Using Two-Factor Authentication_old
Objective of this tutorial is to describe what two-factor authentication is, why we use it at ARCC, and demonstrate how it gets used. We use the same methods that UWIT uses for second factor tokens and instructions on how to enroll can be found on their knowledgebase article.
This is a comprehensive guide, feel free to use the Table of Contents below and jump to the sections that are relevant to your use case or current step in your workflow.
Contents
Expected Outcomes
If you want to login to the UWYO VPN, ARCC’s Globus Endpoints, FastX, Teton, or any auxiliary services ARCC offers you will need to use Two-Factor Authentication. By then end of this tutorial you should know why ARCC requires it and how to use Two-Factor Authentication on ARCC services.
Introduction
Two-factor authentication or 2FA is an electronic authentication method in which a device user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows, like a password), possession (something only the user has, like a one-time code), and inherence (something only the user is, like an account that has access). From Wikipedia
Why ARCC uses 2FA
ARCC uses 2FA on every service we offer and is therefore one of our prerequisites for using them. One of those being High Performance Computing (HPC) services. Our HPC system is outside of the University of Wyoming Firewall on a network colloquially called a Science DMZ and thus we require 2FA to provide additional security.
Types of 2FA Tokens
One misconception that often comes up regarding 2FA is that is requires users to have a smartphone in order to use it. It is true that the Duo Mobile smartphone app with a push notification is the most common method for 2FA on ARCC services. However, there are more methods to use that does not require a smart device and an application that you must download. The methods for 2FA are:
Accept a push notification using the Duo app - This method requires the Duo Mobile app but with this all you need to do is tap the ‘approve’ button once you open the notification on the Duo app.
Generate a passcode using the Duo app - This requires a smart device and the Duo Mobile app to generate the passcode.
Landline - You can enroll any phone number that you have access to for your second factor to be a phone call to the phone number you enroll.
Text - This method requires you to enroll a phone number, but the only requirement is that this device must be able to receive text messages.
A physical USB fob called a YubiKey - This method requires you to purchase a fob from UWIT, but gives you a 2FA method that does not require a phone number.
Step-By-Step Tutorials
Now that we have covered why ARCC uses 2FA and the various methods you can use to provide a second factor token let’s cover the steps on how to use each of them. Keep in mind that ARCC uses UWYO IT to manage user accounts so on any ARCC service, your password is the same as your UWYO password. In the following examples we will use the fake password of ‘password123’.
2FA by push notification on the Duo app
In order to use the Duo mobile app you will need to download it to whatever mobile platform you prefer to use like the Apple App Store for iPhone, iPad, etc. or Google Play on Android Devices as well as have it configured to UWyo following the guide in the UWIT Knowledgebase article on enrolling your device. Once that is done, follow these steps:
Go to the ARCC service you’d like to login to
Enter your UWYO username & password
Open the notification and push the ‘Approve’ button
This example from ‘the ACME web corp’ is similar to what we describe:
You will then be logged in and able to use the service that you logged into.
Alternative method for 2FA by push notification on the Duo app
If for some reason you do not receive a push (maybe you didn’t mark it as your preferred method during setup on Wyosecure) you can ensure a push will be sent with alternative method to get a push with your password and a comma:
Your password
A comma
The word ‘push’ using only lowercase letters
If our password is ‘password123’ we will then add the comma and the the word ‘push’ on the same line, with no spaces. See the example below:
password123,push
Please notice that if the password is hidden what you type will be your password plus five more characters. In our example it will be a total of 16 characters. See what it looks like with using Globus to access data on Teton:
Once you accept the push notification, you will then be logged in and able to use the service that you logged into.
2FA using a code from the Duo app
In order to use the Duo mobile app you will need to download it to whatever mobile platform you prefer to use like the Apple App Store for iPhone, iPad, etc. or Google Play on Android Devices as well as have it configured to UWyo following the guide in the UWIT Knowledgebase article on enrolling your device. Once that is done, follow these steps:
Open the Duo App
Find the UWYO logo
Click on the icon that will generate a six-digit passcode.
