<!doctype html> <html lang="en" class="no-js"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <link rel="icon" href="../../assets/images/favicon.png"> <meta name="generator" content="mkdocs-1.3.1, mkdocs-material-8.5.3"> <title>2FA Tips - Authentication and Authorization Service</title> <link rel="stylesheet" href="../../assets/stylesheets/main.7a952b86.min.css"> <link rel="stylesheet" href="../../assets/stylesheets/palette.cbb835fc.min.css"> <link rel="stylesheet" href="../../stylesheets/fonts.css"> <link rel="stylesheet" href="../../stylesheets/kuri-kuri.css"> <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script> </head> <body dir="ltr" data-md-color-scheme="" data-md-color-primary="none" data-md-color-accent="none"> <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off"> <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off"> <label class="md-overlay" for="__drawer"></label> <div data-md-component="skip"> <a href="#struggling-to-set-up-2fa" class="md-skip"> Skip to content </a> </div> <div data-md-component="announce"> </div> <header class="md-header" data-md-component="header"> <nav class="md-header__inner md-grid" aria-label="Header"> <a href="../.." 
title="Authentication and Authorization Service" class="md-header__button md-logo" aria-label="Authentication and Authorization Service" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> <label class="md-header__button md-icon" for="__drawer"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg> </label> <div class="md-header__title" data-md-component="header-title"> <div class="md-header__ellipsis"> <div class="md-header__topic"> <span class="md-ellipsis"> Authentication and Authorization Service </span> </div> <div class="md-header__topic" data-md-component="header-topic"> <span class="md-ellipsis"> 2FA Tips </span> </div> </div> </div> <label class="md-header__button md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> </label> <div class="md-search" data-md-component="search" role="dialog"> <label class="md-search__overlay" for="__search"></label> <div class="md-search__inner" role="search"> <form class="md-search__form" name="search"> <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required> <label class="md-search__icon md-icon" for="__search"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 
6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg> </label> <nav class="md-search__options" aria-label="Search"> <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg> </button> </nav> </form> <div class="md-search__output"> <div class="md-search__scrollwrap" data-md-scrollfix> <div class="md-search-result" data-md-component="search-result"> <div class="md-search-result__meta"> Initializing search </div> <ol class="md-search-result__list"></ol> </div> </div> </div> </div> </div> <div class="md-header__source"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! 
Font Awesome Free 6.2.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> authzsvc-docs </div> </a> </div> </nav> </header> <div class="md-container" data-md-component="container"> <main class="md-main" data-md-component="main"> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0"> <label class="md-nav__title" for="__drawer"> <a href="../.." title="Authentication and Authorization Service" class="md-nav__button md-logo" aria-label="Authentication and Authorization Service" data-md-component="logo"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg> </a> Authentication and Authorization Service </label> <div class="md-nav__source"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs" title="Go to repository" class="md-source" data-md-component="source"> <div class="md-source__icon md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! 
