
Struggling to set up 2FA?

First, make sure you've read through this Guide. We have compiled a list of Frequently Asked Questions below and will continue to add to it.

General

Which tokens should I set up?

Ideally, set up one OTP token (an authenticator app; Android: andOTP, Aegis Authenticator, Google Authenticator; iOS: Raivo OTP, OTP Auth, Google Authenticator) and one WebAuthn token (e.g. a Yubikey). This way, if you lose one token you will be able to use the other to log in and reset it.

I've lost my phone and can't log in with 2FA - help!

If you have registered a WebAuthn token, you can authenticate with it to the Users' Portal, reset your OTP settings and register for OTP again. Otherwise, raise a ticket with the Service Desk who will check your identity and reset your OTP settings.

Sometimes the SSO mentions that I'm already logged in

In case multiple browser tabs are opened for SSO protected websites before logging in, the active tab used for logging in to the SSO will redirect to the requested page while the message "You are already logged in" will be displayed in the other tabs. We recommend that you open additional tabs to SSO protected websites after logging in. The issue is followed up with the upstream provider of the SSO Identity Provider software used (Keycloak).

One-Time-Password Applications (OTP)

How long is the token displayed on TOTP?

A new TOTP code is generated every 30 seconds: the code is derived from your secret and the current 30-second window of the clock, so the app and the server compute the same value independently. A count-down in the app shows the remaining time for the current code. It is perfectly fine to wait for the next code if time runs out while you are typing it.

Why is my OTP code not working?

If you get an "Invalid authenticator code" error when entering your OTP code, it may be because your phone's clock is wrong: the code depends on the current time, and the server only tolerates a small skew. If this is the case, go to the "Date and Time" settings on your phone and set it to use the network-provided (automatic) time.

Some OTP apps, such as Google Authenticator, allow synchronizing the clock time from within the app. To synchronize your clock go to: "Settings" -> "Time correction for codes" and press the "Sync now" button.

I'm changing phones, will OTP work on my new phone?

The secrets stored by some TOTP authenticator applications cannot be transferred between phones, for example in the case of Google Authenticator. Others allow you to migrate between devices (look up the specific instructions for whichever TOTP authenticator application you are using). Some authenticator apps store the secrets used to generate the TOTP codes in the cloud, which makes switching devices or using the same codes on multiple devices much easier. The downside is that, depending on how the cloud component is implemented, the risk of those secrets leaking can be considerably higher; anyone holding the secret can generate your codes. The recommended option is to register a WebAuthn token for yourself (e.g. a Yubikey) in the Users' Portal. Once it is set up you will be able to reset your OTP settings yourself and register an OTP application on your new phone. If you are still not able to, please raise a ticket with the Service Desk who will check your identity and reset your OTP settings.

WebAuthn

What can I use as a WebAuthn token?

There is an ever-increasing number of WebAuthn authenticators, falling into two broad categories: those built into your device and unlocked by biometrics, and external hardware tokens. Your device may already feature a fingerprint reader or facial recognition technology that supports WebAuthn. An alternative is to get a Yubikey, see KB0006587.

Mobile support

Choice of 2nd factors

The recommended 2nd factor on mobile devices is TOTP via an authenticator application (it is straightforward to switch between the web browser and the authenticator application to copy the TOTP code). USB Type-C Yubikeys are available from the IT Secretariat and should be usable on smartphones. We are looking into the possibility of providing USB Type-C Yubikey tokens with NFC support to make using Yubikeys on mobile devices even easier.

2FA for SSH

Will you provide general purpose integrations for using 2FA on the command-line?

Many command-line tools cannot distinguish a 1FA login from a 2FA login. For example, many tools rely on Kerberos for authentication, but there is no standard for obtaining a Kerberos ticket using 2FA, nor is there any standard for recording in the ticket that it was issued after a 2FA login, so a downstream service cannot tell the two apart. As such, the decision was taken to restrict the use of most command-line AI tools to aiadm only, and to require 2FA for logins to aiadm nodes.

Will 2FA logins be required for LXPLUS?

There are no plans for that in the immediate term. Administrators of computing services are advised to use AIADM (2FA protected) instead of LXPLUS. For tunnelling into CERN, LXTUNNEL should be preferred.