Struggling to set up 2FA?
First, make sure you've read through this Guide. We have compiled a list of Frequently Asked Questions below and will continue to add to it.
General
Which tokens should I set up?
Ideally, set up one OTP token and one WebAuthn token. This way if you lose one token you will be able to reset it using the other.
I've lost my phone and can't log in with 2FA - help!
If you have registered a WebAuthn token, you can authenticate with it to the Users' Portal, reset your OTP settings and register for OTP again. Otherwise, raise a ticket with the Service Desk who will check your identity and reset your OTP settings.
Sometimes the SSO mentions that I'm already logged in
If several browser tabs pointing at SSO-protected websites are open before you log in, the tab in which you actually log in is redirected to the requested page, while the other tabs display the message "You are already logged in". We recommend opening additional tabs to SSO-protected websites only after logging in. The issue has been reported to the upstream provider of the SSO identity provider software (Keycloak).
Preferred 2nd factor
You can choose your preferred 2nd factor, either OTP or Yubikey, on the Users' Portal: go to "Configure Multifactor" and make your pick under "Default login method". This shortens the login experience, since the SSO prompts for your preferred factor first.
How can I limit the number of times that I need to log in?
In order to limit the number of times you need to log in, use one browser consistently for your work and do not close it. Your login will be valid for 12 hours in a browser that remains open.
Do I need to have an Internet connection for my phone?
No. Smartphone TOTP apps are essentially pocket calculators: after the initial setup they work independently, computing your TOTP code from the local time (this is why it is important that your smartphone's clock is synchronized with global time) and a "seed" transferred during the initialization phase. No Internet connection is needed, nor a mobile network, mobile data, roaming or WiFi.
One-Time-Password Applications (OTP)
Which OTP application should I download?
- Aegis Authenticator for Android
- ente Authenticator for iOS and Android
Other OTP applications may also work. Please make sure to download the application from a trusted App Store.
How long is a TOTP code valid?
A new TOTP code is generated every 30 seconds, and the app shows a countdown of the remaining time. If the time is about to run out, it is perfectly fine to wait for the next code rather than rushing to type the current one.
Why is my OTP code not working?
If you get an "Invalid authenticator code" error when entering your OTP code, it may be due to your phone's time not being set correctly. If this is the case, go to the "Date and Time" settings on your phone and set it to use the network-provided time.
Some OTP apps, such as Google Authenticator, allow synchronizing the clock time from within the app. To synchronize your clock go to: "Settings" -> "Time correction for codes" and press the "Sync now" button.
If it is still not working, double-check that your app does not contain an older OTP registration for CERN SSO. Some OTP applications do not replace an existing configuration correctly when you register again, and the old entry then generates invalid codes. You should be able to delete the previous OTP registration within your application.
I'm changing phones, will OTP work on my new phone?
Yes, but you need to transfer your OTP secrets from the old to the new phone:
- Some OTP authenticator applications will allow you to migrate between devices (export OTP secrets from one phone, and import them into another phone) - look up specific instructions for whichever OTP authenticator application you are using.
- Other authenticator apps store the secrets used to generate the OTP codes in the cloud. That makes switching devices, or using the same codes on multiple devices, a lot easier. The downside is that, depending on how the cloud component is implemented, the risk of those secrets being leaked can be considerably higher.
Alternatively, you can just reset your OTP, and configure it on the new phone. To do that, go to Users' Portal, "Configure 2FA" and click on "Reset OTP" button. Next time you log in to CERN Single Sign-On, you will be asked to configure OTP again - you can use your new phone to do that. (Note however that OTP on the old phone will stop working.)
If you have any issues, or got stuck in the process, please raise a ticket with the Service Desk who will check your identity and reset your OTP settings.
Hardware Tokens (WebAuthn)
What can I use as a WebAuthn token?
There is an ever-increasing number of WebAuthn authenticators, falling into two categories: biometric authenticators built into your device (your laptop or phone may already have a fingerprint reader or facial recognition that supports WebAuthn) and separate hardware tokens. An alternative is to get a Yubikey, see KB0006587.
My Yubikey doesn't work for SSO
If you own a very old Yubikey (USB Type-A, without any symbol on the golden contact, previously used for SSH 2FA), you will need to have it replaced at the IT secretariat with a new one (you have a choice between USB Type-A, USB Type-C, and USB Type-C with NFC support). NFC-enabled Yubikeys make logins on mobile devices even faster. Note that you will need to register any new Yubikey you get (see KB0006587).
How can I enable WebAuthn but not OTP?
In this case please raise a ticket with the Service Desk, who will configure your account so that WebAuthn is enabled and requires initialisation.
How can I set up my fingerprint reader?
Certain fingerprint readers on Windows laptops and Macbooks, but also biometric sensors on some smartphones, can be used as (convenient) 2FA hardware. However, their support strongly depends on your device, its operating system, and the browser you use.