Font Awesome Free 6.2.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg> </div> <div class="md-source__repository"> authzsvc-docs </div> </a> </div> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../.." class="md-nav__link"> CERN Authentication and Authorization Services </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" > <label class="md-nav__link" for="__nav_2"> User authentication <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="User authentication" data-md-level="1"> <label class="md-nav__title" for="__nav_2"> <span class="md-nav__icon md-icon"></span> User authentication </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../user-documentation/authentication-options/" class="md-nav__link"> Authentication options </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/two-factor-authentication/" class="md-nav__link"> Two factor authentication </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/kerberos-authentication/" class="md-nav__link"> Kerberos </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/time-limits/" class="md-nav__link"> Time limits </a> </li> <li class="md-nav__item"> <a 
href="../../user-documentation/autologon/" class="md-nav__link"> Autologon </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/account-lifecycle/" class="md-nav__link"> Account Lifecycle </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/unconfirmed-identities/" class="md-nav__link"> Unconfirmed identities </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" > <label class="md-nav__link" for="__nav_3"> Securing applications <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Securing applications" data-md-level="1"> <label class="md-nav__title" for="__nav_3"> <span class="md-nav__icon md-icon"></span> Securing applications </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../applications/application-configuration/" class="md-nav__link"> Configuring your application </a> </li> <li class="md-nav__item"> <a href="../../applications/adding-application/" class="md-nav__link"> Adding your application to the service </a> </li> <li class="md-nav__item"> <a href="../../applications/permission-scheme/" class="md-nav__link"> Defining the permissions scheme </a> </li> <li class="md-nav__item"> <a href="../../applications/role-based-permissions/" class="md-nav__link"> Role based permissions (recommended) </a> </li> <li class="md-nav__item"> <a href="../../applications/group-based-permissions/" class="md-nav__link"> Group based permissions </a> </li> <li class="md-nav__item"> <a href="../../applications/sso-registration/" class="md-nav__link"> Registering your application to SSO </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_7" type="checkbox" id="__nav_3_7" > <label class="md-nav__link" for="__nav_3_7"> SAML <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" 
aria-label="SAML" data-md-level="2"> <label class="md-nav__title" for="__nav_3_7"> <span class="md-nav__icon md-icon"></span> SAML </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../user-documentation/saml/saml/" class="md-nav__link"> About </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/saml/config/" class="md-nav__link"> Configuration </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/saml/shibboleth-integration/" class="md-nav__link"> Shibboleth integration </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/saml/shibboleth-migration/" class="md-nav__link"> Shibboleth migration from the old SSO </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3_8" type="checkbox" id="__nav_3_8" > <label class="md-nav__link" for="__nav_3_8"> OIDC <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="OIDC" data-md-level="2"> <label class="md-nav__title" for="__nav_3_8"> <span class="md-nav__icon md-icon"></span> OIDC </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../user-documentation/oidc/oidc/" class="md-nav__link"> About </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/token-requests/" class="md-nav__link"> Token Requests </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/scopes/" class="md-nav__link"> Scopes </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/config/" class="md-nav__link"> OIDC configuration and usage </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/apache/" class="md-nav__link"> Apache configuration </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/securing-apis/" class="md-nav__link"> Securing APIs </a> </li> <li class="md-nav__item"> <a 
href="../../user-documentation/oidc/api-access/" class="md-nav__link"> API Access </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/exchange-for-api/" class="md-nav__link"> Token Exchange </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/device-code/" class="md-nav__link"> Device Code </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/oidc/libraries/" class="md-nav__link"> Suggested libraries </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../applications/examples/" class="md-nav__link"> Examples </a> </li> <li class="md-nav__item"> <a href="../../applications/qa-environment/" class="md-nav__link"> QA Environment </a> </li> <li class="md-nav__item"> <a href="../../applications/command-line-tools/" class="md-nav__link"> Command line tools </a> </li> <li class="md-nav__item"> <a href="../../user-documentation/faqs/" class="md-nav__link"> FAQs </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" > <label class="md-nav__link" for="__nav_4"> Group Management System <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Group Management System" data-md-level="1"> <label class="md-nav__title" for="__nav_4"> <span class="md-nav__icon md-icon"></span> Group Management System </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../roadmap/group-missing-features/" class="md-nav__link"> Missing features </a> </li> <li class="md-nav__item"> <a href="../../groups/special-groups/" class="md-nav__link"> Special groups </a> </li> <li class="md-nav__item"> <a href="../../groups/dynamic-guidance/" class="md-nav__link"> Dynamic groups </a> </li> <li class="md-nav__item"> <a href="../../groups/csv/" class="md-nav__link"> CSV </a> </li> <li class="md-nav__item"> <a href="../../groups/e-groups-to-gms-sync-scenario/" 
