protocol (see: RFC6238, and also Wikipedia). It uses the current time as an input to generate a value that is unique and that is valid only for a very limited span of time after being generated (about 30 seconds). At each login, you demonstrate proof of possession of the particular token that has been associated with your login name by responding with the 6-digit code that the token has generated for the current time interval.
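To make the mechanism concrete, below is an added, self-contained Python implementation of RFC 6238 TOTP (built on RFC 4226 HOTP) with the 6-digit, 30-second parameters described above. It is example code written for this page, not SURF's or Snellius's own software. The shared secret used is the SHA-1 test secret from RFC 6238 Appendix B, and the server-side check also shows the usual tolerance of one adjacent time step for clock drift; that window size is an assumption, not a Snellius setting.

```python
import base64
import hashlib
import hmac
import struct
import time

# TOTP parameters described on this page: 6-digit code, 30-second time step.
TIME_STEP = 30
DIGITS = 6

# SHA-1 test secret from RFC 6238 Appendix B (not a real token secret).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, unix_time: int, time_step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // time_step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check (assumed policy): accept the code of the current step or of
    up to `window` adjacent steps, so small client/server clock drift does not lock
    the user out. Comparison is constant-time to avoid leaking digits by timing."""
    current = unix_time // TIME_STEP
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Token secrets are commonly provisioned base32-encoded (e.g. inside the
    otpauth URI behind an enrollment QR code); normalise and decode that form."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # restore padding many apps omit
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = int(time.time())
    remaining = TIME_STEP - now % TIME_STEP
    print(f"code {totp(RFC_TEST_SECRET, now)} valid for about {remaining} more seconds")
```

Running the script prints the code a client holding the test secret would show right now, together with how long it remains valid; the same `totp` function computes both the client's display and the server's expected value, which is exactly why the secret must never leave the token application.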

Client applications

A TOTP token is a so-called software token. To possess a TOTP software token you need a TOTP-compliant client application that can be installed and run on the operating system platform(s) of your preference, in which you can safely store a token identity that was created for you by a TOTP server.

The following list provides a number of locations where TOTP client applications can be downloaded. More client applications exist; there are quite a few to choose from. In principle, any TOTP client should work well, but the list below only contains the clients that have been tested by SURF (October 2019) and verified to work well. There is at least one SURF-tested client for each of the following platforms: iOS, Android, macOS, Linux, and Windows.

TOTP clients for iOS

TOTP client for Android

TOTP client for macOS

TOTP client for Linux

TOTP clients for Windows


Token creation and 2FA enrollment

The 2FA enrollment is currently done in the end-user portal during the login setup. For more information, check our documentation about the SURFcua enrollment here.


Make sure you have at least one TOTP client installed and ready to be used on your phone or computer. Once a token identity is generated and presented to you (see below), it is associated with the login name with which you entered the portal. You are expected to store it safely and subsequently use it. You will no longer be able to log in to the portal on the basis of username + password only.
