2-Factor Authentication (2FA), sometimes referred to as two-factor verification, is a security method in which users provide **two different authentication factors** to verify themselves.
This process is **performed to better protect** both the user's credentials and the resources that the user can access.
The **first step** is the usual entry of a good password. The service then confirms that the password entered is correct.
This does not, however, grant access directly, but leads to a further barrier.
The **second step** prevents unauthorized third parties from gaining access to your account just because they have stolen your password.
A quite common second factor is a time-based one-time **confirmation code** generated by a **2fa-generator app** that you install and initialize once on one of your personal devices.
This 2fa-generator app then provides (in our case every 30 seconds) a new confirmation code you enter on the login page.
These two factors for authentication combine the building blocks **knowledge** and **possession** in the login procedure.
- **knowledge** - the secret knowledge is the password you enter.
- **possession** - With the confirmation code you show that you are in possession of a certain device (e.g. your smartphone), because only a *2fa-generator app*, installed on that device, can generate the necessary *confirmation code*.
<div style="clear:both"></div>
<div>
<p style="float:right">Source: Bundesamt für Sicherheit in der Informationstechnik</p>
</div>
The **2fa-generator app** calculates the current personal **confirmation code** completely independently of the outside world, using a standardized and open algorithm for the generation of **Time-based One-Time Passwords (TOTP)**.
The TOTP algorithm was published in 2011 by the [Internet Engineering Task Force (IETF)](https://www.ietf.com) as [RFC 6238](https://tools.ietf.org/html/rfc6238). The TOTP algorithm is a hash function in which a secret code is hashed together with the current time.
Behind the hash function is the HMAC-based One-time Password Algorithm according to [RFC 4226](https://tools.ietf.org/html/rfc4226) - in simple terms nothing more than a standard that forms a hash in a certain way.
The calculation includes both a **"secret initialization code"**, which is known to both the server and the client, and the **current time**.
The final one-time *confirmation code* is generated from these two inputs and is valid for a certain period of time (in our case for **30 seconds**).
The procedure can be implemented in such a way that slight differences in time between client and server are accepted.
Hence, any confirmation code is time-based, calculated locally, and always unique.
To get ready to use 2-Factor Authentication (2FA) for Jupyter-JSC you have to **prepare** it ONCE:
- (1) **request 2FA** for Jupyter-JSC,
  - login, send request, check emails
- (2) **activate 2FA** for Jupyter-JSC,
  - (a) install a **2fa-generator app**, which supports the TOTP algorithm,
  - (b) communicate the **secret initialization code** to this 2fa-generator app, and
  - (c) test a first **confirmation code** generated.
... and then 2FA is ready to be used next time you log in.
### 1. Request 2FA
Please log in to Jupyter-JSC as usual through https://jupyter-jsc.fz-juelich.de.
After login please visit the webpage **https://jupyter-jsc.fz-juelich.de/2fa**.
It will show the button **Request 2-Factor Authentication** which you must click to request 2FA for your account.
Now, please wait for the **email to confirm** your request. It includes a one-time link to the personal **activation webpage**.
### 2. Activate 2FA
The activation webpage linked in the confirmation email provides the **secret initialization code** as a QR-Code (and string) and requests a generated **verification code** before 2FA gets activated.
But first, you need to install a **2fa-generator app** on one of your personal devices, which you plan to use in the future to generate the **confirmation codes** for each time you log in.
Before you can use 2FA for Jupyter-JSC, a random, user-specific, unique and **secret initialization code** must be known by both Jupyter-JSC and the user's 2fa-generator app.
This *secret initialization code* gets generated by Jupyter-JSC and is shown as a **QR-Code** (or string) on the activation page.
The QR-Code provides the *secret initialization code* with the descriptive data (1) algorithm = TOTP, (2) period of validity = 30s.
Please ensure you set these descriptive data manually in your 2fa-generator app **if you prefer to use the string** instead of the QR-Code.
Next, the 2fa-generator app now provides a **verification code** you have to enter on the activation webpage.
Jupyter-JSC now compares the *verification code* you provide with the one generated by Jupyter-JSC.