How To Use Two-Factor Authentication in CMS

About

To increase general security and reduce the need to age passwords, CMS has implemented a two-factor authentication (hereafter "2FA") method for interactive login. You do not need to set up 2FA for email or web logins or any other CMS service, only to use an SSH client to gain console access to interactive login servers (login.cms.caltech.edu, group login hosts for compute intensive work, etc)

Process

Most likely, your Android or iPhone already has Google Authenticator installed. CMS 2FA will work with Google Authenticator, but for the purposes of this documentation we will assume that you don't have it installed. If you are already familiar with Google Authenticator and know it is installed on your phone, you can skip the first part of the instructions. You can also use privacyIDEA Authenticator.

Prepping your Phone

Download and install Google Authenticator on your cell phone. This is both available via the Google Play store and via the App Store for the iPhone. Simply open the Play Store or the App Store, search for the app, and install it. If you have an objection to Google Authenticator you can also use privacyIDEA Authenticator, but the remainder of this documentation assumes Google Authenticator is the app you are using (instructions are similar for both).

Screenshot_20221018-095336_Google Play Store.jpg

Screenshot_20221018-092700_Google Play Store.jpg

Set Up Your Token

Log into the CMS Token management gateway, using your CMS credentials.

Torii-Login.png

The first time you log in, you'll see the "Welcome" splash, hit OK

welcome-splash.png

If you have never enrolled a token before, and this is your first time logging in here, the system will automatically enroll a token for you.

New User Enroll.png

Click "Enroll Token"

TOTPenroll.png

Scan this QR code with your phone, either with your (Google) Authenticator app, or the phone's camera, and it should proceed to add this OTP token to your phone'a authenticator system.

This will create your token and logout. Click "Logout" and you'll be logged out.

You may login again, but you have already accomplished everything needed to use your token to SSH remotely!

If, however, you do need to perform tasks on your existing token and/or create another token, login as above into the CMS Token management gateway.

To create a new token again (when this is not your first time)

Login, as above, and choose Enroll Token again

home-screen.png

This will take you to the token enrollment screen.

Since the system will not be creating a token for you automatically, as when you first enrolled, there are three things to keep in mind here:

(a) Leave TOTP chosen at the top

(b) The Token Data Description field is optional and you only need to use this if you want to be able to use multiple tokens and want comments embedded in them so you can easily identify each token. You can leave this blank. A description is not required.

(c) The PIN field in your browser may be highlighted in red because your browser wants you to put something in the box. HOWEVER A PIN IS NOT REQUIRED.

If you don't want a PIN, select the top box and just clear it. If you want a PIN, you will be prompted to unlock the token every time you use it (arguably more secure, to a degree, but not necessary). You won't be able to enroll the token until you clear the box:

Enroll New Token.png

Once you've cleared the text box under PIN (or set one, if you've decided to use it), hit "Enroll Token" to add the token to your token list

You'll now see the token screen. THIS IS YOUR SECRET TOKEN. Do not share this QR code with anyone, or they'll be able to set up 2FA on their own phone as you (I'm including a screenshot of one of my old ones, here, for documentation purposes, but that token is already discarded)

Token-display.png

Open your phone's camera app and point it at the token's QR code. You'll get a popup asking you if you want to go to a webpage, click on that and Google Authenticator (or privacyIDEA Authenticator) will launch and ask you if you want to save the key. Click on "Okay".

On your phone, you should now see a Goolge Authenticator screen with your enrolled Token. There will be a six digit code displayed in blue, with a running clock icon just to the right. The clock icon shows how much time is left in the useful life of that six-digit code (each code lasts 30 seconds).

Congratulations, you are now enrolled in 2FA in CMS. To learn how to log in interactively to a CMS interactive login server now that you have a token, click here.

-- PatrickCahalan - 2022-10-18
Topic revision: r3 - 2022-11-10, DavidLeBlanc
This site is powered by FoswikiCopyright &© by the contributing authors. All material on this site is the property of the contributing authors.
Ideas, requests, problems regarding CMS Wiki? Send feedback