Commit f7dca4da authored by Jens Henrik Goebbert

minor changes

parent 9cdde39e
%% Cell type:markdown id: tags:
![jsc-logo.jpg](attachment:67258d94-84e6-4a0c-ae8f-c74332ec082e.jpg)
------------------------------------
%% Cell type:markdown id: tags:
# 2-Factor Authentication (2FA)
<div>
<img src=http://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img01.png title="2-factor-authentication" width="320" style="float:left"/>
<!-- <img src=images/jupyter-jsc_2fa_img01.png title="2-factor-authentication" width="320" style="float:left"/> -->
</div>
## Introduction
2-Factor Authentication (2FA), sometimes referred to as two-factor verification, is a security method in which users provide **two different authentication factors** to verify themselves.
This process is **performed to better protect** both the user's credentials and the resources that the user can access.
2-Factor Authentication (2FA), sometimes referred to as two-factor verification, is a security method in which you provide **two different authentication factors** to identify yourself at login.
This process is **performed to better protect** both your credentials and the resources that you can access.
In the **first step**, it starts with the usual entry of a good password. The service then confirms the correctness of the password entered.
In the **first login step**, you start with the usual entry of a good password. The service then confirms the correctness of the password entered.
This does not, however, lead directly to the desired entrance - but to a further barrier.
The **second step** prevents unauthorized third parties from gaining access to your account just because they have stolen your password.
A quite common 2nd-factor is a time-based one-time **confirmation code** generated by a **2fa-generator app** you install and initialize once one of your personal devices.
This 2fa-generator app then provides (in our case every 30 seconds) a new confirmation code you enter on the login page.
The **second login step** prevents unauthorized third parties from gaining access to your account just because they might have stolen your password.
A quite common 2nd-factor is a time-based one-time **confirmation code** generated by a **2fa-generator app** you installs and initializes once on one of your personal devices.
This 2fa-generator app then provides (in our case every 30 seconds) a new confirmation code that needs to be entered on the login page.
<div style="clear:both"></div>
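Review bot: In the rewritten second-login-step paragraph, the new sentence reads "a **2fa-generator app** you installs and initializes once on one of your personal devices", which breaks subject-verb agreement; it should be "you install and initialize once on one of your personal devices". In the rewritten introduction, changing "verify themselves" to "identify yourself at login" also blurs the point, since the two factors verify an identity rather than state one; "verify your identity at login" keeps the second-person voice without that shift.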
%% Cell type:markdown id: tags:
<div>
<video controls src="https://multimedia.gsb.bund.de/BSI/Video/2-Faktor-Authentisierung_SD.conv.mp4" width=480 style="float:right"/>
</div>
## Basic Principle
These two factors for authentication combine the building blocks **knowledge** and **possession** in the login procedure.
- **knowledge** - the secret knowledge is the password you enter.
- **possession** - With the confirmation code you show that you are in possession of a certain device (e.g. your smartphone), because only a *2fa-generator app*, installed on that device, can generate the necessary *confirmation code*.
- **possession** - With the confirmation code you show that you are in possession of a certain device (e.g. your smartphone), because only the *2fa-generator app*, installed on that device, can generate the necessary *confirmation code*.
<div style="clear:both"></div>
<div>
<p style="float:right">Source: Bundesamt für Sicherheit in der Informationstechnik</p>
</div>
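Review bot: The reworded possession bullet now says only "the *2fa-generator app*, installed on that device" can generate the confirmation code, but the Algorithm and Initialization sections of this notebook say the code is computed from the secret initialization code and the current time, and that Jupyter-JSC generates the same code for comparison. Consider wording it as "only a 2fa-generator app initialized with your secret initialization code", so readers understand that what they possess is the secret stored on the device and that the QR-Code or string shown at activation has to stay private.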
%% Cell type:markdown id: tags:
<div>
<img src=http://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img02.png title="2-factor-authentication" width="320" style="float:left"/>
<!-- <img src=images/jupyter-jsc_2fa_img02.png title="2-factor-authentication" width="320" style="float:left"/> -->
</div>
## Algorithm
The **2fa-generator app** calculates the current personal **confirmation code** completely autonomously from the outside world using a standardized and open algorithm for the generation of **Time-based One-Time Passwords (TOTP)**.
The TOTP algorithm was published in 2011 by the [Internet Engineering Task Force (IETF)](https://www.ietf.com) as [RFC 6238](https://tools.ietf.org/html/rfc6238). The TOTP algorithm is a hash function in which a secret code is hashed together with the current time.
Behind the hash function is the HMAC-based One-time Password Algorithm according to [RFC 4226](https://tools.ietf.org/html/rfc4226) - in simple terms nothing more than a standard that forms a hash in a certain way.
The calculation includes both a **"secret initialization code"**, that is known to both the server and the client, and the **current time**.
The final one-time *confirmation code* is generated from these two inputs and is valid for a certain period of time. (in our case for **30 seconds**).
The procedure can be implemented in such a way that slight differences in time between client and server are accepted.
Hence, any confirmation code is time-based, calculated locally, and always unique.
<div style="clear:both"></div>
------------------
%% Cell type:markdown id: tags:
# How to get started with 2FA
<div>
<img src=http://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img03.png title="2-factor-authentication" width="320" style="float:right"/>
<!-- <img src=images/jupyter-jsc_2fa_img03.png title="2-factor-authentication" width="320" style="float:right"/> -->
</div>
## Preparation
To get ready to use 2-Factor Authentication (2FA) for Jupyter-JSC you have to **prepare** it ONCE:
- (1) **request 2FA** for Jupyter-JSC,
- login, send request, check emails
- (2) **activate 2FA** for Juypter-JSC,
- (a) install a **2fa-generator app**, which supports the TOTP algorithm,
- (b) communicate the **secret initialization code** to this 2fa-generator app, and
- (c) test a first **confirmation code** generated.
... and then 2FA is ready to be used next time you log in.
### 1. Request 2FA
Please login to Jupyter-JSC as usual through https://jupyter-jsc.fz-juelich.de.
After login please visit the webpage **https://jupyter-jsc.fz-juelich.de/2fa**.
It will show the button **Request 2-Factor Authentication** which you must click to request 2FA for your account.
Now, please wait for the **email to confirm** your request. It includes a one-time link to the personal **activation webpage**.
### 2. Activate 2FA
The activation webpage in the confirmation email provides the **secret initialization code** as QR-Code (and string)
and requests a generated **verification code** before 2FA gets activation.
But first, you need to install a **2fa-generator app** on one of your personal devices, which you plan to use in the future to generate the **confirmation codes** for each time you log in.
<div style="clear:both"></div>
%% Cell type:markdown id: tags:
<div>
<img src=http://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img04.png title="2-factor-authentication" width="320" style="float:left"/>
<!-- <img src=images/jupyter-jsc_2fa_img04.png title="2-factor-authentication" width="320" style="float:left"/> -->
</div>
### a. Installation
There are a large number of different 2fa-generator apps available that implemented the TOTP algorithm.
You have to install **one of them** - for example, take one of the following:
- [**FreeOTP**](https://github.com/freeotp) ([iOS](https://apps.apple.com/de/app/freeotp-authenticator/id872559395), [Android](https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp&hl=de))
- [**Authy**](https://authy.com) ([iOS](https://apps.apple.com/de/app/authy/id494168017), [Android](https://play.google.com/store/apps/details?id=com.authy.authy), [Windows](https://authy.com/download/), [macOS](https://authy.com/download/), [Linux](https://snapcraft.io/authy))
- [**Protectimus Smart OTP**](https://www.protectimus.com/protectimus-smart) ([iOS](https://apps.apple.com/ie/app/protectimus-smart/id854508919), [Android](https://play.google.com/store/apps/details?id=com.protectimus.android))
- [**Google Authenticator**](https://de.wikipedia.org/wiki/Google_Authenticator) ([iOS](https://apps.apple.com/de/app/google-authenticator/id388497605), [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) )
- [**Microsoft Authenticator**](https://www.microsoft.com/en-us/account/authenticator) ([iOS](https://apps.apple.com/de/app/microsoft-authenticator/id983156458), [Android](https://play.google.com/store/apps/details?id=com.azure.authenticator), [Windows 10 Mobile](https://www.microsoft.com/en-us/p/microsoft-authenticator/9nblgggzmcj6))
The TOTP algorithm can also be implemented in hardware as a so-called "hardware token" (e.g. [Protectimus Tokens](https://www.protectimus.com/tokens/))
<div style="clear:both"></div>
%% Cell type:markdown id: tags:
<div>
<img src=http://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img05.png title="2-factor-authentication" width="320" style="float:left"/>
<!-- <img src=images/jupyter-jsc_2fa_img05.png title="2-factor-authentication" width="320" style="float:left"/> -->
</div>
### b. Initialization & Validation
Before you can use 2FA for Jupyter-JSC a random, user-specific, unique and **secret initialization code** must be known by both Jupyter-JSC and the users 2fa-generator app.
This *secret initialization code* gets generated by Jupyter-JSC and is shown as a **QR-Code** (or string) on the activation page.
The QR-Code provides the *secret initialization code* with the descriptive data (1) algorithm = TOTP, (2) period of validity = 30s.
Please ensure you set these descriptive dates manually in your 2fa-generator app **if you prefer to use the string** instead of the QR-Code.
Next, the 2fa-generates app provides now a **verification code** you have to enter on the activation webpage.
Jupyter-JSC now compares the *verification code* you provide with the one generated by Jupyter-JSC.
If they match, **2FA is now activated**.
<div style="clear:both"></div>
----------------------
%% Cell type:markdown id: tags:
<div>
<img src=http://jupyter-jsc.fz-juelich.de/hub/static/images/2fa/jupyter-jsc_2fa_img06.png title="2-factor-authentication" width="320" style="float:right"/>
<!-- <img src=images/jupyter-jsc_2fa_img06.png title="2-factor-authentication" width="320" style="float:right"/> -->
</div>
### 2FA-Login at Jupyter-JSC
Congratulation! You are now ready to use 2-Factor Authentication with Jupyter-JSC.
Login is now as simple as this
1. **Enter your password**
Each time you log in, you enter your password as usual.
2. **Enter the current confirmation code**
You will then be asked for a confirmation code that you can read from a generator app (e.g. on your smartphone).
You will then be asked for a confirmation code that you can read from your installed & initialized 2fa-generator app (e.g. on your smartphone).
**Remember me**
Jupyter-JSC can set a cookie to remember, that you have logged in from this device already.
Just check the "Remember me" **checkbox** where you enter confirmation code.
Jupyter-JSC **skips the evaluation** of the confirmation code in this browser on that device then for **one week**.
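Review bot: The updated step 2 sentence is fine, but the "Remember me" paragraph directly below it in the same cell documents that the confirmation code is skipped for one week without saying when that is appropriate or how it ends. Suggest adding that the checkbox is meant for your own devices only, and stating whether logging out or clearing the cookie restores the second login step before the week is over.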