Two-factor authentication (2FA)
General information about 2FA
Do I need to enable 2FA?
You only need to enable 2FA if you are using one of the following systems:
The SSH gateway machines (gate1, gate2)
The HPC systems via SSH or VNC
The remote visualization service
You do not need to enable 2FA if you don’t recognize or use the systems mentioned above. However, additional systems may follow in the future.
Do I already have 2FA activated?
If you have 2FA activated, the SelfService https://selfservice.mpcdf.mpg.de will ask you for an OTP upon login.
If you are already logged in, you can tell by clicking on “My Account > Security > Configure 2FA” in the menu bar at the top of the page. If you see a list with at least one token then you have 2FA enabled.
Why is 2FA enforced?
Cyber crime is on the rise. Among other incidents, there was a large-scale attack on European research institutes and computing centers in early 2020 that exploited leaked credentials.
Even if you don’t have sensitive information associated with your account (e.g. in our DataShare service), your account can still be used to cause disruption of our services and pose a threat to other users if taken over by an attacker.
2FA protects against such attacks by identifying the user more reliably: you need to provide something you know (your password) combined with something you have (your token). Even if an attacker knows your password, they still can’t access the protected systems because they don’t have your token.
What is a token, OTP, and seed?
OTP stands for “One-Time Password”. As the name suggests, this is a password that can only be used once. Your primary token will be a “Time-based One-Time Password” (TOTP) token, which means that the OTP automatically changes every 30 seconds.
The token seed (or OTP seed) is a secret key that only the OTP server and the token know. Based on the seed all future OTPs can be calculated. That’s why it is important to treat the seed as carefully as a password.
A token is an entity that generates OTPs by running an algorithm on the seed. This may be a piece of software, an entry in an OTP app or a dedicated hardware device.
What kinds of tokens are there?
We internally distinguish between two categories of tokens:
Primary tokens - You can only have one of these at a time. You can choose between:
An app token for your smartphone (see “How do I enroll and use an app token”)
A hardware token you already own (see “How do I register my existing token”)
Secondary tokens - You can have a combination of the following tokens enrolled but only one per type (see “How do I enroll and use a secondary/backup token?”):
TAN list
E-mail
SMS
Since E-mail and SMS tokens don’t provide the most secure method of receiving OTPs, these tokens are only meant to be used as a backup method if you don’t have access to your primary token.
Why am I asked for an OTP?
The SelfService will ask you for an OTP if you have a 2FA token assigned to your account. If you don’t have a hardware token you should find your app token in an OTP app on your phone. See our FAQs for a non-exhaustive list of possible OTP apps.
Look for an entry in the app whose title contains your account name and a serial number starting with “TOTP…”. Note that, depending on the app you use, you may have to tap the entry to reveal the current OTP.
If you have uninstalled the app or got a new phone since enrolling the token then your token is lost and you won’t be able to log in. Use our token recovery to regain access to your account in this case.
Our SSH servers will ask you for an OTP regardless of whether your account has a token assigned or not since 2FA is mandatory for those machines. You’ll need to enroll a token via the SelfService.
Activation of 2FA
How do I enable 2FA?
Visit https://selfservice.mpcdf.mpg.de and log in
In the menu bar at the top of the page, click “My account > Security”
Select “Configure 2FA” and provide your password
Choose a primary token type
Validate the token by providing a valid OTP
Choose a secondary token type
Important: if you don’t validate your primary token you will not be able to use it for authentication.
How do I enroll and use an app token?
This method works with any device on which you can install an OTP app (see “What app do I need to install?”). Hence, you can also use your tablet instead of your smartphone. We recommend using a smartphone because of the form factor.
Important: The algorithm for OTP generation depends on the current time. Make sure the clock on your device has the correct time set. If you prefer to keep your clock set to a different time, see “How to use 2FA on a phone with a time shift”.
Log in to https://selfservice.mpcdf.mpg.de
In the menu bar at the top of the page, click on “My account > Security”
Select “Configure 2FA” and provide your password
If you already have a token: click on “Replace existing or enroll additional token”
Click on “App token” (you will only see this option if you don’t have a hardware token yet)
Scan the QR code with the OTP app you installed on your phone. Depending on the app you usually need to tap on a round button with a “+”.
In case your app asks: it is important to set the following parameters:
type: TOTP
hashlib: SHA-1
timestep: 30 seconds
digits: 6
Depending on the app you may have to provide these details and click “Add” or “Ok”
Your new token should now be visible as an entry in the app. Its name consists of your username and its serial, which starts with “TOTP”.
The token generates a new 6-digit numeric OTP every 30 seconds. Depending on the app you may have to tap on the token entry to reveal the OTP.
Activate the token by clicking on the large blue button above the QR code and providing the OTP that the token is currently presenting to you. You will not be able to use the token without this step.
What app do I need to install?
You can choose from a plethora of different OTP apps. We recommend using an app that’s open-source to ensure the app doesn’t do anything shady. Unfortunately, there are not many open-source options for iOS users.
If the open-source solutions mentioned below are not to your taste or you already have one of these closed-source apps installed you can also use Google Authenticator, Microsoft Authenticator, Authy, etc.
| App | OS | Source | Features |
|---|---|---|---|
| Aegis Authenticator | Android | GitHub | Backup, encryption, authentication with fingerprint |
| andOTP | Android | GitHub | Backup, encryption |
| FreeOTP+ | Android | GitHub | Backup, encryption |
| PrivacyIDEA Authenticator | Android, iOS | GitHub | Push tokens (not yet supported by us) |
If you can’t or don’t want to use the Google Play Store to install apps, you can use the F-Droid repository to install most of the aforementioned apps. F-Droid is a platform for Android that provides open-source apps exclusively.
How do I register my existing token?
If you already own a hardware TOTP token you can register it so that it works with our services. We only support TOTP tokens (OTP changes every 30 or 60 seconds). HOTP is not supported.
Log in to https://selfservice.mpcdf.mpg.de
In the menu bar at the top of the page, click on “My account > Security”
Select “Configure 2FA” and provide your password
If you already have a token: click on “Replace existing or enroll additional token”
Click on “Register token”
Provide the details for your token. All the information must match your token properties exactly except the serial which only serves for easier identification of the token in your token list.
If you don’t know your seed please refer to your token supplier
After form submission you’ll need to confirm the token by entering a valid OTP
How do I enroll and use a secondary/backup token?
Log in to https://selfservice.mpcdf.mpg.de
In the menu bar at the top of the page, click on “My account > Security”
Select “Configure 2FA” and provide your password
If you don’t see a list with existing tokens you need to enroll a primary token first (app or hardware)
Click on “Replace existing or enroll additional token” below the token list
Choose your preferred token type from the secondary methods (TAN list, SMS, or email)
The following is only relevant for SMS and email tokens:
If we don’t have an external email address or mobile phone number from you yet, you will be asked to provide it.
You should be redirected to the token list where you should see your new backup token
Whenever you don’t have your primary token available you can now request an OTP to be sent via your backup method:
On the SelfService: Click the corresponding button below the OTP prompt
On an SSH machine: Leave the OTP field empty and press “Enter” to trigger an OTP to be sent to you
The following is only relevant for TAN lists:
Store the list in a secure place like a lockable cabinet or an encrypted file
Do not store the OTPs in your password manager since this would create a single point of failure
You can use each OTP once in an arbitrary order
Why can’t I have both an app token and a hardware token?
This is both a technical limitation and a policy decision. Since both app and hardware tokens are of the same type (“totp”) and only one token per type is possible you will need to choose between one of those options.
2FA Tips and Tricks
Do I have to type in an OTP every time I access the secured systems?
For the systems you access via SSH you can configure a ControlMaster setup, which allows you to type in your password and OTP only once a day. After that, an SSH connection is kept open for the day and can be reused without retyping your credentials.
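As an added example (not MPCDF’s own ControlMaster documentation), a ~/.ssh/config stanza that keeps one authenticated connection to the gateway open and reuses it for later sessions and for the hop to an HPC login node; the host names are the ones used as examples on this page, while USER and the ControlPersist duration are placeholders.

```ssh_config
# Gateway: the first "ssh gate1" asks for password and OTP and becomes the master;
# later sessions attach to its socket and need no credentials.
Host gate1 gate1.mpcdf.mpg.de
    HostName gate1.mpcdf.mpg.de
    User USER
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    # Keep the master alive this long after the last session closes (assumed value);
    # it ends in any case when the gateway is rebooted.
    ControlPersist 8h
    # Optional: the local port forward from "How can I use my sshfs/rsync/scp/sftp GUI with 2FA?"
    LocalForward 2002 raven.mpcdf.mpg.de:22

# HPC login node reached through the gateway; the hop reuses the master connection above.
Host raven raven.mpcdf.mpg.de
    HostName raven.mpcdf.mpg.de
    User USER
    ProxyJump gate1
```

Run `ssh gate1` once (password and OTP); afterwards `ssh raven`, `scp` and `sftp` through the gate reuse the open connection until ControlPersist expires or the gateway reboots. `ssh -O check gate1` tells you whether the master is still alive.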
Windows
Windows Subsystem for Linux
Unfortunately, the native Windows OpenSSH client doesn’t support ControlMaster connection sharing. You’ll need to use one of the graphical clients to avoid having to retype your password and OTP.
PuTTY
We assume here that you already know how to work with PuTTY. If not, please refer to its user manual. Alternatively, you can check our step-by-step guide.
To directly connect to a destination server via a gateway machine follow these steps:
Create and save a connection to the gateway machine (e.g. gate1.mpcdf.mpg.de) as you would any other. Choose the name of the target server (e.g. raven.mpcdf.mpg.de) as the connection’s name.
Select this connection from the list and click “Load”
In the left-hand tree menu choose “Connection > SSH > Tunnels”
Enter 22 as the source port
Enter the name and port of the destination host (e.g. raven.mpcdf.mpg.de:22) as the destination
Click “Add”
In the tree menu go back to “Session”, choose the gateway connection, and click “Save”
Click “Open”
To avoid having to retype your password and OTP do the following:
In the tree menu on the left of the window go to “Connection > SSH”
Check the box “Share SSH connections if possible” under “Sharing an SSH connection between PuTTY tools”
As long as you keep the initial SSH window open you’ll be able to reuse that connection in other windows
MobaXterm
We assume here that you already know how to work with MobaXterm. If not, please refer to its documentation.
Go to “Settings > SSH” and activate the checkbox “Use 2-factor authentication for SSH gateways”.
You’ll need to configure a session the first time you want to connect to a given destination host and can use it in the future without doing the following steps over again:
Create a new session by clicking on “Session > SSH”
Enter the name of the remote host you want to access (e.g. raven.mpcdf.mpg.de) and optionally your username
Go to the “Network settings” tab below and click “SSH gateway (jump host)”
Under “Gateway host” enter the gate machine you’d like to use (e.g. gate1.mpcdf.mpg.de) and your username
Click “Ok” twice and enter your password
You should be directly connected to your target server via the gate machine
MobaXterm reuses existing SSH connections by default so no additional setup is required to avoid typing OTPs multiple times.
Weekly reboots
Our SSH gateway machines are rebooted weekly to avoid long-standing SSH tunnels for security reasons.
2FA Troubleshooting
I need to factory-reset my phone. How can I preserve my app token?
After the factory reset you can still log in to the SelfService with one of your secondary tokens. If you don’t have one yet, please see the corresponding FAQ.
You can then safely reset your phone and afterwards follow these steps:
Log in to https://selfservice.mpcdf.mpg.de using one of your secondary tokens
Navigate to “My Account > Security > Configure 2FA > Replace existing or enroll additional token”
Create a new app token by clicking “App token”
Scan the QR code with an OTP app on your new phone
Enter a valid OTP in the next step
This will delete your old token from our server and register the one on your new phone.
Alternatively, some apps (e.g. Aegis Authenticator) offer a backup and restore option. Just create a backup before the reset, store it on the SD card in your phone (NOT the internal storage!), and restore it after the reset using the same app you used to create the backup.
How do I transfer my token to a new phone?
You will need the token on your old phone for this. If you don’t have it anymore, please use one of your secondary tokens for login or contact our helpdesk if you don’t have any.
Log in to https://selfservice.mpcdf.mpg.de using the token on your old phone or one of your secondary tokens
Navigate to “My Account > Security > Configure 2FA > Replace existing or enroll additional token”
Create a new app token by clicking “App token”
Scan the QR code with an OTP app on your new phone
Enter a valid OTP in the next step
This will delete your old token from our server and register the one on your new phone. You can then safely delete the old token from the old phone.
Alternatively, some apps (e.g. Aegis Authenticator) offer a backup and restore option. Just create a backup, copy it to your new phone, and restore it using the same app you used to create the backup.
I can’t validate/activate the token I just scanned (“Wrong OTP”)
Please make sure you’re entering the 6-digit numeric code that changes every 30 seconds and is shown by your token (you may have to tap your app token once to reveal the OTP)
Make sure you’re entering and submitting the OTP while it is visible. It expires as soon as it is not visible anymore.
App token only: the algorithm for OTP generation depends on the current time. Make sure the clock on your device has the correct time set.
App token only: try using a different device
If you still can’t validate your token contact support. 2FA won’t be enabled for your account as long as you have no active token.
I can’t log in to the SelfService anymore
If your password gets rejected
Check if you can still log into other MPCDF services
If not, your account may be locked temporarily because of too many failed attempts. Try again after 10 minutes.
If you still can’t log in your account may be suspended or your password expired. Please contact support.
If your OTP gets rejected (“Wrong OTP”)
Please make sure you’re entering the 6-digit numeric code that changes every 30 seconds and is shown by your token (you may have to tap your app token once to reveal the OTP)
Make sure you’re entering and submitting the OTP while it is visible. It expires as soon as it is not visible anymore.
App token only: make sure you’re entering the OTPs that are generated by the token you can also find in your token list on the SelfService (“My account > Security > Configure 2FA”). Compare the serial in the list to the name of the token in your app. If the name does not match you’ll need to enroll a new one.
App token only: the algorithm for OTP generation depends on the current time. Make sure the clock on your device has the correct time set.
You may try resyncing your token’s clock with that of our server by clicking on “Resync token”
If your OTP still gets rejected try logging in using one of your backup tokens. Click one of the buttons below the OTP prompt to trigger an OTP to be sent to you.
If you don’t see any buttons to trigger OTPs you don’t have any backup tokens enabled. Please contact support using your institute email address.
If you lost your token
I can’t log in to a gate machine via SSH
Try logging in without any local extra configuration
Try logging in to a different MPCDF service to see if your password is correct
Make sure you’ve actually enrolled and activated a token by checking if the SelfService asks you for an OTP at login. You need to activate all tokens after enrollment by entering a valid OTP.
Try logging in to the SelfService or other gate machines to see if the issue is specific to one machine
If you are sure it must be the OTP that’s getting rejected, see the steps above under “I can’t log in to the SelfService anymore > If your OTP gets rejected”
I can’t access the HPC clusters through VNC anymore
If you are using vncviewer with the -via option to connect to an HPC machine via a gate machine, you will also need to obtain a 2FA token and provide an OTP. See “How do I enable 2FA?”.
To avoid having to type in OTPs each time you connect please refer to the ControlMaster setup documentation.
Hardware and client support
How can I use my sshfs/rsync/scp/sftp GUI with 2FA?
Your client may natively support interactive or multi-factor authentication methods. However, many GUI programs do not have this functionality built in.
Known GUI applications that support 2FA natively:
FileZilla (see How can I use FileZilla with 2FA?)
WinSCP (see our step-by-step guide)
Known GUI applications that do not support 2FA natively:
KDE Dolphin file browser
Gnome Nautilus file browser
If your client software does not support 2FA natively you have three options:
Use one of the applications that do support 2FA
Switch to MPCDF DataShare for storing your data
Create an SSH tunnel before using the GUI program as described below
If you want to go with the latter option you can create an SSH tunnel and forward the remote port to localhost as described here:
ssh -L 2002:raven.mpcdf.mpg.de:22 USER@gate1.mpcdf.mpg.de
You’ll then be able to connect to localhost on port 2002 with your client software while this tunnel is open using something like this as the path:
sftp://USER@localhost:2002/u/USER
If paired with a ControlMaster setup you don’t even need to keep the terminal in which you ran the command open.
How can I use FileZilla with 2FA?
Choose the Logon Type “interactive” and it will ask you for your password and OTP. Also make sure to check “Limit number of simultaneous connections” under “Transfer Settings” and leave the default value of 1.
How to use 2FA on a phone with a time shift?
Note that this section does not talk about time zone related time shifts since they don’t influence the OTP algorithm and don’t require extra configuration.
Some people like having their phone’s clock set to some minutes in the future. You can still use our app tokens in such a scenario. During token validation after scanning the QR code you will see a button that lets you synchronize the clocks of your phone and our server. Click that button and provide two consecutive OTPs. If the OTPs were correct the time shift of your phone will get corrected on the server and your token will automatically be activated.
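The TOTP parameters listed under “How do I enroll and use an app token?” (SHA-1, 30-second step, 6 digits), the “Resync token” button from the troubleshooting section and the clock-shift correction described here, worked through in Python as an added example that is not MPCDF’s code: it parses an otpauth:// enrolment URI, generates OTPs per RFC 6238, checks them server-side with one-time use enforced, and recovers a phone’s clock shift from two consecutive OTPs. The seed is the RFC 6238 reference key, the URI label and the 20-minute search limit are assumptions, and how the real server stores the shift is not stated on this page.

```python
"""TOTP (RFC 6238) with the SelfService app-token parameters: HMAC-SHA-1, 30 s step, 6 digits.
Added example; the seed is the RFC 6238 reference key, not a real token seed."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

TEST_SEED = b"12345678901234567890"  # RFC 6238 test key (constructed input)
# Constructed otpauth:// URI of the kind an enrolment QR code encodes; the label is hypothetical.
SAMPLE_URI = ("otpauth://totp/MPCDF:USER%20TOTP0001?secret="
              + base64.b32encode(TEST_SEED).decode()
              + "&algorithm=SHA1&digits=6&period=30")


def parse_otpauth(uri):
    """Return (seed, digits, period) from an otpauth URI; only TOTP with SHA-1 is accepted."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("only TOTP tokens are supported (HOTP is not)")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if q.get("algorithm", "SHA1").upper() != "SHA1":
        raise ValueError("unsupported hash algorithm: " + q["algorithm"])
    secret = q["secret"].upper().replace(" ", "")
    seed = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore stripped padding
    return seed, int(q.get("digits", "6")), int(q.get("period", "30"))


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed, unix_time, period=30, digits=6):
    """The OTP the app shows at unix_time: the counter is the number of elapsed 30 s steps."""
    return hotp(seed, unix_time // period, digits)


def verify(seed, otp, server_time, shift_steps=0, last_counter=-1, period=30):
    """Server-side check. The OTP must match the step for the server's clock plus the
    stored clock shift of the phone, and the step must be newer than the last accepted
    one so that a code can only be used once. Returns the accepted step or None."""
    counter = server_time // period + shift_steps
    if counter <= last_counter:
        return None  # replay of a step that was already consumed
    return counter if hmac.compare_digest(hotp(seed, counter), otp) else None


def resync(seed, otp1, otp2, server_time, max_shift_steps=40, period=30):
    """'Resync token' / time-shift correction: find the phone clock shift (in steps) for
    which otp1 and otp2 are two consecutive OTPs. The 40-step (20 min) limit is an assumption."""
    base = server_time // period
    for shift in range(-max_shift_steps, max_shift_steps + 1):
        if hotp(seed, base + shift) == otp1 and hotp(seed, base + shift + 1) == otp2:
            return shift
    return None
```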
Do you or are you planning to support FIDO2/U2F/YubiKeys?
You can already use your YubiKey (NEO, 4, 5, and FIPS series) with our 2FA system by enrolling an app token and scanning the QR code with the Yubico Authenticator app. The device will then generate an OTP when touched or NFC-tapped and show it on the screen of your mobile phone, or automatically save it to the system clipboard if plugged into your computer. You then only need to paste the OTP into the input field. To further enhance the security of your YubiKey, we recommend adding a password to its OATH application. You can find more information on using the Yubico Authenticator on the Yubico website.
Other FIDO/U2F mechanisms are envisioned for the future but no date has been set for implementing them yet.
On security
If the seed is stored on the server, how secure is it?
The seeds are stored along with the token definitions in a database and are AES encrypted. Access to this server is strictly limited to the system administrators, who need to use a separate 2FA system and dedicated administrator accounts for authentication. Even if the database were leaked, the secrets would still be encrypted and unreadable.
Where do the hardware tokens come from? Does the vendor know the seeds?
We obtain the hardware tokens directly from the manufacturer Feitian Technologies. For each token we generate the seed ourselves and program it onto the token via NFC. Only we know the seeds.