
This article explains what two-factor authentication is, and the process for enabling it on the Data Archive. The SURF Data Archive currently does not have 2FA enabled automatically, but it is likely that 2FA will become mandatory for end users in the near future. For now it is optional, and it is enabled at the level of user groups.

Please contact the SURF servicedesk if you would like to have it enabled for your group, and follow the steps below, which are required to configure your authentication in the service.

About two-factor authentication

SURF compute and storage facilities are moving away from authentication with only the traditional username + password combination, in favour of stronger methods such as certificate-based identities and two-factor authentication (2FA). 2FA (more generally multi-factor authentication, MFA) is a stronger mode of authentication because, in addition to your password (something you know), you must also present something else, a 'second factor', to prove your identity: on the Data Archive, proof that you possess a particular token.

Setting up 2FA on the Data Archive

If you would like to enable 2FA on your user group, contact the SURF servicedesk to request this. The following sections explain the configuration you need to do on your side to use 2FA.

! To make the transition to 2FA as smooth as possible, we recommend that users first obtain a token and familiarise themselves with the client application that holds it. When 2FA is enforced for a set of logins while some of those users have no valid token yet, or do not know how to use it, those users are effectively locked out until they are able to use their token.

Configuring a Time-based One-Time Password (TOTP): a particular 2FA protocol

The second factor used on the Data Archive is a TOTP token, which you need to set up as described below.

TOTP is a well understood and well-documented protocol (see RFC 6238, and also Wikipedia).

It uses the current time, together with a secret shared between your token and the server, as input to generate a 6-digit code that is valid only for a short time interval (30 seconds by default); after that interval a new code is generated. At each login you demonstrate possession of the particular token associated with your login name by responding with the 6-digit code that the token generates for the current time interval.

Installing a TOTP client application

A TOTP token is a so-called software token. To possess one you need a TOTP-compliant client application that can be installed and run on the operating system platform(s) of your choice, in which you can safely store the token identity (the shared secret) that a TOTP server creates for you.

The following list gives a number of locations where TOTP client applications can be downloaded. More client applications exist; there are quite a few to choose from. In principle any TOTP client should work, but the list below only contains the clients that SURF has tested (October 2019) and verified to work. There is at least one SURF-tested client for each of the following platforms: iOS, Android, macOS, Linux and Windows.

TOTP clients for iOS

TOTP client for Android

TOTP client for macOS

TOTP client for Linux

TOTP clients for Windows

! Make sure you have at least one TOTP client installed and ready to use on your phone or computer. Once a token identity is generated and presented to you (see below), it is associated with the login name with which you entered the 2FA portal. You are expected to store it safely and use it from then on: you will no longer be able to log in to the 2FA portal with username + password only.


Creating a token at the 2FA portal

To create a usable software token you must obtain a token identity associated with your login from our 2FA portal, and store that identity safely in the TOTP-compliant app of your choice. This section explains in a few illustrated steps how to do that.


  • Step 1:

To obtain the identity for your token, go to the dedicated 2FA portal at https://2fa.surfsara.nl. Since you have no usable token yet, log in with the login name you want to activate 2FA for and its corresponding password.


  • Step 2:

Once logged in to the portal, you are presented with a dialogue, as shown in the figure below, that has only one option, namely to 'enroll' a new token. In this dialogue, click the green button to proceed.


  • Step 3:

When you see a dialogue similar to the one shown in the figure below, a token identity has been generated for you. It is presented as a QR code, and you must store the token identity in one or more of your TOTP client apps by scanning the code with each of them.

! N.B.: DO NOT PRESS THE LOGOUT BUTTON BEFORE SAFELY STORING YOUR TOKEN IDENTITY WITH AT LEAST ONE OF YOUR TOTP APPS!

Once a token has been generated for you, you are required to use it for authentication, and you will no longer be able to get into the portal with just your username + password. If a token identity has been associated with your login but you cannot use it (for example because the app or device holding it is no longer available), you will need the help of SURF to remove the association between your login and that token identity.

