jsc-logo.jpg


2-Factor Authentication (2FA)

Introduction

2-Factor Authentication (2FA), sometimes referred to as two-factor verification, is a security method in which you provide two different authentication factors to identify yourself at login. This process is performed to better protect both your credentials and the resources that you can access.

In the first login step, you start with the usual entry of a good password. The service then confirms the correctness of the password entered. This does not, however, lead directly to the desired entrance - but to a further barrier.

The second login step prevents unauthorized third parties from gaining access to your account just because they might have stolen your password. A quite common 2nd-factor is a One-Time Password (OTP) generated by a so-called OTP-App you install and initialize once on one of your personal devices. This OTP-app then provides (in our case every 30 seconds) a new one-time password that needs to be entered on the login page.

Basic Principle

These two factors for authentication combine the building blocks knowledge and possession in the login procedure.

  • knowledge - the secret knowledge is the password you enter.
  • possession - With the one-time password you show that you are in possession of a certain device (e.g. your smartphone), because only the OTP-App, installed on that device, can generate it.

Source: Bundesamt für Sicherheit in der Informationstechnik

Algorithm

The OTP-App can calculate personal one-time passwords completely autonomously from the outside world using a standardized and open algorithm for the generation of Time-based One-Time Passwords (TOTP).

The TOTP algorithm was published in 2011 by the Internet Engineering Task Force (IETF) as RFC 6238. The TOTP algorithm is a hash function in which a secret code is hashed together with the current time. Behind the hash function is the HMAC-based One-time Password Algorithm according to RFC 4226 - in simple terms nothing more than a standard that forms a hash in a certain way.

The calculation includes both a "secret initialization code", that is known to both the server and the client, and the current time. The final one-time password is generated from these two inputs and is valid for a certain period of time. (in our case for 30 seconds). The procedure can be implemented in such a way that slight differences in time between client and server are accepted.

Hence, any one-time password is time-based, calculated locally, and always unique.


How to get started with 2FA

Preparation

To get ready to use 2-Factor Authentication (2FA) for Jupyter-JSC you have to prepare it ONCE:

  • (1) request 2FA for Jupyter-JSC,
  • (2) activate 2FA for Juypter-JSC,
    • (a) install an OTP-App, which supports the TOTP algorithm
    • (b) communicate the secret initialization code to this OTP-App
    • (c) test a first one-time password generated.

... and then 2FA is ready to be used next time you log in.

1. Request 2FA

Please login to Jupyter-JSC as usual through https://jupyter-jsc.fz-juelich.de
and visit the webpage https://jupyter-jsc.fz-juelich.de/2fa for requesting 2FA.

Please read the notes on this webpage carefully and click the button Request 2FA to start.
A confirmation email including an activation link will be send to you directly.

2. Activate 2FA

Please follow this activation link to instruct Jupyter-JSC for preparation of your 2FA.
You will be asked to re-login to your account to recieve a secret initialization code as QR-Code (and string)
for a required OTP-App.

So first, you need to install an OTP-App on one of your personal devices (if you haven´t done so already),
which you plan to use in the future to generate the required one-time passwords for each time you log in:

a. OTP-App Installation

There are a large number of different OTP-Apps available that implemented the TOTP algorithm.
You have to install one of them - for example, take one of the following:

Recommended, free & open-source:

Free, but closed source:

The TOTP algorithm can also be implemented in hardware as a so-called "hardware token" (e.g. Protectimus Tokens, Microcosm Tokens)

b. OTP-App Initialization & Validation

Before you can use 2FA for Jupyter-JSC a random, user-specific, unique and secret initialization code must be known by both Jupyter-JSC and the your OTP-App. This secret initialization code gets generated by Jupyter-JSC and is shown as a QR-Code (or string) on the activation page.

The QR-Code provides the secret initialization code with the descriptive data (1) algorithm = TOTP, (2) period of validity = 30s. If you prefer to use the string instead of the QR-Code, please ensure you set these descriptive dates manually in your OTP-App.

Next, the OTP-App provides now a verification code you have to enter on the activation webpage. Jupyter-JSC compares the verification code you provide with the one generated by Jupyter-JSC.

If they match, 2FA is now activated.


2FA-Login at Jupyter-JSC

Congratulation! You are now ready to use 2-Factor Authentication with Jupyter-JSC.

Login is now as simple as this

  1. Enter your JSC-account password
    Each time you log in, you enter your JSC-account password as usual.
  2. Enter the current one-time password
    You will then be asked for a one-time password that you can read from your installed & initialized OTP-App (e.g. on your smartphone).

Remember me
Jupyter-JSC can set a cookie to remember, that you have logged in from this device already.
Just check the "Remember me" checkbox where you enter one-time password .
Jupyter-JSC skips the request of a one-time password in this browser on that device then for one week.