class="md-nav__link"> E-Groups to GMS transition </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" > <label class="md-nav__link" for="__nav_5"> Resources lifecycle and eligibility <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Resources lifecycle and eligibility" data-md-level="1"> <label class="md-nav__title" for="__nav_5"> <span class="md-nav__icon md-icon"></span> Resources lifecycle and eligibility </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../resources/resources/" class="md-nav__link"> Introduction </a> </li> <li class="md-nav__item"> <a href="../../resources/resource-lifecycle-integration/" class="md-nav__link"> Integration </a> </li> <li class="md-nav__item"> <a href="../../resources/resource-states/" class="md-nav__link"> Resource States </a> </li> <li class="md-nav__item"> <a href="../../resources/push-rest-api/" class="md-nav__link"> Resources REST API (push) </a> </li> <li class="md-nav__item"> <a href="../../resources/policies/" class="md-nav__link"> Custom Resource Policies </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" > <label class="md-nav__link" for="__nav_6"> Documents <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Documents" data-md-level="1"> <label class="md-nav__title" for="__nav_6"> <span class="md-nav__icon md-icon"></span> Documents </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../documents/why-keycloak/" class="md-nav__link"> Why Keycloak </a> </li> <li class="md-nav__item"> <a href="../../documents/presentations/" class="md-nav__link"> Presentations </a> </li> <li class="md-nav__item"> <a href="../../documents/our-contributions/" 
class="md-nav__link"> Our contributions to Keycloak </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" > <label class="md-nav__link" for="__nav_7"> Services <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Services" data-md-level="1"> <label class="md-nav__title" for="__nav_7"> <span class="md-nav__icon md-icon"></span> Services </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../services/" class="md-nav__link"> Overview </a> </li> <li class="md-nav__item"> <a href="../../services/instances/" class="md-nav__link"> Links to instances </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_3" type="checkbox" id="__nav_7_3" > <label class="md-nav__link" for="__nav_7_3"> Authorization Service API <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Authorization Service API" data-md-level="2"> <label class="md-nav__title" for="__nav_7_3"> <span class="md-nav__icon md-icon"></span> Authorization Service API </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../authzsvc/overview/" class="md-nav__link"> Overview </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/managed-applications/" class="md-nav__link"> Managing applications for other users </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/roles/" class="md-nav__link"> Role definitions </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/model/" class="md-nav__link"> Model (attributes) </a> </li> <li class="md-nav__item"> <a href="../../authzsvc/examples/" class="md-nav__link"> Examples </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--nested"> <input class="md-nav__toggle md-toggle" 
data-md-toggle="__nav_8" type="checkbox" id="__nav_8" checked> <label class="md-nav__link" for="__nav_8"> Help <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Help" data-md-level="1"> <label class="md-nav__title" for="__nav_8"> <span class="md-nav__icon md-icon"></span> Help </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../edugain-authentication/" class="md-nav__link"> eduGAIN Authentication </a> </li> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc"> <label class="md-nav__link md-nav__link--active" for="__toc"> 2FA Tips <span class="md-nav__icon md-icon"></span> </label> <a href="./" class="md-nav__link md-nav__link--active"> 2FA Tips </a> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#general" class="md-nav__link"> General </a> <nav class="md-nav" aria-label="General"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#which-tokens-should-i-set-up" class="md-nav__link"> Which tokens should I set up? </a> </li> <li class="md-nav__item"> <a href="#ive-lost-my-phone-and-cant-log-in-with-2fa-help" class="md-nav__link"> I've lost my phone and can't log in with 2FA - help! </a> </li> <li class="md-nav__item"> <a href="#sometimes-the-sso-mentions-that-im-already-logged-in" class="md-nav__link"> Sometimes the SSO mentions that I'm already logged in </a> </li> <li class="md-nav__item"> <a href="#preferred-2nd-factor" class="md-nav__link"> Preferred 2nd factor </a> </li> <li class="md-nav__item"> <a href="#how-can-i-limit-the-number-of-times-that-i-need-to-log-in" class="md-nav__link"> How can I limit the number of times that I need to log in? 
