2FA | Week number | |||||||||
---|---|---|---|---|---|---|---|---|---|---|
Service | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 |
Roundcube | ||||||||||
other web | ||||||||||
ssh | ||||||||||
vdesk | ||||||||||
Console | ||||||||||
Mail client | ||||||||||
VPN | ||||||||||
We will put a two-factor authentication page in front of the Roundcube web stack. This means that you will have to log in twice: first to the 2FA system, then to Roundcube. We realize that this is cumbersome, but Roundcube is currently not two-factor authentication enabled. This will change in the near future, as the current release candidate for Roundcube is 2FA enabled. We expect that it will take a few months before the release candidate is accepted as a full release version. At that point you will only have one login screen.
On our local.strw web site there are several pages that are shielded from general view by a login requirement. All these pages will be converted to two-factor authentication. The following pages will change:
Pages that are under consideration, but will not immediately be 2FA enabled are:
For these pages we will announce well in advance when 2FA will be enabled.
To log in to the Sterrewacht Linux computers the SSH protocol is used. Several programs, such as ssh, putty, MobaXterm, scp, WinSCP and Tunnelier, all use the SSH protocol to communicate with the remote Sterrewacht Linux computers. Any of these programs will require you to enter a One-time passcode once we have enabled two-factor authentication. You can however set up ssh key login, which circumvents password and passcode entry upon login. See the ssh page for more detail.
The Virtual Desktop Service will also be two-factor authentication enabled. Instead of logging in to the vdesk servers with just your username and password, you will also have to provide the 2FA One-time passcode to gain access to this service.
Each time you sit at your desk and want to log in on the main screen(s) of your desktop computer, you need to authenticate yourself to the system. This too will be converted to two-factor authentication. We currently have a test setup and will investigate its stability and user friendliness before it is rolled out to all desktops and VNC login screens. You will be informed well in advance when this change will be implemented system wide.
We are evaluating the current VPN setups at the different institutes: STRW, Physics and Institute Lorentz. The currently different implementations can best be integrated into one service. Once that is done, two-factor authentication will also be introduced here.
When you run your own mail client program, you are effectively authenticating yourself for each read and write operation to your mailbox folders. This is done through the imap and smtp protocols. We currently have a test environment set up to debug any problems introduced by 2FA on these protocols. When we are confident that this test server is ready for production, the configuration will be copied to the production mail server. It is at this moment unclear on what timescale this will happen.