Timeline two-factor authentication implementation STRW

2FA Week number
Service | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20
Roundcube
other web
ssh
vdesk
Console
Mail client
VPN

Tuesday March 16, Roundcube

We will put a two-factor authentication page in front of the Roundcube web stack. This means that you will have to log in twice: first to the 2FA system, then to Roundcube. We realize that this is cumbersome, but Roundcube is currently not two-factor authentication enabled. This will change in the near future, as the current release candidate for Roundcube is 2FA enabled. We expect that it will take a few months before the release candidate is accepted as a full release version. At that point you will only have one login screen.

Monday March 22, Other web pages

On our local.strw web site there are several pages that are shielded from general view by a login requirement. All of these pages will be converted to two-factor authentication. The following pages will change:

Pages that are under consideration, but will not immediately be 2FA enabled, are:

For these pages we will announce well in advance when 2FA will be enabled.

Monday March 29, SSH protocol

To log in to the Sterrewacht Linux computers, the SSH protocol is used. Programs such as ssh, putty, MobaXterm, scp, WinSCP and Tunnelier all use the SSH protocol to communicate with the remote Sterrewacht Linux computers. Any of these programs will require you to enter a one-time passcode once we have enabled two-factor authentication. You can, however, set up ssh key login, which circumvents password and passcode entry upon login. See the ssh page for more detail.

Monday April 12: vdesk service

The Virtual Desktop Service will also be two-factor authentication enabled. Instead of logging in to the vdesk servers with just your username and password, you will also have to provide the 2FA one-time passcode to gain access to this service.

Monday April 19: Linux Console Login

Each time you sit at your desk and want to log in on the main screen(s) of your desktop computer, you need to authenticate yourself to the system. This too will be converted to two-factor authentication. We currently have a test setup and will investigate its stability and user friendliness before it is rolled out to all desktops and VNC login screens. You will be informed well in advance when this change will be implemented system wide.

TBD (more distant future): VPN services

We are evaluating the current VPN setups at the different institutes: STRW, Physics and Institute Lorentz. The currently different implementations can best be integrated into one service. Once that is done, two-factor authentication will also be introduced here.

TBD (near future): Mail Client access

When you run your own mail client program, you are effectively authenticating yourself for each read and write operation on your mailbox folders. This is done through the IMAP and SMTP protocols. We currently have a test environment set up to debug any problems introduced by 2FA on these protocols. When we are confident that this test server is ready for production, the configuration will be copied to the production mail server. It is at this moment unclear on what timescale this will happen.