On the 20th of May 2025 we are enabling 2FA (second-factor authentication) on the C&CZ services: DIY, Roundcube and SSH on the login servers.
In this article you can find information on this roll-out and how to activate 2FA on your Science account.
As mentioned in an earlier news item, we’ve finished the tests and reached the following conclusions:
- Anyone with a Science account can enable 2FA in DIY using this procedure.
- For about 6 weeks you can enable 2FA in DIY. You must have activated 2FA by the 20th of May 2025 if you want to use DIY, Roundcube or SSH on the login servers.
- After this date we'll make those services globally reachable again; we will remove the IP restrictions.
- If you are using network storage, nothing will change.
- Users with a new Science account need to log in to DIY within 20 days to enable 2FA; see below for more details.
In summary: on the 20th of May 2025 we will require 2FA on DIY, Roundcube and SSH on the login servers.
If you are currently using an SSH public key, we will also ask for 2FA. If you have automated scripts that run into trouble because of 2FA, come talk to us.
Enabling 2FA in DIY
This is the procedure for enabling TOTP in DIY. Note that once you enable it, you must use 2FA the next time you log in to DIY.
Info
TOTP is an abbreviation for Time-Based One-Time Password.
YubiKey
If you own a YubiKey and you want to use it for authentication (as well as TOTP), you need to email a blurb from the YubiKey to helpdesk@science.ru.nl, as it is not (yet) possible to add this yourself in DIY.
The 2FA TOTP authentication must also be enabled in DIY. Once that's the case, both methods will work for 2FA.
Note that the YubiKey OTP relies on an external service from Yubico, which may not be available at all times; in that case you can still use the TOTP method.
GitLab
The C&CZ GitLab service also uses 2FA, but this is a separate implementation. It remains unclear whether we can bring GitLab under the same 2FA regime as your Science account.
New Science Accounts
For a new Science account, the following procedure applies:
When the account is created, a temporary password is emailed to the new user's external address. To make setting up 2FA practically workable, it is possible to log in without 2FA for 20 days. During this 20-day period, the new user can activate 2FA for themselves in DIY. After this period, logging in without 2FA is no longer possible. This also applies to DIY. For assistance in resolving this, please don't hesitate to contact us.