Using Two-Factor Authentication_old

The objective of this tutorial is to describe what two-factor authentication is, explain why we use it at ARCC, and demonstrate how it is used. We use the same methods that UWIT uses for second-factor tokens, and instructions on how to enroll can be found in their knowledgebase article.

This is a comprehensive guide. Feel free to use the Table of Contents below to jump to the sections that are relevant to your use case or current step in your workflow.

Contents

Expected Outcomes

If you want to log in to the UWYO VPN, ARCC’s Globus Endpoints, FastX, Teton, or any auxiliary services ARCC offers, you will need to use Two-Factor Authentication. By the end of this tutorial you should know why ARCC requires it and how to use Two-Factor Authentication on ARCC services.


Introduction

Two-factor authentication or 2FA is an electronic authentication method in which a device user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows, like a password), possession (something only the user has, like a one-time code), and inherence (something only the user is, like an account that has access). From Wikipedia

Why ARCC uses 2FA

ARCC uses 2FA on every service we offer, so it is a prerequisite for using them. One of those services is High Performance Computing (HPC). Our HPC system is outside of the University of Wyoming firewall, on a network colloquially called a Science DMZ, and thus we require 2FA to provide additional security.

Types of 2FA Tokens

One misconception that often comes up regarding 2FA is that it requires users to have a smartphone. It is true that the Duo Mobile smartphone app with a push notification is the most common method for 2FA on ARCC services. However, there are other methods that do not require a smart device or an application that you must download. The methods for 2FA are:

  • Accept a push notification using the Duo app - This method requires the Duo Mobile app but with this all you need to do is tap the ‘approve’ button once you open the notification on the Duo app.

  • Generate a passcode using the Duo app - This requires a smart device and the Duo Mobile app to generate the passcode.

  • Landline - You can enroll any phone number that you have access to for your second factor to be a phone call to the phone number you enroll.

  • Text - This method requires you to enroll a phone number, but the only requirement is that this device must be able to receive text messages.

  • A physical USB fob called a YubiKey - This method requires you to purchase a fob from UWIT, but gives you a 2FA method that does not require a phone number.


Step-By-Step Tutorials

Now that we have covered why ARCC uses 2FA and the various methods you can use to provide a second-factor token, let’s cover the steps for using each of them. Keep in mind that ARCC uses UWYO IT to manage user accounts, so on any ARCC service your password is the same as your UWYO password. In the following examples we will use the fake password ‘password123’.

2FA by push notification on the Duo app

In order to use the Duo Mobile app you will need to download it for the mobile platform you prefer (from the Apple App Store for iPhone, iPad, etc., or from Google Play on Android devices) and have it configured for UWyo following the guide in the UWIT Knowledgebase article on enrolling your device. Once that is done, follow these steps:

  1. Go to the ARCC service you’d like to log in to

  2. Enter your UWYO username & password

  3. Open the notification and push the ‘Approve’ button

This example from ‘the ACME web corp’ is similar to what we describe:

You will then be logged in and able to use the service that you logged into.

Alternative method for 2FA by push notification on the Duo app

If for some reason you do not receive a push (maybe you didn’t mark it as your preferred method during setup on Wyosecure), you can make sure a push is sent by typing three things in the password field:

  1. Your password

  2. A comma

  3. The word ‘push’ using only lowercase letters

If our password is ‘password123’ we will then add the comma and the word ‘push’ on the same line, with no spaces. See the example below:

password123,push

Please notice that if the password is hidden, what you type will be your password plus five more characters. In our example it will be a total of 16 characters. See what it looks like when using Globus to access data on Teton:

Once you accept the push notification, you will then be logged in and able to use the service that you logged into.

2FA using a code from the Duo app

In order to use the Duo Mobile app you will need to download it for the mobile platform you prefer (from the Apple App Store for iPhone, iPad, etc., or from Google Play on Android devices) and have it configured for UWyo following the guide in the UWIT Knowledgebase article on enrolling your device. Once that is done, follow these steps:

  1. Open the Duo App

  2. Find the UWYO logo

  3. Click on the icon that will generate a six-digit passcode.

This example from George Mason University is similar to what we describe:

Once you have your six-digit code, you can then enter it with your password and a comma:

  1. Your password

  2. A comma

  3. The passcode displayed on the app

If our password is ‘password123’ we will then add the comma and the code displayed on the Duo app on the same line, with no spaces. See the example below:

password123,912136

Please notice that if the password is hidden, what you type will be your password plus seven more characters. In our example it will be a total of 18 characters. See what it looks like when using Globus to access data on Teton:

You will then be logged in and able to use the service that you logged into.

2FA using a Landline

To use the landline method for 2FA you will first need to enroll the phone number you’d like to use on the https://wyosecure.uwyo.edu web application. Once that is done, when you go to one of our services you will need to type three things to use 2FA with that phone number:

  1. Your password

  2. A comma

  3. The word ‘phone’ using only lowercase letters

If our password is ‘password123’ we will then add the comma and the word ‘phone’ all on the same line, with no spaces. See the example below:

password123,phone

Please notice that if the password is hidden, what you type will be your password plus six more characters. In our example it will be a total of 17 characters. See what it looks like when using Globus to access data on Teton:

You will then receive a phone call to the number you enrolled. On that call there will be an automated message that says something similar to “Welcome to Duo”, and you will then be instructed to press the pound sign (or hashtag) '#' to provide your second factor. You will then be logged in and able to use the service that you logged into.

2FA using a Text message

This method first requires you to login to the Wyosecure web app at https://wyosecure.uwyo.edu in addition to several other steps.

  1. Log on to Wyosecure with your UWyo username & password to sign into the app.

  2. You will then see a screen that asks you for a second factor, but at the bottom of the screen, notice the button that says “Text me new codes”. If you push that button to request a text, one comes to your device from an unknown number.

    After you push the button the message changes to “Successfully sent codes.”

    You should then receive a text message on the phone you have enrolled.

  3. This message will include ten separate seven-digit codes.

    Keep in mind that you get a chance to use each of these codes only once. Once you attempt to login using one of the codes, you will need to try a different one the next time you try.

Once you have your codes, you can then enter one of them with your password and a comma:

  1. Your password

  2. A comma

  3. One of the passcodes you received in the text

If our password is ‘password123’ we will then add the comma and the first code in our text on the same line, with no spaces. See the example below:

Please notice that if the password is hidden, what you type will be your password plus eight more characters. In our example it will be a total of 19 characters. See what it looks like when using Globus to access data on Teton:

You will then be logged in and able to use the service that you logged into.

2FA by using a YubiKey fob

This method does not require you to have a phone at all and provides you with a physical USB key to use as your second factor. To use this method you must first have purchased your YubiKey from UWIT and have it enrolled to your UWyo account. To purchase one please see the UWIT Knowledgebase article.

 

Once you have your YubiKey follow these steps:

  1. Go to the ARCC service you wish to log in to

  2. Enter your UWYO username

  3. Enter your UWYO password

  4. On the same line as the password enter a comma ','

  5. Insert your YubiKey into a USB port on the device you are trying to login on and press the button

 

See this example of what is typed, if our password is ‘password123’, before we use the YubiKey:

Please keep in mind that you will need to have your cursor on the same line as your password and comma. You won't need to press ‘enter’ or ‘return’; the YubiKey submits that for you, and you will then be logged in and able to use the service that you logged into.
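
The ‘password,factor’ entries from the sections above can be checked with a short script. This is an added example, not ARCC or Duo code; the function name, the split on the last comma, and the 44-character YubiKey OTP shape (the standard Yubico OTP format) are assumptions.

```python
import re

# Factor keywords and passcode lengths are the ones this tutorial describes.
# The 44-character modhex shape is the standard Yubico OTP format; that the
# YubiKeys used here emit it is an assumption.
MODHEX = "cbdefghijklnrtuv"
FACTOR_PATTERNS = [
    ("push", re.compile(r"push")),
    ("phone", re.compile(r"phone")),
    ("duo_app_passcode", re.compile(r"\d{6}")),
    ("sms_passcode", re.compile(r"\d{7}")),
    ("yubikey_otp", re.compile(rf"[{MODHEX}]{{44}}")),
]


def parse_password_field(entry):
    """Split 'password,factor' and classify the factor.

    Splits on the LAST comma so a password that itself contains commas
    stays intact (an assumption about how the server separates the two).
    Returns (password, factor_kind, problem); problem is None when the
    entry matches one of the formats in the tutorial.
    """
    if "," not in entry:
        return entry, None, "no comma: password only, no factor requested"
    password, factor = entry.rsplit(",", 1)
    if not password:
        return password, None, "nothing before the comma"
    if factor != factor.strip() or password != password.rstrip():
        return password, None, "spaces around the comma"
    for kind, pattern in FACTOR_PATTERNS:
        if pattern.fullmatch(factor):
            return password, kind, None
    if factor.lower() in ("push", "phone"):
        return password, None, "keyword must be lowercase"
    return password, None, "unrecognised factor"


# Constructed sample entries using the tutorial's fake password.
SAMPLES = ["password123,push", "password123,912136", "password123,phone",
           "password123,Push", "password123, push", "password123"]

if __name__ == "__main__":
    for s in SAMPLES:
        _, kind, problem = parse_password_field(s)
        # Print only the length and the verdict, never the entry itself.
        print(f"{len(s):2d} chars  {kind or problem}")
```

A password that itself contains a comma, typed without a factor, would have its tail read as the factor under this split rule.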


Summary

In summary, this tutorial covered the multiple ways you can use 2FA with ARCC services including:

  • Why ARCC requires 2FA

  • What you need to have to use 2FA

  • How to use 2FA with the Duo push notifications

  • How to use 2FA with the Duo generated passcode

  • How to use 2FA with a landline

  • How to use 2FA with a text message

  • How to use 2FA with a YubiKey


Next Steps

The interfaces for all ARCC services are different, and 2FA may look different between them, but once you have this down, the next step is to find the service you wish to use and log in using 2FA, or to find the tutorial best suited to help you use the service you wish.