...
Contents
| Table of Contents |
|---|
Expected Outcomes
If you want to login to the UWYO VPN, ARCC’s Globus Endpoints, FastX, Teton, or any auxiliary services ARCC offers you will need to use Two-Factor Authentication. By then end of this tutorial you should know why ARCC requires it and how to use Two-Factor Authentication on ARCC services.
...
Introduction
Two-factor authentication or 2FA is an electronic authentication method in which a device user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows, like a password), possession (something only the user has, like a one-time code), and inherence (something only the user is, like an account that has access). From Wikipedia
Why ARCC uses 2FA
ARCC uses 2FA on every service we offer and is therefore one of our prerequisites for using them. One of those being High Performance Computing (HPC) services. Our HPC system is outside of the University of Wyoming Firewall on a network colloquially called a Science DMZ and thus we require 2FA to provide additional security.
Types of 2FA Tokens
One misconception that often comes up regarding 2FA is that is requires users to have a smartphone in order to use it. It is true that the Duo Mobile smartphone app with a push notification is the most common method for 2FA on ARCC services. However, there are more methods to use that does not require a smart device and an application that you must download. The methods for 2FA are:
Accept a push notification using the Duo app - This method requires the Duo Mobile app but with this all you need to do is tap the ‘approve’ button once you open the notification on the Duo app.
Generate a passcode using the Duo app - This requires a smart device and the Duo Mobile app to generate the passcode.
Landline - You can enroll any phone number that you have access to for your second factor to be a phone call to the phone number you enroll.
Text - This method requires you to enroll a phone number, but the only requirement is that this device must be able to receive text messages.
A physical USB fob called a YubiKey - This method requires you to purchase a fob from UWIT, but gives you a 2FA method that does not require a phone number.
...
Step-By-Step Tutorials
Now that we have covered why ARCC uses 2FA and the various methods you can use to provide a second factor token let’s cover the steps on how to use each of them. Keep in mind that ARCC uses UWYO IT to manage user accounts so on any ARCC service, your password is the same as your UWYO password. In the following examples we will use the fake password of ‘password123’.
2FA by push notification on the Duo app
In order to use the Duo mobile app you will need to download it to whatever mobile platform you prefer to use like the Apple App Store for iPhone, iPad, etc. or Google Play on Android Devices as well as have it configured to UWyo following the guide in the UWIT Knowledgebase article on enrolling your device. Once that is done, follow these steps:
...
You will then be logged in and able to use the service that you logged into.
Alternative method for 2FA by push notification on the Duo app
If for some reason you do not receive a push (maybe you didn’t mark it as your preferred method during setup on Wyosecure) you can ensure a push will be sent with alternative method to get a push with your password and a comma:
...
Once you accept the push notification, you will then be logged in and able to use the service that you logged into.
2FA using a code from the Duo app
In order to use the Duo mobile app you will need to download it to whatever mobile platform you prefer to use like the Apple App Store for iPhone, iPad, etc. or Google Play on Android Devices as well as have it configured to UWyo following the guide in the UWIT Knowledgebase article on enrolling your device. Once that is done, follow these steps:
...
You will then be logged in and able to use the service that you logged into.
2FA using a Landline
When attempting to use the landline method for 2FA you will need to enter your password you will need to first enroll the phone number you’d like on the https://wyosecure.uwyo.edu web application. Once that is done, once you go to one of our services you will then need to type three things to use 2FA with that phone number:
...
You will then receive a phone call to the number you enrolled. On that call there will be an automated message that says something similar to “Welcome to Duo” an then be instructed to press the pound sign (or hashtag) '#' to provide your second factor. You will then be logged in and able to use the service that you logged into.
2FA using a Text message
This method first requires you to login to the Wyosecure web app at https://wyosecure.uwyo.edu in addition to several other steps.
...
You will then be logged in and able to use the service that you logged into.
2FA by using a YubiKey fob
This method does not require you to have a phone at all and provides you with a physical USB key to use as your second factor. To use this method you must first have purchased your YubiKey from UWIT and have it enrolled to your UWyo account. To purchase one please see the UWIT Knowledgebase article.
...
Please keep in mind that you will need to have your cursor on the same line as your password and comma. You won't need to press ‘enter’ or ‘return’ the YubiKey submits that for you and you will then be logged in and able to use the service that you logged into.
...
Summary
In summary, this tutorial covered the multiple ways you can use 2FA with ARCC services including:
Why ARCC requires 2FA
What you need to have to use 2FA
How to use 2FA with the Duo push notifications
How to use 2FA with the Duo generated passcode
How to use 2FA with a landline
How to use 2FA with a text message
How to use 2FA with a YubiKey
...
Next Steps
The interfaces for all ARCC services are different and 2FA may look different between them but once you have this down, the next step is to find the service you with to use and login using 2FA. Or find the tutorial best suited to help you to use the service you wish.
...