</a> </li> <li class="md-nav__item"> <a href="#do-i-need-to-have-an-internet-connection-for-my-phone" class="md-nav__link"> Do I need to have an Internet connection for my phone? </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#one-time-password-applications-otp" class="md-nav__link"> One-Time-Password Applications (OTP) </a> <nav class="md-nav" aria-label="One-Time-Password Applications (OTP)"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#which-otp-application-should-i-download" class="md-nav__link"> Which OTP application should I download? </a> </li> <li class="md-nav__item"> <a href="#how-long-is-the-token-displayed-on-totp" class="md-nav__link"> How long is the token displayed on TOTP? </a> </li> <li class="md-nav__item"> <a href="#why-is-my-otp-code-not-working" class="md-nav__link"> Why is my OTP code not working? </a> </li> <li class="md-nav__item"> <a href="#im-changing-phones-will-otp-work-on-my-new-phone" class="md-nav__link"> I'm changing phones, will OTP work on my new phone? </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#hardware-tokens-webauthn" class="md-nav__link"> Hardware Tokens (WebAuthn) </a> <nav class="md-nav" aria-label="Hardware Tokens (WebAuthn)"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#what-can-i-use-as-a-webauthn-token" class="md-nav__link"> What can I use as a WebAuthn token? </a> </li> <li class="md-nav__item"> <a href="#my-yubikey-doesnt-work-for-sso" class="md-nav__link"> My Yubikey doesn't work for SSO </a> </li> <li class="md-nav__item"> <a href="#how-can-i-enable-webauthn-but-not-otp" class="md-nav__link"> How can I enable WebAuthn but not OTP? </a> </li> <li class="md-nav__item"> <a href="#how-can-i-set-up-my-fingerprint-reader" class="md-nav__link"> How can I set up my fingerprint reader? </a> </li> <li class="md-nav__item"> <a href="#can-i-have-several-hardware-tokens" class="md-nav__link"> Can I have several hardware tokens? 
</a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#passkeys" class="md-nav__link"> Passkeys </a> </li> <li class="md-nav__item"> <a href="#mobile-support" class="md-nav__link"> Mobile support </a> <nav class="md-nav" aria-label="Mobile support"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#choice-of-2nd-factors" class="md-nav__link"> Choice of 2nd factors </a> </li> <li class="md-nav__item"> <a href="#how-can-i-speed-up-logins-on-mobile-devices" class="md-nav__link"> How can I speed up logins on mobile devices? </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#2fa-for-ssh" class="md-nav__link"> 2FA for SSH </a> <nav class="md-nav" aria-label="2FA for SSH"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#will-you-provide-general-purpose-integrations-for-using-2fa-on-the-command-line" class="md-nav__link"> Will you provide general purpose integrations for using 2FA on the command-line? </a> </li> <li class="md-nav__item"> <a href="#will-2fa-logins-be-required-for-lxplus" class="md-nav__link"> Will 2FA logins be required for LXPLUS? 
</a> </li> </ul> </nav> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../privacy-notice/" class="md-nav__link"> Privacy notice </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle" data-md-toggle="__nav_10" type="checkbox" id="__nav_10" > <label class="md-nav__link" for="__nav_10"> Migration notes <span class="md-nav__icon md-icon"></span> </label> <nav class="md-nav" aria-label="Migration notes" data-md-level="1"> <label class="md-nav__title" for="__nav_10"> <span class="md-nav__icon md-icon"></span> Migration notes </label> <ul class="md-nav__list" data-md-scrollfix> <li class="md-nav__item"> <a href="../../migrations/keycloak24/" class="md-nav__link"> Keycloak 24 </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="../../contact/" class="md-nav__link"> Contact </a> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" > <div class="md-sidebar__scrollwrap"> <div class="md-sidebar__inner"> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class="md-nav__title" for="__toc"> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix> <li class="md-nav__item"> <a href="#general" class="md-nav__link"> General </a> <nav class="md-nav" aria-label="General"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#which-tokens-should-i-set-up" class="md-nav__link"> Which tokens should I set up? </a> </li> <li class="md-nav__item"> <a href="#ive-lost-my-phone-and-cant-log-in-with-2fa-help" class="md-nav__link"> I've lost my phone and can't log in with 2FA - help! 
