Doc::MFA: Difference between revisions

From Computer Science Wiki
Carnold (talk | contribs)
Carnold (talk | contribs)
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Computer Science Multi-factor Authentication =
= Computer Science Multi-factor Authentication (MFA) =


== Introduction ==
== Introduction ==
Computer Science login using a simple form of multi-factor authentication (MFA) by sending a one time use token (OTP) to an email address that you have configuredMost all cell phone carriers provide a way to receive an email as a text message so you can set up your CS MFA to utilize your cell phone to authenticate.  The OTP can only be used once, additionally the OTP is only valid for 5 minutes.  You can "resend" the token if you run out of time.
Computer Science offers two different MFA options. 
* '''Google Authenticator''' time based one-time password (TOTP) login.  See this article for more information on using the service: https://support.google.com/accounts/answer/1066447 We recommend using the official ''DUO Mobile'' app '''OR''' ''Google Authenticator'' app on your Android or iOS smart phone, however many apps and devices are compatible with Google TOTP. 
* '''FIDO2 based passkey'''  We recommend using bio-metrics on your Android or iOS smart phone to securely store your passkeysSee https://it-training.apple.com/tutorials/support/sup540/ for iOS support or https://support.google.com/android/answer/14124480?hl=en for Android devices
The goal for MFA is to improve the security of your CS account without causing too much disruption to your workflow.


== Change your CS MFA email address ==
== Enable MFA ==
* Your CS Profile: https://admin.cs.vt.edu/my-profile/
Currrently, participation in Computer Science MFA is optional.  You can go to https://admin.cs.vt.edu/my-profile to enable or disable MFA for your CS account.  Not all services currently support MFA login, for example SSH to rlogin.
By default, CS MFA uses your "preferred" email address that is configured in your profile.  If you set the "MFA Email" field in your profile, then it will use that address instead.  Use caution when changing your MFA email, you could lock yourself out of your CS account if the address does not workYou should leave your profile page open, and then in a new "Private/Incognito" browser go to https://2fa.admin.cs.vt.edu to test your change, and make sure you can log in.


== Email to SMS ==
== Trusted Devices ==
Most all major cell providers offer a service that will receive a text message from a special email addressFor example, if the phone number is 123-456-7890 and the carrier is AT&T, the email address is <code>1234567890@txt.att.net</code>. Even 3rd party cell providers will use the network's gateway addressFor example, Visible and Total Wireless both run on the Verizon network and would use the @vtext.com address.
After you successfully log in with CS MFA, you have the option to remember the device for a certain amount of time.  This means CS MFA won't ask you to enter your OTP again from this specific "device" until it expires.  You should only do this on machines that you trust, such as your desktop/laptop.  The "device" is specific to the machine and browser that you are using.  For example, if you have Firefox on your laptop saved as a trusted device, then you log in from Chrome on the same machine, it will still ask for your OTP.
 
== Fail Safe ===
CS Login is configured to bypass MFA if you are connected to the official VT VPN.  If you get locked out of your account, you can connect to the VT VPN to access your account again.
 
== Google Authenticator ==
When Google Authenticator is enabled, CS login protected websites will follow this login flow:
* If you are logging in from a new or unknown computer and browser
** You are first prompted for your username and password
** After successful password login, you will be prompted to enter a token.
*** Open your Google Authenticator App and locate the Computer Science 6 digit tokenThe token changes every 30 seconds.
** Enter your token
** After successful token, you will be prompted if you want to register the device as "trusted."  You can choose to register or skip.  If you register, then you won't be prompted for the mfa token on this computer/browser combo for a certain amount of time.  If you skip, then you will be prompted again next login.
** After device registration, you should be taken to your destination site
 
Recommended steps for enabling CS MFA:
* Install Google Authenticator App on your smart phone device:  [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android] or [https://apps.apple.com/us/app/google-authenticator/id388497605 Apple]
* Go to https://admin.cs.vt.edu/my-profile and enable MFA
* Leave the "My Profile" page open, and use another web browser or new private window to https://admin.cs.vt.edu to register your device and test.  Doing this will allow you to disable MFA if you have trouble registering.
 
=== Registering Device ===
The first time you log into your account after turning MFA on, you will be prompted to register your MFA device.  This is done using either a QR code or a secret key, both are display on the screen. Both the QR code and secret key are sensitive, so keep them safe! Printing the QR code is a great way to keep a hard copy backup of your MFA codeOnce you have a enter the QR or secret key into your app, click on the "Confirm" button and it will prompt you for your TOTP key.  You can give the device a name which can only be set at the time of registration. You can register additional TOTP devices by going to https://login.cs.vt.edu/cas


{| class="wikitable" sytle="margin:auto;border=1"
== Passkey ==
|+ Here are the SMS and MMS gateways for the major carriers in the United States.
'''Warning''': Passkey support may vary a lot by all operating systems and devices.
|-
!Carrier !!SMS Gateway !!MMS Gateway
|-
|AT&T ||@txt.att.net ||@mms.att.net
|-
|Boost Mobile ||@sms.myboostmobile.com ||@myboostmobile.com
|-
|Cricket Wireless ||@sms.cricketwireless.net ||@mms.cricketwireless.net
|-
|T-Mobile ||@tmomail.net ||@tmomail.net
|-
|UScellular ||@email.uscc.net ||@mms.uscc.net
|-
|Verizon ||@vtext.com ||@vzwpix.com
|}
Don’t know your carrier? Use a website like https://freecarrierlookup.com/ to look it up.


== Trusted Devices ==
When Passkey is enabled, CS login protected websites will follow this login flow:
After you successfully log in with CS MFA, you have the option to remember the device for a certain amount of time.  This means CS MFA won't ask you to enter your OTP again from this specific "device" until it expires.  You should only do this on machines that you trust, such as your desktop/laptop. The "device" is specific to the machine and browser that you are usingFor example, if you have Firefox on your laptop saved as a trusted device, then you log in from Chrome on the same machine, it will still ask for your OTP.
* If you are logging in from a new or unknown computer and browser
** You are first prompted for your username and password
** After successful password login, you will be prompted to process your passkey
** Generally, an operating system window will pop up giving you the option to select your passkey device
** After successfully presenting your Passkey, you will be prompted if you want to register the device as "trusted."  If you register, then you won't be prompted for the mfa token on this computer/browser combo for a certain amount of time.  If you skip, then you will be prompted again next login.
** After device registration, you should be taken to your destination site
 
Recommended steps for enabling CS MFA:
* Go to https://admin.cs.vt.edu/my-profile and enable MFA
* Leave the "My Profile" page open, and use another web browser or new private window to https://admin.cs.vt.edu to register your device and testDoing this will allow you to disable MFA if you have trouble registering.
 
=== Registering Device ===
The first time you log into your account after turning MFA on, you will be prompted to register your MFA device.  Passkey device registration is handled by your operating system, so the process will vary greatly.  


== Tips ==
== Tips ==
* Be sure not use a MFA email address that is accessible from your CS account.  For example, do not use <code><pid>@cs.vt.edu</code> or <code><pid>@vt.edu</code> that forwards to your <code><pid>@cs.vt.edu</code> address.  If a hacker got your password, then they could login to your email to retrieve the OTP.
* Give your TOTP device a meaningful name when if you first register them
* The OTP is formatted such as <code>CASMFA-123456</code>  Entering the "CASMFA-" part is optionalYou can save time by just entering the numbers.
* Make sure to backup your Google Authenticator codes, and transfer them to any new phone you get.
* Your MFA email can only be a single address.  If you want to use multiple email addresses for redundancy, then Techstaff can create an email alias that can go to multiple addresses.
* You can use a printout of our QR code as a hard copy backupMake sure to keep this safe!
* Use caution when updating your MFA email address, you can accidentally lock yourself out of your account.  Test your change in a private/incognito window before closing your profile page.
* If your TOTP device fails to register for whatever reason, you will need to generate a new QR code by closing the browser and logging in again.
* As a fail-safe, you can login into your CS account without MFA if you are connected to the VT VPN.
* If you get locked out of your account because of MFA, [[Contact Techstaff]].
* You can review your registered and trusted devices by logging into https://login.cs.vt.edu/cas
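Review bot: The heading `== Fail Safe ===` in the new revision has unbalanced equals signs and renders as "Fail Safe =" with a stray "=" in the page; it should be `== Fail Safe ==` to match the other level-2 headings. Two smaller points in the same region: "Currrently" in the Enable MFA paragraph is a typo, and in the Passkey login flow "prompted to process your passkey" is vague where the next bullets say "presenting your Passkey", so "present" would read more consistently.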

Latest revision as of 07:53, 5 September 2024

Computer Science Multi-factor Authentication (MFA)

Introduction

Computer Science offers two different MFA options.

The goal for MFA is to improve the security of your CS account without causing too much disruption to your workflow.

Enable MFA

Currently, participation in Computer Science MFA is optional. You can go to https://admin.cs.vt.edu/my-profile to enable or disable MFA for your CS account. Not all services currently support MFA login, for example SSH to rlogin.

Trusted Devices

After you successfully log in with CS MFA, you have the option to remember the device for a certain amount of time. This means CS MFA won't ask you to enter your OTP again from this specific "device" until it expires. You should only do this on machines that you trust, such as your desktop/laptop. The "device" is specific to the machine and browser that you are using. For example, if you have Firefox on your laptop saved as a trusted device, then you log in from Chrome on the same machine, it will still ask for your OTP.

Fail Safe

CS Login is configured to bypass MFA if you are connected to the official VT VPN. If you get locked out of your account, you can connect to the VT VPN to access your account again.

Google Authenticator

When Google Authenticator is enabled, CS login protected websites will follow this login flow:

  • If you are logging in from a new or unknown computer and browser
    • You are first prompted for your username and password
    • After successful password login, you will be prompted to enter a token.
      • Open your Google Authenticator App and locate the Computer Science 6 digit token. The token changes every 30 seconds.
    • Enter your token
    • After a successful token entry, you will be prompted if you want to register the device as "trusted." You can choose to register or skip. If you register, then you won't be prompted for the MFA token on this computer/browser combo for a certain amount of time. If you skip, then you will be prompted again next login.
    • After device registration, you should be taken to your destination site

Recommended steps for enabling CS MFA:

  • Install the Google Authenticator app on your smartphone: Android or Apple
  • Go to https://admin.cs.vt.edu/my-profile and enable MFA
  • Leave the "My Profile" page open, and use another web browser or new private window to https://admin.cs.vt.edu to register your device and test. Doing this will allow you to disable MFA if you have trouble registering.

Registering Device

The first time you log into your account after turning MFA on, you will be prompted to register your MFA device. This is done using either a QR code or a secret key; both are displayed on the screen. Both the QR code and the secret key are sensitive, so keep them safe! Printing the QR code is a great way to keep a hard copy backup of your MFA code. Once you have entered the QR code or secret key into your app, click on the "Confirm" button and it will prompt you for your TOTP code. You can give the device a name, which can only be set at the time of registration. You can register additional TOTP devices by going to https://login.cs.vt.edu/cas

Passkey

Warning: Passkey support varies widely across operating systems and devices.

When Passkey is enabled, CS login protected websites will follow this login flow:

  • If you are logging in from a new or unknown computer and browser
    • You are first prompted for your username and password
    • After successful password login, you will be prompted to present your passkey
    • Generally, an operating system window will pop up giving you the option to select your passkey device
    • After successfully presenting your passkey, you will be prompted if you want to register the device as "trusted." If you register, then you won't be prompted for the MFA token on this computer/browser combo for a certain amount of time. If you skip, then you will be prompted again next login.
    • After device registration, you should be taken to your destination site

Recommended steps for enabling CS MFA:

  • Go to https://admin.cs.vt.edu/my-profile and enable MFA
  • Leave the "My Profile" page open, and use another web browser or new private window to https://admin.cs.vt.edu to register your device and test. Doing this will allow you to disable MFA if you have trouble registering.

Registering Device

The first time you log into your account after turning MFA on, you will be prompted to register your MFA device. Passkey device registration is handled by your operating system, so the process will vary greatly.

Tips

  • Give your TOTP device a meaningful name when you first register it
  • Make sure to back up your Google Authenticator codes, and transfer them to any new phone you get.
  • You can use a printout of your QR code as a hard copy backup. Make sure to keep this safe!
  • If your TOTP device fails to register for whatever reason, you will need to generate a new QR code by closing the browser and logging in again.
  • If you get locked out of your account because of MFA, Contact Techstaff.
  • You can review your registered and trusted devices by logging into https://login.cs.vt.edu/cas