Two-factor authentication
Two-factor authentication adds an extra layer of security on top of your password, usually requiring access to a physical personal device like your smartphone or a security key.
To log in using two-factor authentication, click on "Log in with Two-factor" in the CERN SSO page. Some applications will only allow access if you logged in using this option.
Subscribing to Always-on 2FA
Since 2022, CERN has been migrating to an Always-on 2FA login flow, meaning 2FA is mandatory for every user login. Users can voluntarily enrol in this new 2FA flow by subscribing to the 2fa-wins E-group.
Glossary
The guide below and the web portals may contain some technical words from the following list:
- Authenticator app or Authenticator application: An application that has to be used, usually on a smartphone, for a second factor authentication step.
- Security key: A physical hardware token that can be connected to your device to use it for a second factor authentication step.
- Yubikey: A commercial security key from Yubico that you can request at CERN.
- WebAuthn: A web standard for authentication compatible with many security keys, including the Yubikey.
- One-time password (OTP): Any authentication mechanism where the user has to use a temporary password only once, usually as a second factor authentication step by using an Authenticator Application.
Some of the portals may use "OTP" to refer to the Authenticator Application method and "WebAuthn" or "Yubikey" for Security Key. These terms will usually have the same meaning when configuring your CERN account.
Setting up a 2nd factor authentication method
- Step-by-step guide: KB0006587
Getting a Yubikey
If you are part of the CERN IT department, just pass by the IT secretariat. For anyone else, please order your Yubikey via this ServiceNow request in order to have a TID created. The cost per Yubikey is less than 50 CHF.
Using a private Security Key
It is possible to use your private Security Key with the SSO as long as it supports WebAuthn.
However, using your private Security Key for SSH requires custom configuration and then sending the secrets to the security team.
Help! I've lost my phone/security key
If you have a second two-factor method already set up, you can use it to authenticate to the Users Portal and follow the reset procedure described in KB0006587.
If you do not already have a second two-factor method, please raise a ticket with the Service Desk, which will perform the reset after a successful ID check.
Error message: "First authenticated user is not the one authenticated by the Security key."
This error can occur if you set up a passkey for WebAuthn before your account was migrated to "always-on-2FA". Here's why:
- Passkeys and WebAuthn: When you set up WebAuthn, many systems try to push users to use passkeys (instead of physical security keys like a Yubikey). Passkeys are tied to the specific URL where they were created.
- URL Mismatch: If you created a passkey for the Two-factor authentication login form (before "always-on-2FA" was enabled), once your account is migrated to the main login form (which uses a different login URL), the passkey no longer matches the URL for authentication. This causes the login error.
Solution:
- Set up your passkey after your account is migrated to "always-on-2FA".
- Make sure to configure the passkey for the main login form, not on the secondary login form (labeled "Two-factor authentication").
- Configure your hardware token (Yubikey) instead of a passkey.
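To illustrate the URL mismatch described above, here is a simplified relying-party model written for this page (added example, not CERN's SSO code): the two origins are constructed placeholders, and the model records the origin each credential was created at and rejects an assertion that arrives from a different origin, which is the failure the error message reports.

```python
import base64
import json

# Constructed origins standing in for the two login forms the text describes
# (assumed values, not CERN's real URLs).
TWO_FACTOR_FORM_ORIGIN = "https://2fa-login.example.org"
MAIN_LOGIN_ORIGIN = "https://login.example.org"


def _b64u_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(ctype: str, challenge: bytes, origin: str) -> str:
    """clientDataJSON as the browser produces it for a page served at `origin`."""
    payload = {"type": ctype, "challenge": _b64u_encode(challenge), "origin": origin}
    return _b64u_encode(json.dumps(payload).encode())


def register(store: dict, cred_id: str, client_data: str, challenge: bytes) -> str:
    """Registration: keep the credential together with the origin it was created at."""
    data = json.loads(_b64u_decode(client_data))
    if data["type"] != "webauthn.create" or _b64u_decode(data["challenge"]) != challenge:
        return "rejected"
    store[cred_id] = {"origin": data["origin"]}
    return "registered"


def authenticate(store: dict, cred_id: str, client_data: str, challenge: bytes) -> str:
    """Assertion: type, challenge and origin must all line up with the stored credential."""
    data = json.loads(_b64u_decode(client_data))
    if data["type"] != "webauthn.get" or _b64u_decode(data["challenge"]) != challenge:
        return "rejected: bad type or challenge"
    cred = store.get(cred_id)
    if cred is None:
        return "rejected: unknown credential"
    if data["origin"] != cred["origin"]:
        return f"rejected: origin mismatch ({data['origin']} != {cred['origin']})"
    return "ok"


def demo() -> tuple:
    """Passkey created on the two-factor form, then used on the main login form."""
    store = {}
    reg = register(store, "cred-1", make_client_data("webauthn.create", b"c1", TWO_FACTOR_FORM_ORIGIN), b"c1")
    wrong = authenticate(store, "cred-1", make_client_data("webauthn.get", b"c2", MAIN_LOGIN_ORIGIN), b"c2")
    right = authenticate(store, "cred-1", make_client_data("webauthn.get", b"c3", TWO_FACTOR_FORM_ORIGIN), b"c3")
    return reg, wrong, right
```

Running `demo()` shows the same credential succeeding on the form it was created for and being rejected on the other one, which is why the fix is to create the passkey on the main login form after migration.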