</a> </li> <li class="md-nav__item"> <a href="#sometimes-the-sso-mentions-that-im-already-logged-in" class="md-nav__link"> Sometimes the SSO mentions that I'm already logged in </a> </li> <li class="md-nav__item"> <a href="#preferred-2nd-factor" class="md-nav__link"> Preferred 2nd factor </a> </li> <li class="md-nav__item"> <a href="#how-can-i-limit-the-number-of-times-that-i-need-to-log-in" class="md-nav__link"> How can I limit the number of times that I need to log in? </a> </li> <li class="md-nav__item"> <a href="#do-i-need-to-have-an-internet-connection-for-my-phone" class="md-nav__link"> Do I need to have an Internet connection for my phone? </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#one-time-password-applications-otp" class="md-nav__link"> One-Time-Password Applications (OTP) </a> <nav class="md-nav" aria-label="One-Time-Password Applications (OTP)"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#which-otp-application-should-i-download" class="md-nav__link"> Which OTP application should I download? </a> </li> <li class="md-nav__item"> <a href="#how-long-is-the-token-displayed-on-totp" class="md-nav__link"> How long is the token displayed on TOTP? </a> </li> <li class="md-nav__item"> <a href="#why-is-my-otp-code-not-working" class="md-nav__link"> Why is my OTP code not working? </a> </li> <li class="md-nav__item"> <a href="#im-changing-phones-will-otp-work-on-my-new-phone" class="md-nav__link"> I'm changing phones, will OTP work on my new phone? </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#hardware-tokens-webauthn" class="md-nav__link"> Hardware Tokens (WebAuthn) </a> <nav class="md-nav" aria-label="Hardware Tokens (WebAuthn)"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#what-can-i-use-as-a-webauthn-token" class="md-nav__link"> What can I use as a WebAuthn token? 
</a> </li> <li class="md-nav__item"> <a href="#my-yubikey-doesnt-work-for-sso" class="md-nav__link"> My Yubikey doesn't work for SSO </a> </li> <li class="md-nav__item"> <a href="#how-can-i-enable-webauthn-but-not-otp" class="md-nav__link"> How can I enable WebAuthn but not OTP? </a> </li> <li class="md-nav__item"> <a href="#how-can-i-set-up-my-fingerprint-reader" class="md-nav__link"> How can I set up my fingerprint reader? </a> </li> <li class="md-nav__item"> <a href="#can-i-have-several-hardware-tokens" class="md-nav__link"> Can I have several hardware tokens? </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#passkeys" class="md-nav__link"> Passkeys </a> </li> <li class="md-nav__item"> <a href="#mobile-support" class="md-nav__link"> Mobile support </a> <nav class="md-nav" aria-label="Mobile support"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#choice-of-2nd-factors" class="md-nav__link"> Choice of 2nd factors </a> </li> <li class="md-nav__item"> <a href="#how-can-i-speed-up-logins-on-mobile-devices" class="md-nav__link"> How can I speed up logins on mobile devices? </a> </li> </ul> </nav> </li> <li class="md-nav__item"> <a href="#2fa-for-ssh" class="md-nav__link"> 2FA for SSH </a> <nav class="md-nav" aria-label="2FA for SSH"> <ul class="md-nav__list"> <li class="md-nav__item"> <a href="#will-you-provide-general-purpose-integrations-for-using-2fa-on-the-command-line" class="md-nav__link"> Will you provide general purpose integrations for using 2FA on the command-line? </a> </li> <li class="md-nav__item"> <a href="#will-2fa-logins-be-required-for-lxplus" class="md-nav__link"> Will 2FA logins be required for LXPLUS? 
