Two-Factor Authentication: Glossary/FAQ

Glossary

2FA
two-factor authentication
Challenge Response Authentication
The SIM-MFA web portal shows this message at login. Here, the second factor is required.
MFA
multi-factor authentication
The prompt on SuperMUC-NG may ask you to enter here the second factor.
OTP
one-time password, which serves as a second factor
Password
When asked to enter "password", please enter the password of your relevant LRZ account, which you have set in the LRZ IDM portal.
PIN
This is some kind of additional "password" assigned to the token. We do not recommend to set a PIN for a token!
PUSH
Push is a software token, which requires a mobile devices and an authenticator app. The app receives the push message from the 2FA server, which was triggered by the login procedure. This notification is accepted by the user to complete the login.
Response
At login to the SIM-MFA web portal, you are asked for the second factor (2FA) via this keyword.
Second Factor
This is a generic term for the credential generated by all 2FA methods (tokens), such as TOTP, PUSH, YubiKey or TAN list.
TAN
TAN is a token, which provides a list of OTPs, which may be printed on a sheet of paper.
Token
A "token" is a piece of hardware or software that serves as a second factor in authentication. Tokens for 2-factor authentication must first be registered on the SIM-MFA server at LRZ before they can be used for authentication on a LRZ service prepared for this purpose. The conventional login method uses ssh login with password or public-key authentication. The 2FA authentication will not replace that method. Rather, it will ask you for a second factor on top of the conventional login credentials. 
Token_Response
At login to the Linux Cluster, you are asked for the second factor (2FA) via this keyword.
TOTP
TOTP is a time-based one-time password. This is a software token, which requires a mobile devices and an authenticator app. The app regularly generates an OTP, e.g. every 30 seconds.
YubiKey
This is an individually configured USB-Key. When asked for the second factor at login (ssh or SIM-MFA portal), touching this hardware token will provide the second factor. The login procedure completes.

FAQ

General

Passwords and QR codes are secrets. As long as the associated token is valid, the other person might be able to abuse it. We recommend to disable or delete the token and generate a new one.

Yes! We recommend to have not only one token. See Token Recovery Procedure for details.

Yes, but this can be generated very easily in the SIM-MFA web portal (https://simmfa.sim.lrz.de) and scanned with the new smartphone. Done. And because simmfa is a central server, the 2FA login then works immediately on all 2FA-enabled LRZ services with the new smartphone.


SIM-MFA Web Portal

Recommendation: NO. Otherwise, when using the token for logging in, the PIN must be typed in each time before the one-time password. Currently, the 2FA prompts at SuperMUC-NG and Linux Cluster are not configured to manage this in a user-friendly way. It will work, but it is not intuitive.

However, the PIN is justified as additional security. Or if you have rolled out several tokens, the SIM-MFA server can check/trigger exactly the desired token instead of testing all tokens.

The key (seed) used to generate the OTPs.

An interesting note on the security of the rollout with the privacyIDEA app (as opposed to Google Authenticator or FreeOTP):

https://netknights.it/privacyidea-authenticator-der-bessere-smartphone-faktor/

Yes. However, currently, we cannot provide support for token types beyond those recommended in this documentation.

To get rid of a token, you can unassign it to your own identifier (the button at the very bottom of the token's page). Then the token is gone from the list and will be completely removed from the system after a certain time.

We have disabled the possibility to delete tokens immediately.

This is the case if an attempt was made to remove the token with Disable or Revoke. Please contact us so that we reactivate the token and remove the assignment.

This is not an error. Now the second factor is required to complete the login procedure. For example, just enter the TOTP into the input mask or accept the PUSH message.



Linux Cluster Access
 

It might happen that no push message appears. The reason is unclear. Try the following workaround:
Just hit <ENTER> once in the ssh-2FA prompt and check the push message again.

Possibly the problem is in the SIM MFA web portal. Have you set a PIN for your token?

a) Yes. We would ask you to delete it.

b) No. We would ask you to repeat the process of not setting a PIN again.

The procedure is identical for both case a) and b):
1. Select the token in the SIM MFA portal. A new menu opens.
2. Set the PIN again by explicitly leaving both PIN fields blank.


Please Contact Us and open a ticket. Please describe the setup of your workflow and the problems (e. g. errors) as detailed as possible.


SuperMUC-NG Access

It might happen that no push message appears. The reason is unclear. Try the following workaround:
Just hit <ENTER> once in the ssh-2FA prompt and check the push message again.

Possibly the problem is in the SIM MFA web portal. Have you set a PIN for your token?

a) Yes. We would ask you to delete it.

b) No. We would ask you to repeat the process of not setting a PIN again.

The procedure is identical for both case a) and b):
1. Select the token in the SIM MFA portal. A new menu opens.
2. Set the PIN again by explicitly leaving both PIN fields blank.

Please Contact Us and open a ticket. Please describe the setup of your workflow and the problems (e. g. errors) as detailed as possible.

Authenticator (PrivacyIdea) App | PUSH | TOTP
 

No. The user ID is included by default with every new token that is rolled out. But you can change that as follows:

  1. Swipe the token's line to the left.
  2. A menu appears. Tap the pen icon (Umbenennen/Rename).
  3. Now set a new name as desired.

Please try the following:

  • Swipe down in the app to trigger the update.
  • Clear the app cache.

The NetKnights company is aware of the problem. A solution is still pending, although they can only influence it themselves to a limited extent due to the Google Firebase backend.

We recommend to Contact Us for further advice by opening a ticket. Apart from technical issues, it is also possible that your account has been hacked and someone else initiated the Push message. It may also be advisable to reset the password of the affected user ID in the IDM portal.

Yes, but this does not help the attackers or thieves of the smartphone. The OTPs generated with it are only one of 2 factors. Simultaneously, the password of your identifier would also have to be hacked. And as soon as the associated token is deleted from the SIM-MFA server, this seed is worthless.

No. The app does not send this secret.

If you do not receive any PUSH message after setting up the PUSH token, you may check the log messages:

  1. Log in to the LRZ SIM-MFA web portal.
  2. On top of the page click on Audit and check the messages. There might be a message on a wrong PIN. This may accidently happen, even if you haven't set a PIN.
  3. Please reset the PIN by opening the list of your tokens (select Token on top of the page and then "Alle Token" in the menu on the left side). Select the affected token. The details page of this token appears. Make sure that the PIN input fields are empty. Then, click on "PIN setzen" ("Set PIN").
Yubikey
 

Running the command "ykman info" may succeed, but running the configuration fails with the given error.

Is the YubiKey directly connected to a USB port of your computer? If not, please do so and try again.

Background: The YubiKey may not work properly, if it is connected via a (long) cable or a docking station.

We recommend to deactivate this YubiKey in the SIM-MFA portal. However, you will need another 2FA token to access the web portal (e. g. PUSH token). Then, list all your tokens via the menu entry "All tokens" on the left side, select your YubiKey and click on the Disable button.

In any case, please Contact Us and report the issue.

We will help you

  • if you are no longer able to login to the web portal,
  • to finally remove the YubiKey from the SIM-MFA portal.




Workflows | Data Transfer
 
That might be an issue with old versions of WinSCP, which do not handle 2FA correctly. Please install the latest version of WinSCP.