At the end of last year we promised an update on how we are planning to make access to our services more secure. In this post we expand on those plans.
In short: we are going to deploy 2FA on Science accounts and make it mandatory for services that are reachable from the internet.
How this all works from an organizational standpoint is, at this point, not completely clear yet. Do we need an “in-person” vetting procedure? Or do we allow users to enable this themselves in DIY? Ideas on this will surface after the test period.
For the test we will need a few people willing to try out 2FA, especially if you are a contact person for a few Science accounts or good with SSH (not a hard requirement). If interested, please let us know. The test period will run for about 6 weeks once we have gathered enough people willing to help.
Background
We have started to implement Time-based One-time Password (TOTP) as a second factor in the new DIY. We first want to roll this out to a (small) subset of Science users to gain experience.
This TOTP uses a 6-digit code that is generated on your phone using an authenticator app (like “Google Authenticator” or “Microsoft Authenticator”). We have tested this and are ready to enable it in the new DIY.
Other types of token, such as hardware tokens like YubiKeys, will probably also be supported in the future, but this is less of a priority at the moment.
2FA on DIY
The current idea (and implementation) is that when you are logged in to DIY with TOTP you are allowed to do more. One of the first things is the management of the public SSH keys that are now required to log in on the LILOs. If you are a contact for other Science accounts you are also allowed to manage their public keys.
In the future, more things will be put “behind 2FA”; which ones will become clear during the test period.
2FA on RoundCube
RoundCube will be one of the first services that will support 2FA. This support will become active at …