</a> </li> </ul> </nav> </li> </ul> </nav> </div> </div> </div> <div class="md-content" data-md-component="content"> <article class="md-content__inner md-typeset"> <a href="https://gitlab.cern.ch/authzsvc/docs/authzsvc-docs/-/blob/master/docs/trouble-shooting/2fa-tips.md" title="Edit this page" class="md-content__button md-icon"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25Z"/></svg> </a> <h1 id="struggling-to-set-up-2fa">Struggling to set up 2FA?</h1> <p>First, make sure you've read through this <a href="../../user-documentation/two-factor-authentication/">Guide</a>. We have compiled a list of Frequently Asked Questions below and will continue to add to it.</p> <h2 id="general">General</h2> <h3 id="which-tokens-should-i-set-up">Which tokens should I set up?</h3> <p>Ideally, set up one OTP token and one WebAuthn token. This way if you lose one token you will be able to reset it using the other.</p> <h3 id="ive-lost-my-phone-and-cant-log-in-with-2fa-help">I've lost my phone and can't log in with 2FA - help!</h3> <p>If you have registered a WebAuthn token, you can authenticate with it to the <a href="https://users-portal.web.cern.ch">Users' Portal</a>, reset your OTP settings and register for OTP again. Otherwise, raise a ticket with the <a href="https://cern.service-now.com/service-portal/">Service Desk</a> who will check your identity and reset your OTP settings.</p> <h3 id="sometimes-the-sso-mentions-that-im-already-logged-in">Sometimes the SSO mentions that I'm already logged in</h3> <p>In case multiple browser tabs are opened for SSO protected websites before logging in, the active tab used for logging in to the SSO will redirect to the requested page while the message "You are already logged in" will be displayed in the other tabs. 
We recommend that you open additional tabs to SSO protected websites after logging in. The issue is followed up with the upstream provider of the SSO Identity Provider software used (Keycloak).</p> <h3 id="preferred-2nd-factor">Preferred 2nd factor</h3> <p>You can choose your preferred 2nd factor, either OTP or Yubikey, on the <a href="https://users-portal.web.cern.ch">Users' Portal</a>. Goto "Configure Multifactor" and make your pick at "Default login method" below. That shortens the login experience.</p> <h3 id="how-can-i-limit-the-number-of-times-that-i-need-to-log-in">How can I limit the number of times that I need to log in?</h3> <p>In order to limit the number of times you need to log in, use one browser consistently for your work and do not close it. Your login will be valid for 12 hours in a browser that remains open.</p> <h3 id="do-i-need-to-have-an-internet-connection-for-my-phone">Do I need to have an Internet connection for my phone?</h3> <p>The smartphone TOTP apps are basically pocket calculators. After first initialization they work independently and autonomously calculating your TOTP based on the local time (this is why it is important that your smartphone is synchronized with global time) and some "seed" transferred during the initialization phase. No need for an Internet connection. Nor GSM. 
