
Two-factor authentication

Two-factor authentication adds an extra layer of security on top of your password, usually requiring access to a physical personal device like your smartphone or a security key.

To log in using two-factor authentication, click on "Log in with Two-factor" on the CERN SSO page. Some applications will only allow access if you have logged in using this option.

Subscribing to Always-on 2FA

Since 2022, CERN has been migrating to an Always-on 2FA login flow, meaning 2FA will be mandatory for each user login. Users can voluntarily enrol in this new 2FA flow by subscribing to the 2fa-wins E-group.

Glossary

The guide below and the web portals may contain some technical words from the following list:

  • Authenticator app or Authenticator application: An application, usually on a smartphone, that is used for a second-factor authentication step.
  • Security key: A physical hardware token that can be connected to your device and used for a second-factor authentication step.
  • Yubikey: A commercial security key from Yubico that you can request at CERN.
  • WebAuthn: A web standard for authentication compatible with many security keys, including the Yubikey.
  • One-time password (OTP): Any authentication mechanism where the user has to use a temporary password only once, usually as a second-factor authentication step by using an Authenticator Application.

Some of the portals may use "OTP" to refer to the Authenticator Application method and "WebAuthn" or "Yubikey" for Security Key. These terms will usually have the same meaning when configuring your CERN account.

Setting up a 2nd factor authentication method

Getting a Yubikey

If you are part of the CERN IT department, just pass by the IT secretariat. For anyone else, please order your Yubikey via this ServiceNow request in order to have a TID created. The cost per Yubikey is less than 50 CHF.

Using a private Security Key

It is possible to use your private Security Key with the SSO as long as it supports WebAuthn.

However, using your private Security Key for SSH requires custom configuration and then sending the secrets to the security team.

Help! I've lost my phone/security key

If you have a second two-factor method already set up, you can use it to authenticate to the Users Portal and follow the reset procedure described in KB0006587.

If you do not have a second two-factor method already, please raise a ticket with the Service Desk, which will perform the reset after a successful ID check.