This example from George Mason University is similar to what we describe:
Once you have your six-digit code, you can then enter it with your password and a comma:
Your password
A comma
The passcode displayed on the app
If our password is ‘password123’ we will then add the comma and the code displayed on the Duo app on the same line, with no spaces. See the example below:
password123,912136
Please notice that if the password is hidden what you type will be your password plus seven more characters. In our example it will be a total of 18 characters. See what it looks like with using Globus to access data on Teton:
You will then be logged in and able to use the service that you logged into.
2FA using a Landline
When attempting to use the landline method for 2FA you will need to enter your password you will need to first enroll the phone number you’d like on the https://wyosecure.uwyo.edu web application. Once that is done, once you go to one of our services you will then need to type three things to use 2FA with that phone number:
Your password
A comma
The word ‘phone’ using only lowercase letters
If our password is ‘password123’ we will then add the comma and the word ‘phone’ all on the same line, with no spaces. See the example below:
password123,phone
Please notice that if the password is hidden what you type will be your password plus six more characters. In our example it will be a total of 17 characters. See what it looks like with using Globus to access data on Teton:
You will then receive a phone call to the number you enrolled. On that call there will be an automated message that says something similar to “Welcome to Duo” an then be instructed to press the pound sign (or hashtag) '#' to provide your second factor. You will then be logged in and able to use the service that you logged into.
2FA using a Text message
This method first requires you to login to the Wyosecure web app at https://wyosecure.uwyo.edu in addition to several other steps.
Logon to Wyosecure with your UWyo username & password:
to sign into the app.
You will then see a screen that asks you for a second factor, but at the bottom of the screen, notice the button that says “Text me new codes”. If you push that button to request a text, one comes to your device from an unknown number.
After you bush the button the message changes to “Successfully sent codes.”
You should then recive a text message to the phone you have enrolled.
This message will include ten separate seven-digit codes.
Keep in mind that you get a chance to use each of these codes only once. Once you attempt to login using one of the codes, you will need to try a different one the next time you try.
Once you have your codes, you can then enter it with your password and a comma:
Your password
A comma
One of passcodes you received in the text
If our password is ‘password123’ we will then add the comma and the first code in our text on the same line, with no spaces. See the example below:
Please notice that if the password is hidden what you type will be your password plus eight more characters. In our example it will be a total of 19 characters. See what it looks like with using Globus to access data on Teton:
You will then be logged in and able to use the service that you logged into.
2FA by using a YubiKey fob
This method does not require you to have a phone at all and provides you with a physical USB key to use as your second factor. To use this method you must first have purchased your YubiKey from UWIT and have it enrolled to your UWyo account. To purchase one please see the UWIT Knowledgebase article.
Once you have your YubiKey follow these steps:
Go to the ARCC service you wish to login to
enter your UWYO username
Enter your UWYO password
On the same line as the password enter a comma ','
Insert your YubiKey into a USB port on the device you are trying to login on and press the button
See this example if our password is ‘password123’ before we use the YubiKey type:
Please keep in mind that you will need to have your cursor on the same line as your password and comma. You won't need to press ‘enter’ or ‘return’ the YubiKey submits that for you and you will then be logged in and able to use the service that you logged into.
Summary
In summary, this tutorial covered the multiple ways you can use 2FA with ARCC services including:
Why ARCC requires 2FA
What you need to have to use 2FA
How to use 2FA with the Duo push notifications
How to use 2FA with the Duo generated passcode
How to use 2FA with a landline
How to use 2FA with a text message
How to use 2FA with a YubiKey
Next Steps
The interfaces for all ARCC services are different and 2FA may look different between them but once you have this down, the next step is to find the service you with to use and login using 2FA. Or find the tutorial best suited to help you to use the service you wish.