Because SURF Research Access Management provides access to research data that may be confidential, all users must sign in using two factors. Preferably, users already log in with a second factor at their institution's IdP; these often offer SSO with a vetted token. If the IdP does not offer a second factor, or if SURF Research Access Management cannot tell that a second factor has been used, SURF Research Access Management provides a second factor of its own as a fallback.
Behaviour per federation and IdP type
Unfortunately, it is not always possible to ascertain whether a user has authenticated with a second factor at the IdP. Enabling the second factor at the IdP is therefore not always the recommended approach; which behaviour applies depends on the federation and IdP type, as described below.
SURFconext
SURFsecureID
SURFsecureID's second factor is supported. Users without a token will be unable to log in.
Other IdPs
For other IdPs, e.g., Microsoft Azure MFA, the second factor can be enabled or disabled for the entire IdP only. If enabled, users without a token cannot authenticate. In practice, only enable the second factor if all users, or all researchers, have a token.
eduGAIN
For IdPs connected via eduGAIN, the second factor is not detected by SURF Research Access Management. The fallback is required for all users, regardless of your institute's configured second factor.
eduID.nl
The second factor of eduID.nl is used. This means setting up the second factor in the eduID.nl app is mandatory.
Fallback to unvetted TOTP
In case SURF Research Access Management requires two-factor authentication (2FA) but does not know whether you have already used a second factor during login, you will be prompted to enter a TOTP code.
What is TOTP?
TOTP stands for Time-Based One-Time Password. It's a type of 2FA that uses an app (Google Authenticator, Microsoft Authenticator, or FreeOTP) to generate a temporary code based on the current time and a shared secret key.
This prompt is part of an unvetted challenge, which means you’ll be asked for your TOTP code even if you've already used another second factor earlier in the login process.
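To make the mechanism concrete, here is an added example (not SRAM's code, nor that of any authenticator app) implementing RFC 6238 TOTP in Python. The shared secret is the base32 string that the registration QR code encodes; the counter is the current Unix time divided into 30-second steps; the verifier accepts one step of clock skew on either side and compares in constant time. The function names (hotp, totp, verify_totp, decode_base32_secret, current_code) are illustrative, and the secret and timestamps are the published RFC 6238 test vectors, not values from SRAM.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in fixed-length steps."""
    return hotp(secret, at_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps on either side
    (phone/server clock skew). compare_digest keeps the comparison constant-time."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret shown on a registration page / in an otpauth:// URI.
    Tolerates lowercase, spaces and missing '=' padding, as apps and humans produce them."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def current_code(base32_secret: str) -> str:
    """The 6-digit code an authenticator app would display right now for this secret."""
    return totp(decode_base32_secret(base32_secret), int(time.time()))


# RFC 6238 Appendix B test vector (SHA-1): the secret is the ASCII string "12345678901234567890".
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = decode_base32_secret(RFC_SECRET_B32)
    print(totp(secret, 59, digits=8))                                  # 94287082 per RFC 6238
    print(verify_totp(secret, "94287082", 59 + 30, digits=8))          # True: one step of skew is allowed
    print(verify_totp(secret, "94287082", 59 + 60, digits=8))          # False: two steps is too far
    print(current_code(RFC_SECRET_B32))                                # whatever the app would show now
```

Two things worth noting from the code: the server never learns anything from the code beyond "this person holds the secret", so the token is only as trustworthy as the enrolment that handed the secret out, and the skew window should stay small (one step is conventional), since every extra step multiplies an attacker's chance of guessing a six-digit code.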
Registration
When logging in to SRAM for the first time, you'll need to set up and verify a TOTP token. You will do this using an app like Google Authenticator, Microsoft Authenticator or FreeOTP.
Setting up your TOTP token only requires logging in through your institution (federated login). In many cases, this means just entering your username and password. There is no additional vetting or approval process during this initial setup, which is why the token is considered unvetted: nothing beyond the institutional login has confirmed that the person enrolling the token is the account holder.
The TOTP token registration page
Login
On every subsequent login you need to provide a TOTP code. There is a 10-minute grace period, which SURF may adjust.
The TOTP challenge page
Recover or reset your token
If you've lost access to your TOTP token, for example if you've switched to a new phone, you can reset it. To do this, you’ll need approval from one of the following:
An organisation admin or manager (if applicable)
A collaboration admin from any collaboration you're a member of
The SURF Research Access Management support team
How to request a reset:
Go to SRAM and log in using your institutional account.
When the verification screen appears, click "Reset your verification code."
The TOTP token recovery page
After permission has been granted by one of the administrators listed above, an email with the reset token will be sent to you.
The reset TOTP token page