
Multi-Factor Authentication

Multi-Factor Authentication (MFA), also called Two-Factor Authentication (2FA), “is a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Your credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Your credentials must come from two different categories to enhance security – so entering two different passwords would not be considered multi-factor.”[1]

Drexel's use of the Microsoft Authenticator is an MFA system.

MFA is currently only available on Picotte, and it is optional.

Prerequisites

You will need an authenticator app on your phone. Any of these should work:

Some password-saving apps also have MFA code generation features:

Setup

This setup process will generate a QR code right in your terminal. You should make sure your terminal is full-screen to ensure that the QR code will fit.

google-authenticator -t -d -r 3 -R 30 -e 10

This will then display a QR code, which you should scan with your authenticator app.

You should then type the 6-digit code that the app generates into the terminal. DO NOT type in "-1" to skip. If the code was correct, it will display 10 "scratch codes", or backup codes.

Your emergency scratch codes are:
  AAAAAA
  BBBBBB
  CCCCCC
  DDDDDD
  EEEEEE
  FFFFFF
  GGGGGG
  HHHHHH
  IIIIII
  JJJJJJ

You should write all these codes down on paper, and store them in a safe place. If you ever lose your phone, you can use one of these codes to log in. Alternatively, use a password-saving app (which has online storage) to create an encrypted note containing these scratch codes.

Next, it will ask two questions: one about whether to update your /home/yourname/.google_authenticator file, and one about time skew between your phone and the server. Answer "y" to both questions.


Setting Up Multi-Factor Authentication


Multi-factor authentication (MFA, which includes two-factor authentication)[1] is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows, typically a password), possession (something only the user has), and inherence (something only the user is).

MFA is available only on Picotte.

Preparation

MFA requires an authenticator app (for mobile or tablet):

You will also require a secure method for storing backup codes, in case you lose your primary authenticator.

  • Write them on paper, and keep them secure at home.
  • Use a password-saving app: most have the ability to store secure (i.e. encrypted) notes.

Setup

Run your SSH terminal program of choice, and expand it to fullscreen. The size is needed to accommodate the QR code that will be displayed in the terminal.

MFA setup uses a command line program “google-authenticator”. At various points, it will ask you Y/N questions: say "y" to all (that should be the default).

Next, run the command (N.B. DO NOT copy and paste the URL that will be displayed):

[juser@picotte001 ~]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y
__QR Code is displayed__
Your new secret key is: __random characters (no need to copy)__

In your authenticator app

  • add a new account (tap the “+” icon)
  • scan the QR code

This will create the account in the authenticator app, and immediately display a code.

At the prompt, enter the code in the terminal - DO NOT SKIP:

Enter code from app (-1 to skip): __type code here__

Answer “y” to the remaining 4 questions. And it is done.

Testing

To test, log out, and then log back in. You will be asked for your password and verification code:

Password:🔑
Verification code:🔑

No Automated Logins with SSH Key Pairs

Using MFA means that automated logins with SSH key pairs will not be possible.

References

[1] Multi-factor authentication

References

[1] NIST IT Lab. Cybersecurity Div. - Back to basics: Multi-factor authentication (MFA)