Skip to content

Two factor authentication

Two factor authentication adds an extra layer of security on top of your password, usualy requiring access to a physical personal device like your smartphone or a security key.

To log in using two-factor authentication, click on "Log in with Two-factor" in the CERN SSO page. Some applications will only allow access if you logged in using this option.

Recent changes

In March 2020, we are upgrading from Keycloak 7 to 8. As part of this upgrade, we moved away from the legacy FIDO-U2F standard to the newer WebAuthn. We can't migrate existing FIDO-U2F credentials to the new standard, so if you were using a Yubikey you will have to set it up again. This change only applies to the Single Sign-On, and not to SSH credentials.

After this upgrade, FIDO compliant Yubikeys will still be supported, and you will be able to set up other compatible devices such as some fingeprint readers or Google Titan keys.

Actions needed

  1. Users of only Authenticator App: No action needed.
  2. Users of only Yubikey: Log in using the Two-factor option and follow the instructions to set up the Yubikey again.
  3. Users of Authenticator App and Yubikey: Your default second factor method is now OTP (previously known as Authenticator App). Follow the steps below (Setting up WebAuthn for a Yubikey) if you want to enable the WebAuthn option for logging in with the Yubikey.
  4. New users: Follow the guides below to set up second factor credentials of your choice.

Naming changes

  • Authenticator App has been renamed to OTP.
  • Yubikey has been renamed to WebAuthn.

Setting up OTP for Smartphones

One Time Password is the default method for second factor authentication. You will need a smartphone and a TOTP compatible application. We support these applications for the CERN SSO:

On Android:

On iPhone:

Once you installed a compatible application, log in using the "Log in with Two-factor" option. Follow the instructions in the login page: you will have to scan a QR code using the application and type the single use code from your phone.

Every time you log in again using this option, you will be asked to type a new single use code from your application.

Setting up WebAuthn for a Yubikey

Please make sure that you already have your own Yubikey or compatible device before enabling WebAuthn for your account. You can test device compatibility here: https://webauthn.io/

  1. Make sure you are logged out and go to: https://users-portal.web.cern.ch
  2. Log in using the Two-factor option.
  3. Type your OTP code or set up OTP credentials. This step is required for the first login, but you can disable OTP later if you prefer not to use it. If you don't have a smartphone, there are two available alternatives:
    1. Oficial support: open a ticket to the SSO Service to change your second factor method to WebAuthn.
    2. Try Yubico Authenticator for desktop (not officially supported).
  4. On the top bar, click on Accounts.
  5. Click on your CERN account.
  6. You will see options for Second Factor Authentication at the bottom of the page.
  7. Toggle on Enable WebAuthn credentials.

You will now be able to use both OTP and WebAuthn credentils as second factor. If you prefer to completely disable OTP, toggle off Enable One Time Password credentials.

  1. Log out and go back to: https://users-portal.web.cern.ch
  2. Log in using the Two-factor option and follow the steps to configure your Yubikey.