Doc::MFA: Difference between revisions

From Computer Science Wiki
Carnold (talk | contribs)
Carnold (talk | contribs)
No edit summary
Line 2: Line 2:


== Introduction ==
== Introduction ==
Computer Science login using a simple form of multi-factor authentication (MFA) by sending a one time use token (OTP) to an email address that you have configuredMost all cell phone carriers provide a way to receive an email as a text message so you can set up your CS MFA to utilize your cell phone to authenticate.  The OTP can only be used once, additionally the OTP is only valid for 5 minutesYou can "resend" the token if you run out of time.
Computer Science uses Google Authenticator time based one-time password (TOTP) second factor login.  See this article for more information on using the service: https://support.google.com/accounts/answer/1066447 We recommend using the official Google Authenticator app on your Android or iOS smart phone, however many apps and devices are compatible with Google TOTPWe allow and recommend registering multiple Google Authenticator devices.


== Change your CS MFA email address ==
== Enable MFA ==
* Your CS Profile: https://admin.cs.vt.edu/my-profile/
Currrently, participation in Computer Science MFA is optional.  You can go to https://admin.cs.vt.edu/my-profile to enable or disable MFA for your CS account.  Not all services currently support MFA login, for example SSH to rlogin.  
By default, CS MFA uses your "preferred" email address that is configured in your profile.  If you set the "MFA Email" field in your profile, then it will use that address instead.  Use caution when changing your MFA email, you could lock yourself out of your CS account if the address does not workYou should leave your profile page open, and then in a new "Private/Incognito" browser go to https://2fa.admin.cs.vt.edu to test your change, and make sure you can log in.


== Email to SMS ==
== Registering Devices ==
Most all major cell providers offer a service that will receive a text message from a special email addressFor example, if the phone number is 123-456-7890 and the carrier is AT&T, the email address is <code>1234567890@txt.att.net</code>.  Even 3rd party cell providers will use the network's gateway address.  For example, Visible and Total Wireless both run on the Verizon network and would use the @vtext.com address.
The first time you log into your account after turning MFA on, you will be prompted to register a Google Authenticator deviceThis is done using either a QR code or a secret key, both are display on the screen. Both the QR code and secret key are sensitive, so keep them safe!  Printing the QR code is a great way to keep a hard copy backup of your MFA code.  
 
{| class="wikitable" sytle="margin:auto;border=1"
|+ Here are the SMS and MMS gateways for the major carriers in the United States.
|-
!Carrier !!SMS Gateway !!MMS Gateway
|-
|AT&T ||@txt.att.net ||@mms.att.net
|-
|Boost Mobile ||@sms.myboostmobile.com ||@myboostmobile.com
|-
|Cricket Wireless ||@sms.cricketwireless.net ||@mms.cricketwireless.net
|-
|T-Mobile ||@tmomail.net ||@tmomail.net
|-
|UScellular ||@email.uscc.net ||@mms.uscc.net
|-
|Verizon ||@vtext.com ||@vzwpix.com
|}
Don’t know your carrier? Use a website like https://freecarrierlookup.com/ to look it up.


== Trusted Devices ==
== Trusted Devices ==
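Review bot: In the new "Enable MFA" paragraph, "Not all services currently support MFA login, for example SSH to rlogin" names one exception and leaves readers guessing which other services still accept a password alone; list them or link to a list, so users know where the second factor does not apply. Two typos in the added text should be fixed before saving: "Currrently" and "both are display on the screen". The removed text told users to test a change in a private window before closing their profile page; an equivalent caution for the first TOTP registration would fit under "Registering Devices".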
Line 34: Line 14:


== Tips ==
== Tips ==
* Be sure not use a MFA email address that is accessible from your CS account.  For example, do not use <code><pid>@cs.vt.edu</code> or <code><pid>@vt.edu</code> that forwards to your <code><pid>@cs.vt.edu</code> address.  If a hacker got your password, then they could login to your email to retrieve the OTP.
* Make sure to backup your Google Authenticator codes, and transfer them to any new phone you get
* The OTP is formatted such as <code>CASMFA-123456</code>  Entering the "CASMFA-" part is optional.  You can save time by just entering the numbers.
* You can use a printout of our QR code as a hard copy backupMake sure to keep this safe!
* Your MFA email can only be a single addressIf you want to use multiple email addresses for redundancy, then Techstaff can create an email alias that can go to multiple addresses.
* If you get locked out of your account because of MFA, [[Contact Techstaff]]
* Use caution when updating your MFA email address, you can accidentally lock yourself out of your account.  Test your change in a private/incognito window before closing your profile page.
* As a fail-safe, you can login into your CS account without MFA if you are connected to the VT VPN.
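Review bot: The Tips list drops "As a fail-safe, you can login into your CS account without MFA if you are connected to the VT VPN" without saying whether that bypass still exists under TOTP; if it does, keep the tip, since it is both a recovery path and a route around the second factor that users should know about, and if it does not, say so in the edit summary, which is empty. In the new bullets, "our QR code" probably should read "your QR code", and "backup" used as a verb should be "back up".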

Revision as of 11:15, 26 August 2024

Computer Science Multi-factor Authentication

Introduction

Computer Science uses Google Authenticator time-based one-time password (TOTP) second-factor login. See https://support.google.com/accounts/answer/1066447 for more information on using the service. We recommend using the official Google Authenticator app on your Android or iOS smartphone; however, many apps and devices are compatible with Google TOTP. We allow and recommend registering multiple Google Authenticator devices.

Enable MFA

Currently, participation in Computer Science MFA is optional. You can go to https://admin.cs.vt.edu/my-profile to enable or disable MFA for your CS account. Not all services currently support MFA login, for example SSH to rlogin.

Registering Devices

The first time you log into your account after turning MFA on, you will be prompted to register a Google Authenticator device. This is done using either a QR code or a secret key, both of which are displayed on the screen. Both the QR code and secret key are sensitive, so keep them safe! Printing the QR code is a great way to keep a hard copy backup of your MFA code.

Trusted Devices

After you successfully log in with CS MFA, you have the option to remember the device for a certain amount of time. This means CS MFA won't ask you to enter your OTP again from this specific "device" until it expires. You should only do this on machines that you trust, such as your desktop/laptop. The "device" is specific to the machine and browser that you are using. For example, if you have Firefox on your laptop saved as a trusted device, then you log in from Chrome on the same machine, it will still ask for your OTP.

Tips

  • Make sure to back up your Google Authenticator codes, and transfer them to any new phone you get.
  • You can use a printout of your QR code as a hard copy backup. Make sure to keep this safe!
  • If you get locked out of your account because of MFA, contact Techstaff.