Skip to content

Struggling to set up 2FA?

First, make sure you've read through this Guide. We have compiled a list of Frequently Asked Questions below and will continue to add to it.


Which tokens should I set up?

Ideally, set up one OTP token and one WebAuthn token. This way if you lose one token you will be able to reset it using the other.

I've lost my phone and can't log in with 2FA - help!

If you have registered a WebAuthn token, you can authenticate with it to the Users' Portal, reset your OTP settings and register for OTP again. Otherwise, raise a ticket with the Service Desk who will check your identity and reset your OTP settings.

Sometimes the SSO mentions that I'm already logged in

In case multiple browser tabs are opened for SSO protected websites before logging in, the active tab used for logging in to the SSO will redirect to the requested page while the message "You are already logged in" will be displayed in the other tabs. We recommend that you open additional tabs to SSO protected websites after logging in. The issue is followed up with the upstream provider of the SSO Identity Provider software used (Keycloak).

Preferred 2nd factor

You can choose your preferred 2nd factor, either OTP or Yubikey, on the Users' Portal. Goto "Configure Multifactor" and make your pick at "Default login method" below. That shortens the login experience.

How can I limit the number of times that I need to log in?

In order to limit the number of times you need to log in, use one browser consistently for your work and do not close it. Your login will be valid for 12 hours in a browser that remains open.

One-Time-Password Applications (OTP)

Which OTP application should I download?

For Android we recommend:

  • andOTP
  • Aegis Authenticator

For iOS (Apple) we recommend:

  • Raivo OTP
  • OTP Auth

Other OTP applications may also work. Please make sure to download the application from a trusted App Store.

How long is the token displayed on TOTP?

A new TOTP token is generated every 30 seconds. A count-down informs about the remaining time. It is perfectly fine to wait for a new TOTP token if time runs out for you.

Why is my OTP code not working?

If you get an "Invalid authenticator code" error when entering your OTP code, it may be due to your phone's time not being set correctly. If this is the case, go to the "Date and Time" settings on your phone and set it to use the network-provided time.

Some OTP apps, such as Google Authenticator, allow synchronizing the clock time from within the app. To synchronize your clock go to: "Settings" -> "Time correction for codes" and press the "Sync now" button.

If it is still not working please double check that you do not have an existing OTP registration for CERN SSO. Some OTP applications do not replace existing configuration correctly and can cause invalid codes to be generated. You should be able to delete a previous OTP registration within your application.

I'm changing phones, will OTP work on my new phone?

The secrets stored in some TOTP authenticator applications are not transferable between phones. Some, however, allow you to migrate between devices (look up specific instructions for whichever TOTP authenticator application you are using). Some other authenticator apps store the secrets used to generate the TOTP codes into the cloud. That makes switching devices or using the same codes on multiple devices a lot easier. The downside being that depending on the actual implementation of the cloud component, the risk of those secrets getting leaked could be considerably increased. The recommended option is to register a WebAuthn token for yourself (e.g. a Yubikey) in the Users' Portal - once it is set up you will be able to reset your OTP settings yourself and register an OTP application on your new phone. If you are still not able, please raise a ticket with the Service Desk who will check your identity and reset your OTP settings.


What can I use as a WebAuthn token?

There are an ever increasing number of WebAuthn token generators, falling into either biometrics or hardware categories. Your device may already feature a fingerprint reader, or facial recognition technology that supports WebAuthn. An alternative is to get a Yubikey, see KB0006587.

My Yubikey doesn't work for SSO

If you own a very old Yubikey (USB Type-A, without any symbol on the golden contact, used for SSH 2FA), you will need to have it replaced at the IT secretariat with a new one (you have a choice between USB Type-A and USB Type-C). Note that you will need to register it (see KB0006587). Soon, we will also have Yubikeys with NFC support, which will make logins on mobile devices even faster.

How can I enable WebAuthn but not OTP?

In this case please raise a ticket Service Desk who will configure the settings so that WebAuthn is enabled and requires initialisation.

Mobile support

Choice of 2nd factors

The recommended 2nd factor to be used on mobile devices is TOTP via an authenticator application (it's pretty straightforward to switch between the web browser and the authenticator application in order to copy the TOTP code). USB Type-C Yubikeys are available from the IT Secretariat and should be usable on smartphones. We are looking into the possibility of providing Yubikey USB Type-C token with NFC support to make it even easier to use Yubikeys on mobile devices.

How can I speed up logins on mobile devices?

On your smartphone, most authenticator apps allow with a simple double-tap on your OTP code to easily copy/pasting it into the CERN SSO input field.

2FA for SSH

Will you provide general purpose integrations for using 2FA on the command-line?

Many command line tools can't differentiate between 1FA and 2FA logins. For example, many tools rely on Kerberos for authentication, but there is no standard for obtaining a Kerberos ticket using 2FA, nor there is any standard for encoding the fact that the Kerberos ticket has been issued using 2FA. As such, the decision was taken to restrict the usage of most command line AI tools from aiadm only and to require 2FA logins to aiadm nodes.

Will 2FA logins be required for LXPLUS?

There are no plans for that in the immediate term. Administrators of computing services are advised to use AIADM (2FA protected) instead of LXPLUS. For tunneling into CERN LXTUNNEL should be preferred.