Multi-factor Authentication (2FA)
Multi-factor authentication (MFA, which includes two-factor authentication)[1] is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows, typically a password), possession (something only the user has), and inherence (something only the user is).
MFA is available only on Picotte.
Preparation
MFA requires an authenticator app (for mobile or tablet):
- Microsoft Authenticator (currently used by Drexel)
- Google Authenticator
- others, e.g. Duo, Authy, various password-saving apps
You will also require a secure method for storing backup codes, in case you lose your primary authenticator.
- Write them on paper, and keep them secure at home.
- Use a password-saving app: most have the ability to store secure (i.e. encrypted) notes.
Setup
Run your SSH terminal program of choice, and expand it to fullscreen. The size is needed to accommodate the QR code that will be displayed in the terminal.
MFA setup uses a command line program “google-authenticator”. At various points, it will ask you Y/N questions: say “y” to all (that should be the default).
Next, run the command (N.B. DO NOT copy and paste the URL that will be displayed):
[juser@picotte001 ~]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
__QR Code is displayed__
Your new secret key is: __random characters (no need to copy)__
In your authenticator app
- add a new account (tap the “+” icon)
- scan the QR code
This will create the account in the authenticator app, and immediately display a code.
At the prompt, enter the code in the terminal - DO NOT SKIP:
Enter code from app (-1 to skip): __type code here__
Answer “y” to the remaining 4 questions, and setup is done.
Testing
To test, log out, and then log back in. You will be asked for your password and verification code:
Password:🔑
Verification code:🔑
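To show what the time-based tokens chosen during setup and the “Verification code” prompt actually compute, here is an added example that is not part of this page or of the google-authenticator program: an RFC 6238 TOTP implementation with the one-step-either-side acceptance window and the single-use check that mirror google-authenticator’s defaults. The base32 secret used is the RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # TOTP time step used by google-authenticator
DIGITS = 6         # length of the code shown in the authenticator app

# Constructed test secret: base32 of the RFC 6238 SHA-1 key "12345678901234567890".
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(base32_secret: str) -> bytes:
    """Decode the base32 key shown during setup (re-adding any stripped '=' padding)."""
    s = base32_secret.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_secret: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30). This is what the app displays."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(base32_secret), t // STEP_SECONDS)


def verify(base32_secret: str, submitted: str, at: Optional[int] = None,
           window: int = 1, last_used_step: int = -1) -> Optional[int]:
    """Server-side check of a submitted code.

    Accepts the code for the current time step or up to `window` steps either side
    (clock skew between phone and server). Returns the matched step, or None.
    Passing back the previously accepted step as `last_used_step` makes every code
    single-use, like google-authenticator's "disallow reuse" option.
    """
    secret = decode_secret(base32_secret)
    t = int(time.time()) if at is None else at
    step = t // STEP_SECONDS
    for candidate in range(step - window, step + window + 1):
        if candidate <= last_used_step:
            continue  # already consumed (or older): refuse replay
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None
```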
No Automated Logins with SSH Key Pairs
Using MFA means that automated logins with SSH key pairs will not be possible.