======Two-Factor Authentication (2FA) @ STRW======
{{ services:2fa_graphic.jpg?nolink&400|}}
Please read this document carefully or jump to
* [[:services:2fa#first_time_access|First Time Access]]
* [[:services:2fa#setup_ssh_keys|Setup ssh keys]]
=====Introduction=====
* [[:services:2fa:introduction|why, where and how]]
[[:services:2fa:acronyms|Note on acronyms]]
======Working with 2FA======
Below we describe in detail how to work with 2FA. It is quite straightforward once you get the hang of it.
=====First Time Access=====
Before you can use 2FA, both we and you need to set up a few things.
* **You should own a Smart Phone or Personal Computer**: Since during the 2FA process you need to generate **passcodes (a six digit number)** automatically based on a secret key you and the 2FA system have exchanged, you need a program to perform this action. This program can either be on a Smart Phone or Personal Computer.
* **Verify your private email address**: We also need a private email address to mail you the verification email during the 2FA setup. Please contact the helpdesk to verify that your private email address is known and correct.
First time access:
* [[services:2fa:smartphone|with a Smart Phone]] or
* [[services:2fa:computer|with a Personal Computer]]
* [[services:2fa:continued|remaining setup]]
=====Browser Extension=====
For several popular internet browsers (Edge, Firefox, Chrome, ...) there is a very convenient add-on/extension/plugin that can be installed on your Personal Computer to generate the 2FA passcodes. This also works for the Multi-Factor Authentication (MFA) of Leiden University uaccount services. After 2FA / MFA is activated, here are the steps to install and activate the browser extension:
* [[services:2fa:browserextension|Authenticator Extension]]
=====Regular use of 2FA=====
====WEB access====
Each time you access a WEB page that needs authentication, you will have to go through the 2FA procedure. We do have Single SignOn set up, which means that once logged in onto the local Observatory WEBsite you do not have to re-login if you hit another page that needs authentication.
\\
You have already experienced the 2FA redirection when first setting up 2FA for your account, so this screen should now be familiar to you. Note that the first part of the URL of this form shows that you have been redirected to our Identity Provider: ''idp.strw.leidenuniv.nl''. After a successful login you are directed back to the original page you tried to access.
Fill in your STRW account credentials and click ''%%Sign in%%''.
\\
\\
\\
You are now presented with the second authentication window asking for your passcode. So get your smart phone, open the authentication APP and find the block name ''Leiden Observatory Intranet'' and your account name. Click that block to obtain the passcode. Or execute your computer program to obtain a passcode.
Transfer the presented passcode into the WEB form. Then complete your login by clicking the ''%%Sign in%%'' button.
\\
You should now end up at the page you tried to open in the first place.
In case of problems, look at the [[services:2fa#fa_problems|2FA Problem]] section at the end of this page.
====ssh====
After you have set up your 2FA secret key, the systems will know that you have done so and within a period of at most 30 minutes the ''%%ssh%%'' remote login, and all associated programs using this protocol such as ''%%scp%%'' and ''%%sftp%%'', will start asking for your passcode as a second identity verification step.
Again it is straightforward to use 2FA in this case. Whatever program you use to ssh into the Observatory computer system, you will be prompted for the passcode. So always keep your smart phone or personal computer nearby.
Here is a sample login:
<code>
# ssh -l <username> <hostname>
Password:
One-time password (OATH) for `<username>':
Welcome to the Sterrewacht Leiden workstations
Access is allowed for authorized users only. Abuse will be tracked.
Helpdesk Room HL407 Tel 8444
Last login: Thu Mar 4 09:35:07 2021 from 132.229.xxx.yyy
</code>
where ''%%<hostname>%%'' is the name of the Observatory desktop or server you want to access and ''%%<username>%%'' is the name of your Observatory account. At the ''%%Password%%'' prompt you provide your personal account password, and at the ''%%One-time password (OATH) for `<username>':%%'' prompt you enter the passcode you get from the smart phone APP or computer program.
That is all!
In case of problems, look at the [[services:2fa#fa_problems|2FA Problem]] section at the end of this page.
====Making ssh operations easier====
Of course it is not very handy to have to authenticate with the 2FA mechanism each time you log in between computers at the Observatory. Therefore, we have disabled 2FA for the case where you have set up personal ssh keys. So if you set up ssh keys at the Observatory, you do not have to type in either your password or your passcode.
===Setup ssh keys===
Go to the [[:services:2fa:sshkeys|how to set up ssh keys]] page for a detailed description of ssh key configuration.
Also read the generic dokuwiki page on [[:SSH#ssh_keys|ssh]], section SSH Keys, on how to set up ssh keys in your Observatory account.
=====2FA Problems=====
====New phone====
If you obtained a new phone and would like to use it to generate the passcodes, then you can obtain a copy of your secret code by visiting our [[https://intranet.strw.leidenuniv.nl/services/?node=43|STRW Self Service page]] (note that this page is on the intranet, so you need to login).
**If you lost your phone, your 2FA secret code has to be reset (see below)**
====Loss of or damage to Smart Phone or Personal Computer====
It might happen that you lose your smart phone or personal computer, or are otherwise deprived of your secret key. In that case you need to perform the following actions, in the given order, to reset 2FA:
* Contact the Observatory helpdesk
* Reset your password
* Re-initiate the 2FA process as described above in the 'First Time Access' section
====Error Message====
If you see **Two-factor authentication has not been setup for your account yet. Please refer to
the computer documentation on the institute webpage for the description and setup of 2FA**, this means your secret code has not trickled down to this system yet. It may take up to 30 minutes after setting up 2FA before all Observatory systems know about your secret key. So be patient and try again in 30 minutes.
====Code not accepted====
Note that the passcodes have a lifespan of 30 seconds and that both the Observatory computers and your Smart Phone or personal computer need to be in time sync. If the codes are rejected, open the 2FA app settings and select "**Time synchronisation**"; after this the codes should work again. You might also have been just a bit too late confirming your passcode. In that case repeat the process of creating the passcode and entering it into the prompt/web form.
In principle the system also allows passcodes from the previous or next timeslot, so you should have a total of 90 seconds to deliver a trusted passcode. This period is shortened if the Observatory time keeping differs slightly from your smart phone or personal computer time keeping.
====Secret is compromised====
You need to perform the following actions, in the given order, to reset 2FA and get a new key:
* Contact the Observatory helpdesk
* Reset your password
* Re-initiate the 2FA process as described above in the 'First Time Access' section