Because SURF Research Access Management provides access to research data that may be confidential, all users must sign in using two factors. Preferably, users already log in with a second factor at their institution's IdP; institutional IdPs often offer SSO and vetting of the token. If the IdP does not offer a second factor, or if SURF Research Access Management cannot tell that a second factor has been used, SURF Research Access Management provides a second factor of its own as a fallback.
Behaviour per federation and IdP type
Unfortunately, it is not always possible to ascertain whether a user has authenticated with a second factor at the IdP. Depending on the federation and IdP type, enabling the second factor at the IdP is therefore not always recommended.
SURFconext
SURFsecureID
SURFsecureID's second factor is supported. Users without a token will be unable to log in.
Other IdPs
For other IdPs, e.g., Microsoft Azure MFA, the second factor can be enabled or disabled for the entire IdP only. If enabled, users without a token cannot authenticate. In practice, only enable the second factor if all users, or all researchers, have a token.
eduGAIN
For IdPs connected via eduGAIN, the second factor is not detected by SURF Research Access Management. The fallback is required for all users, regardless of an IdP's second factor.
eduID.nl
The second factor of eduID.nl is used. This means that setting up the second factor in the eduID.nl app is mandatory.
Fallback to unvetted TOTP
When SURF Research Access Management requires a second factor but cannot tell whether one has already been used, it presents the user with an unvetted TOTP challenge. TOTP, or Time-Based One-Time Password, is a two-factor authentication algorithm that generates a short-lived code from the current time and a shared secret key, so the server and the user's authenticator app can compute the same code independently.
Registration
On their first login a user needs to register and verify a TOTP token (e.g., by using Google Authenticator, Microsoft Authenticator or FreeOTP Authenticator). Note that for the initial registration of the TOTP token only a federated authentication is needed, which sometimes requires no more than a username and password. In other words: there is no vetting process, so the identity bound to the token is only as strong as that first federated login.
The TOTP token registration page
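The following added example (not code from SURF Research Access Management) shows what happens under the hood during registration and on each later login: the server generates a shared secret, hands it to the authenticator app as an otpauth:// provisioning URI (the content of the QR code), and later verifies the submitted code by recomputing RFC 6238 TOTP over the current 30-second time step, accepting one step of clock skew on either side. The digit count, period, issuer label and skew window are assumptions for illustration; SURF Research Access Management's actual parameters are not stated on this page. The verification uses a constant-time comparison so a code cannot be guessed digit by digit through timing.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """Build the otpauth:// URI that the registration page would encode in its QR code.
    The issuer name and parameter choices here are assumptions for the example."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, timestamp: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(key, timestamp // period, digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: Optional[int] = None,
                digits: int = 6, period: int = 30, window: int = 1) -> bool:
    """Accept `submitted` if it matches the code of the current time step or of any
    step within +/- `window` steps, to tolerate clock skew between phone and server.
    Comparison is constant-time; the loop always runs to completion on failure."""
    if timestamp is None:
        timestamp = int(time.time())
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    step = timestamp // period
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits), submitted):
            matched = True
    return matched


if __name__ == "__main__":
    # Registration: a constructed account name and issuer, not real SURF data.
    secret = generate_secret()
    print(provisioning_uri(secret, "researcher@example.org", "Example RAM"))
    # Login: the app and the server compute the same code for the current time.
    now = int(time.time())
    code = totp(base64.b32decode(secret), now)
    print(code, verify_totp(secret, code, now))
```

The `hotp` and `totp` functions reproduce the RFC 4226 and RFC 6238 reference vectors for the 20-byte ASCII key `12345678901234567890` (for example, time 59 with 8 digits yields `94287082`), which is a good self-check before trusting any home-grown verifier. A code from the previous step is still accepted because of the one-step window; anything older is refused, which is the property that makes a stolen code short-lived.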
Login
On every subsequent login the user needs to enter the current TOTP code. There is a 10 minute grace period, which SURF may tweak.
The TOTP challenge page
Recovery
If the user has lost access to their TOTP token, the token can be reset. This requires permission from either a fellow organisation admin or manager (if applicable), a collaboration admin of one of the collaborations the user is a member of, or SURF Research Access Management support.
The TOTP token recovery page
After permission has been granted by any of these administrators, an email with the reset token is sent to the user.
The reset TOTP token page