The following combinations are known to work with CERN SSO (others may work, too):
- Fingerprint reader on Macbooks:
  - Chrome browser (when asked during the registration process, choose "Your Chrome profile"; "iCloud Keychain" could also work, depending on your iCloud settings)
  - other browsers to be confirmed
- Fingerprint reader on Windows: Edge, Chrome and Firefox browsers (when asked during the registration process, choose "Windows Hello")
To see if your hardware biometric sensor works on your device and browser, please test it first at https://webauthn.io:
- At the top of the page, type in any username and hit "Register" button
- Follow the instructions
- Once registered, test it by hitting "Authentication" button
Once you confirm that your fingerprint reader (or other biometric sensor) works with your browser, you are ready to configure it for your CERN account on CERN SSO.
Please note
Once you start the process, you need to complete it (register a new WebAuthn token), otherwise you will not be able to log in via CERN SSO. For this reason, we strongly recommend that you do it during working hours, so that in case of any issues, you could ask Service Desk or IT SOS to disable WebAuthn for your account.
Steps:
- Log in to https://users-portal.web.cern.ch and go to "Configure 2FA".
- If not set yet, "Enable WebAuthn credentials for Yubikey or any compatible device". Else, just do a "Reset WebAuthn" using the button below.
- As stated in the popup message, open a new private/incognito window, keeping the current page open. This is important, as it will allow you to disable WebAuthn in case you do not manage to complete the configuration.
- If (and only if) registration in a new private/incognito window (as described above) doesn't work, log out and log in again using your normal browser.
- Follow the online instructions to register your fingerprint reader, selecting the option that matches your platform, e.g. "Windows Hello", "Your Chrome profile" or "Use Touch ID to sign in?", as listed in the combinations above.
Once the fingerprint reader is correctly registered, you may want to set it as your default 2FA authentication method. To do so, connect to https://users-portal.web.cern.ch, go to "Configure 2FA", and change "Default login method" to WebAuthn. (When logging in from other devices without the fingerprint reader, you will still be able to log in with your existing OTP.)
Can I have several hardware tokens?
The Users' Portal currently supports only one WebAuthn (hardware) token at a time. CERN SSO itself, however, allows more than one WebAuthn device (e.g. both a Yubikey and a fingerprint reader). If you want to become a test user of that feature, contact the Service Desk and ask to have a second hardware token enabled. Please note that this is currently a non-supported feature, to be enabled at your own risk.
Passkeys
"Passkey" is a concept, and a set of supporting technologies, that allows authentication without a password, using only hardware biometric sensors (fingerprint reader, face recognition) or similar security features. (Note that the details of the "passkeys" concept and its implementations depend on the vendor, mobile operating system etc.; there is no single definition or common standard.)
CERN SSO does not plan to offer password-less authentication. However, most of the solutions mentioned above (such as biometric sensors) rely on the WebAuthn standard, which is fully supported by CERN SSO as an option for 2FA (second factor authentication). In other words, fingerprint readers and face recognition can already be used as 2FA on CERN SSO - provided that they are supported by your device, its operating system, and the browser you use.
Looking more into the future, implementations of passkeys on different operating systems and mobile platforms will hopefully converge, and a standard will emerge. In parallel, Keycloak (the software behind CERN SSO) is increasing its support of passkeys. Consequently, it is likely that in the future, CERN SSO will support passkeys more natively, rather than via WebAuthn, as is the case today.
Mobile support
Choice of 2nd factors
The recommended 2nd factor to be used on mobile devices is TOTP via an authenticator application (it's pretty straightforward to switch between the web browser and the authenticator application in order to copy the TOTP code). USB Type-C Yubikeys are available from the IT Secretariat and should be usable on smartphones. We are looking into the possibility of providing Yubikey USB Type-C token with NFC support to make it even easier to use Yubikeys on mobile devices.
How can I speed up logins on mobile devices?
On your smartphone, most authenticator apps let you copy the OTP code with a simple double-tap, so that you can paste it straight into the CERN SSO input field.
2FA for SSH
Will you provide general purpose integrations for using 2FA on the command-line?
Many command-line tools cannot differentiate between 1FA and 2FA logins. For example, many tools rely on Kerberos for authentication, but there is no standard for obtaining a Kerberos ticket using 2FA, nor is there any standard for encoding the fact that a Kerberos ticket was issued after a 2FA login. As such, the decision was taken to restrict the usage of most command-line AI tools to aiadm only, and to require 2FA logins to aiadm nodes.
Will 2FA logins be required for LXPLUS?
There are no plans for that in the immediate term. Administrators of computing services are advised to use AIADM (2FA protected) instead of LXPLUS. For tunnelling into CERN, LXTUNNEL should be preferred.