
Two-factor authentication

Two-factor authentication adds an extra layer of security on top of your password, usually requiring access to a physical personal device like your smartphone or a security key.

Some applications will only allow access if you have logged in using this option.

Glossary

The guide below and the web portals may contain some technical words from the following list:

  • Authenticator app or Authenticator application: An application, usually on a smartphone, that has to be used for a second-factor authentication step.
  • Security key: A physical hardware token that can be connected to your device and used for a second-factor authentication step.
  • Yubikey: A commercial security key from Yubico that you can request at CERN.
  • WebAuthn: A web standard for authentication compatible with many security keys, including the Yubikey.
  • One-time password (OTP): Any authentication mechanism in which the user uses a temporary password only once, usually as a second-factor authentication step with an Authenticator Application.

Some of the portals may use "OTP" to refer to the Authenticator Application method and "WebAuthn" or "Yubikey" for Security Key. These terms will usually have the same meaning when configuring your CERN account.

Setting up a 2nd factor authentication method

Getting a Yubikey

If you are part of the CERN IT department, just pass by the IT secretariat. Anyone else should order a Yubikey via this ServiceNow request in order to have a TID created. The cost per Yubikey is less than 50 CHF.

Using a private Security Key

It is possible to use your private Security Key with the SSO as long as it supports WebAuthn.

However, using your private Security Key for SSH requires custom configuration and then sending the secrets to the security team.

Help! I've lost my phone/security key

If you have a second two-factor method already set up, you can use it to authenticate to the Users Portal and follow the reset procedure described in KB0006587.

If you do not have a second two-factor method already, please raise a ticket with the Service Desk, who will perform the reset after a successful ID check.

"You should set up your 2-factor authentication"

If you start the 2FA registration process from the login form "You should set up your 2-factor authentication" and cannot complete it, the process will reset on your next login.