------------------------------------
# 2-Factor Authentication (2FA)
<div>
<img src=https://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img01.png title="2-factor-authentication" width="320" style="float:left"/>
<!-- <img src=images/jupyter-jsc_2fa_img01.png title="2-factor-authentication" width="320" style="float:left"/> -->
</div>
## Introduction
2-Factor Authentication (2FA), sometimes referred to as two-factor verification, is a security method in which you provide **two different authentication factors** to identify yourself at login.
This is done to **better protect** both your credentials and the resources you can access with them.
In the **first login step**, you enter your usual (and hopefully strong) password, and the service checks that it is correct.
This does not, however, lead directly to the desired entrance, but to a further barrier.
The **second login step** prevents unauthorized third parties from gaining access to your account just because they have stolen or guessed your password.
A very common second factor is a **One-Time Password (OTP)** generated by a so-called **OTP-App** that you install and initialize once on one of your personal devices.
This *OTP-App* then provides (in our case every 30 seconds) a new *one-time password* that must be entered on the login page.
<div style="clear:both"></div>
<div>
<video controls src="https://multimedia.gsb.bund.de/BSI/Video/2-Faktor-Authentisierung_SD.conv.mp4" width=480 style="float:right"/>
</div>
## Basic Principle
These two factors for authentication combine the building blocks **knowledge** and **possession** in the login procedure.
- **knowledge** - the secret knowledge is the password you enter.
- **possession** - With the *one-time password* you show that you are in possession of a certain device (e.g. your smartphone), because only the *OTP-App* installed on that device holds the secret needed to generate it.
<div style="clear:both"></div>
<div>
<p style="float:right">Source: Bundesamt für Sicherheit in der Informationstechnik (BSI)</p>
</div>
<div>
<img src=https://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img02.png title="2-factor-authentication" width="320" style="float:left"/>
<!-- <img src=images/jupyter-jsc_2fa_img02.png title="2-factor-authentication" width="320" style="float:left"/> -->
</div>
## Algorithm
The **OTP-App** calculates your personal one-time passwords entirely offline, without any contact to the service, using a standardized and open algorithm for the generation of **Time-based One-Time Passwords (TOTP)**.
The *TOTP algorithm* was published in 2011 by the [Internet Engineering Task Force (IETF)](https://www.ietf.org) as [RFC 6238](https://tools.ietf.org/html/rfc6238). It is not a plain hash of the time: it is a keyed hash (an HMAC) of the current time step, computed with a secret key.
TOTP builds on the HMAC-based One-Time Password algorithm (HOTP) of [RFC 4226](https://tools.ietf.org/html/rfc4226). HOTP computes an HMAC (by default HMAC-SHA1) over an 8-byte counter using the shared secret as key, truncates the result to 31 bits and reduces it modulo 10^d to obtain a d-digit code (typically d = 6). TOTP simply replaces the counter with the number of time steps elapsed since the Unix epoch, T = floor(unix_time / 30) for a 30-second step.
The calculation therefore needs two inputs: the **"secret initialization code"** (the HMAC key), which is known to both the server and the client, and the **current time**.
The resulting *one-time password* is valid for one time step (in our case **30 seconds**).
Servers usually also accept the codes of the neighbouring time steps, so that slight clock differences between client and server are tolerated; a conforming server additionally refuses to accept the same code twice, so a code that has already been used is worthless to anyone who observed it.
Hence, any *one-time password* is time-based, calculated locally, and cannot be predicted without the secret key.
<div style="clear:both"></div>
------------------
# How to get started with 2FA
<div>
<img src=https://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img03.png title="2-factor-authentication" width="320" style="float:right"/>
<!-- <img src=images/jupyter-jsc_2fa_img03.png title="2-factor-authentication" width="320" style="float:right"/> -->
</div>
## Preparation
To get ready to use 2-Factor Authentication (2FA) for Jupyter-JSC you have to **prepare** it ONCE:
- (1) **request 2FA** for Jupyter-JSC,
- (a) login to [Jupyter-JSC](https://jupyter-jsc.fz-juelich.de)
- (b) visit https://jupyter-jsc.fz-juelich.de/2fa and request 2FA
- (c) wait for the *confirmation email* and click the provided *activation link*
- (2) **activate 2FA** for Jupyter-JSC,
- (a) install an **OTP-App** which supports the TOTP algorithm
- (b) transfer the **secret initialization code** to this *OTP-App*
- (c) test a first generated **one-time password**.
... and then 2FA is ready to be used the next time you log in.
### 1. Request 2FA
Please login to Jupyter-JSC as usual through https://jupyter-jsc.fz-juelich.de
and visit the webpage **https://jupyter-jsc.fz-juelich.de/2fa** to request 2FA.
Please read the notes on this webpage carefully and click the button **Request 2FA** to start.
A **confirmation email** including an **activation link** will be sent to you directly.
### 2. Activate 2FA
Please follow this *activation link* to instruct Jupyter-JSC to prepare your 2FA.
You will be asked to log in to your account again to receive a **secret initialization code** as QR-Code (and string)
for the required *OTP-App*.
So first, you need to install an **OTP-App** on one of your personal devices (if you haven't done so already),
which you plan to use in the future to generate the required **one-time passwords** each time you log in:
<div style="clear:both"></div>
<div>
<img src=https://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img04.png title="2-factor-authentication" width="320" style="float:left"/>
<!-- <img src=images/jupyter-jsc_2fa_img04.png title="2-factor-authentication" width="320" style="float:left"/> -->
</div>
<div>
<!-- <img src=https://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img04-1.png title="2-factor-authentication" width="320" style="float:right"/>-->
<img src=https://raw.githubusercontent.com/FZJ-JSC/jupyter-jsc-notebooks/master/001-Jupyter/images/jupyter-jsc_2fa_img04-1.png title="2-factor-authentication" width="120" style="float:right"/>
</div>
### a. OTP-App Installation
There are a large number of different *OTP-Apps* available that implement the *TOTP algorithm*.
You have to install **one of them** - for example, take one of the following:
Recommended, free & open-source:
- [**FreeOTP**](https://freeotp.github.io) ([iOS](https://apps.apple.com/de/app/freeotp-authenticator/id872559395), [Android](https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=de))
- [**KeeWeb**](https://keeweb.info) ([Windows](https://keeweb.info), [macOS](https://keeweb.info), [Linux](https://keeweb.info), [online](https://keeweb.info))
Free, but closed source:
- [**Authy**](https://authy.com/download/) ([iOS](https://apps.apple.com/de/app/authy/id494168017), [Android](https://play.google.com/store/apps/details?id=com.authy.authy), [Windows](https://authy.com/download/), [macOS](https://authy.com/download/), [Linux](https://snapcraft.io/authy))
- [**Protectimus Smart OTP**](https://www.protectimus.com/protectimus-smart) ([iOS](https://apps.apple.com/ie/app/protectimus-smart/id854508919), [Android](https://play.google.com/store/apps/details?id=com.protectimus.android))
- [**Google Authenticator**](https://de.wikipedia.org/wiki/Google_Authenticator) ([iOS](https://apps.apple.com/de/app/google-authenticator/id388497605), [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2))
- [**Microsoft Authenticator**](https://www.microsoft.com/en-us/account/authenticator) ([iOS](https://apps.apple.com/de/app/microsoft-authenticator/id983156458), [Android](https://play.google.com/store/apps/details?id=com.azure.authenticator), [Windows 10 Mobile](https://www.microsoft.com/en-us/p/microsoft-authenticator/9nblgggzmcj6))
The *TOTP algorithm* can also be implemented in hardware as a so-called "hardware token" (e.g. [Protectimus Tokens](https://www.protectimus.com/tokens/)); such a token keeps the secret in a separate device, where it is not exposed to malware on your computer or phone.
<div style="clear:both"></div>
<div>
<img src=https://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img05.png title="2-factor-authentication" width="320" style="float:left"/>
<!-- <img src=images/jupyter-jsc_2fa_img05.png title="2-factor-authentication" width="320" style="float:left"/> -->
</div>
### b. OTP-App Initialization & Validation
Before you can use 2FA for Jupyter-JSC, a random, user-specific, unique and **secret initialization code** must be known to both Jupyter-JSC and your *OTP-App*.
This *secret initialization code* is generated by Jupyter-JSC and shown as a **QR-Code** (or string) on the activation page.
The QR-Code carries the *secret initialization code* together with the descriptive data (1) algorithm = TOTP, (2) period of validity = 30 s.
**If you prefer to use the string** instead of the QR-Code, please make sure you set these descriptive data manually in your *OTP-App*; with a wrong period or algorithm the app produces codes that never match.
Treat the QR-Code and the string like a password: anyone who obtains a copy (a screenshot, a forwarded email, a photo of your screen) can generate valid one-time passwords for your account, so do not store or share it after the app has imported it.
Next, the *OTP-App* shows a **verification code** that you have to enter on the activation webpage.
Jupyter-JSC compares the *verification code* you provide with the one it generates itself from the same secret and the current time.
If they match, **2FA is now activated**.
<div style="clear:both"></div>
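The following Python script is an added example and not Jupyter-JSC's own code. It works through the activation step above end to end and, at the same time, through the TOTP/HOTP computation described in the Algorithm section: the server side generates a secret, packs it into the `otpauth://` key URI that authenticator QR codes conventionally encode, the app side parses that URI back (tolerating the lowercase or unpadded base32 strings people type by hand) and computes its first code, and the server verifies it the way a verifier should: with a one-step clock-drift window, a constant-time comparison and a replay check. The page does not say which QR payload Jupyter-JSC uses, so the `otpauth://` format, the issuer and account labels and the 6-digit SHA1 defaults are assumptions. The `hotp` and `totp` functions reproduce the published RFC 4226 and RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed example values (assumptions, not Jupyter-JSC's real settings).
ISSUER = "Jupyter-JSC"
ACCOUNT = "user@example.org"
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then reduction modulo 10^digits (zero-padded on the left)."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, at, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter replaced by the time step floor(at / period)."""
    return hotp(key, at // period, digits, algorithm)


def verify_totp(key, code, at, period=30, digits=6, algorithm="SHA1",
                window=1, last_used_step=-1):
    """Server-side check. Returns the time step the code matched, or None.
    - accepts the current step and +/- `window` neighbours (clock-drift tolerance)
    - skips steps <= last_used_step so an intercepted code cannot be replayed
    - compares in constant time so response timing does not leak matching digits"""
    step = at // period
    for candidate in range(step - window, step + window + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits, algorithm), code):
            return candidate
    return None


def new_secret(nbytes=20):
    """Random 160-bit secret, base32 encoded: the 'string' shown next to the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def key_uri(secret_b32, issuer=ISSUER, account=ACCOUNT, digits=6, period=30, algorithm="SHA1"):
    """otpauth:// key URI, the de-facto payload of authenticator QR codes (assumed format)."""
    label = quote(issuer + ":" + account)
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm={algorithm}&digits={digits}&period={period}")


def parse_key_uri(uri):
    """What an OTP-App extracts when it scans the QR code. Rejects unsupported
    algorithms and tolerates lowercase / unpadded base32, which is common."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in HASHES:
        raise ValueError("unsupported algorithm: " + algorithm)
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)          # restore stripped base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "algorithm": algorithm,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def activate(now=None):
    """Steps 2b/2c end to end: the server issues a secret, the app imports it from the
    QR payload and shows its first code, the server verifies that code. True on success."""
    now = int(time.time()) if now is None else now
    uri = key_uri(new_secret())                 # shown to the user as QR-Code / string
    app = parse_key_uri(uri)                    # the OTP-App scans it
    first_code = totp(app["key"], now, app["period"], app["digits"], app["algorithm"])
    server = parse_key_uri(uri)                 # the server holds the same key
    return verify_totp(server["key"], first_code, now, server["period"],
                       server["digits"], server["algorithm"]) is not None


if __name__ == "__main__":
    print("first code accepted:", activate())
```

`verify_totp` returns the matched step rather than a bare boolean so that a real server can persist it as `last_used_step` for the account; without that bookkeeping, a code phished or shoulder-surfed a few seconds ago would still be accepted within the drift window. The example uses `secrets` for the key and `hmac.compare_digest` for the comparison on purpose: a predictable secret or an early-exit string comparison would undermine exactly the properties the Algorithm section relies on.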
----------------------
<div>
<img src=https://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img06.png title="2-factor-authentication" width="320" style="float:right"/>
<!-- <img src=images/jupyter-jsc_2fa_img06.png title="2-factor-authentication" width="320" style="float:right"/> -->
</div>
### 2FA-Login at Jupyter-JSC
Congratulations! You are now ready to use 2-Factor Authentication with Jupyter-JSC.
Login is now as simple as this:
1. **Enter your JSC-account password**
Each time you log in, you enter your JSC-account password as usual.
2. **Enter the current one-time password**
You will then be asked for a *one-time password*, which you read from your installed and initialized *OTP-App* (e.g. on your smartphone). If the 30-second period runs out while you are typing, simply enter the next code.
A one-time password only proves that you hold the device; it does not help if you type it into a fake login page that relays it to the real service within its validity period, so check that the address bar shows https://jupyter-jsc.fz-juelich.de before entering it.
**Remember me**
Jupyter-JSC can set a cookie to remember that you have already logged in from this device.
Just tick the "Remember me" **checkbox** where you enter the *one-time password*.
Jupyter-JSC then **skips the request** for a *one-time password* in this browser on that device for **one week**.
During that week the cookie stands in for your second factor, so only use "Remember me" on a device that is yours and not shared, and never on a public computer.
...