Neither data, roaming, nor WiFi.</p> <h2 id="one-time-password-applications-otp">One-Time-Password Applications (OTP)</h2> <h3 id="which-otp-application-should-i-download">Which OTP application should I download?</h3> <ul> <li><a href="https://getaegis.app/">Aegis Authenticator</a> for <a href="https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis">Android</a></li> <li><a href="https://github.com/ente-io/ente/tree/main/auth#readme">ente Authenticator</a> for <a href="https://apps.apple.com/us/app/ente-authenticator/id6444121398">iOS</a> and <a href="https://play.google.com/store/apps/details?id=io.ente.auth">Android</a></li> </ul> <p>Other OTP applications may also work. Make sure to download the application from a trusted app store.</p> <h3 id="how-long-is-the-token-displayed-on-totp">How long is the token displayed on TOTP?</h3> <p>A new TOTP code is generated every 30 seconds. A count-down shows the remaining time. It is perfectly fine to wait for the next code if time is running out.</p> <h3 id="why-is-my-otp-code-not-working">Why is my OTP code not working?</h3> <p>If you get an "Invalid authenticator code" error when entering your OTP code, your phone's clock may not be set correctly. If so, go to the "Date and Time" settings on your phone and set it to use the network-provided time.</p> <p>Some OTP apps, such as Google Authenticator, allow synchronizing the clock time from within the app. To synchronize, go to "Settings" -> "Time correction for codes" and press the "Sync now" button.</p> <p>If it is still not working, double-check that you do not have an existing OTP registration for CERN SSO. Some OTP applications do not replace an existing configuration correctly and then generate invalid codes. You should be able to delete the previous OTP registration within your application.
</p> <h3 id="im-changing-phones-will-otp-work-on-my-new-phone">I'm changing phones, will OTP work on my new phone?</h3> <p>Yes, but you need to transfer your OTP secrets from the old phone to the new one:</p> <ul> <li>Some OTP authenticator applications let you migrate between devices (export the OTP secrets from one phone and import them into the other). Look up the specific instructions for the authenticator application you are using.</li> <li>Other authenticator apps store the secrets used to generate the OTP codes in the cloud. That makes switching devices, or using the same codes on several devices, much easier. The downside is that, depending on how the cloud component is implemented, the risk of those secrets leaking can be considerably higher.</li> </ul> <p>Alternatively, you can simply reset your OTP and configure it on the new phone. To do that, go to the <a href="https://users-portal.web.cern.ch">Users' Portal</a>, "Configure 2FA", and click the "Reset OTP" button. The next time you log in to CERN Single Sign-On you will be asked to configure OTP again, which you can do with your new phone. (Note, however, that OTP on the old phone will stop working.)</p> <p>If you have any issues, or get stuck in the process, please raise a ticket with the <a href="https://cern.service-now.com/service-portal/">Service Desk</a>, who will check your identity and reset your OTP settings.</p> <h2 id="hardware-tokens-webauthn">Hardware Tokens (WebAuthn)</h2> <h3 id="what-can-i-use-as-a-webauthn-token">What can I use as a WebAuthn token?</h3> <p>There is an ever-increasing number of WebAuthn authenticators, falling into either the biometric or the hardware-token category. Your device may already feature a fingerprint reader or facial recognition that supports WebAuthn. An alternative is to get a Yubikey, see <a href="https://cern.service-now.com/service-portal?id=kb_article&n=KB0006587">KB0006587</a>.
</p> <h3 id="my-yubikey-doesnt-work-for-sso">My Yubikey doesn't work for SSO</h3> <p>If you own a very old Yubikey (USB Type-A, without any symbol on the golden contact, used for SSH 2FA), you will need to have it replaced at the IT secretariat with a new one (you have a choice between USB Type-A, USB Type-C, and USB Type-C with NFC support). NFC-enabled Yubikeys make logins on mobile devices even faster. Note that you will need to register any new Yubikey you get (see <a href="https://cern.service-now.com/service-portal?id=kb_article&n=KB0006587">KB0006587</a>).</p> <h3 id="how-can-i-enable-webauthn-but-not-otp">How can I enable WebAuthn but not OTP?</h3> <p>In this case, please raise a ticket with the <a href="https://cern.service-now.com/service-portal/">Service Desk</a>, who will configure your account so that WebAuthn is enabled and requires initialisation.</p> <h3 id="how-can-i-set-up-my-fingerprint-reader">How can I set up my fingerprint reader?</h3> <p>Certain fingerprint readers on Windows laptops and Macbooks, as well as biometric sensors on some smartphones, can be used as (convenient) 2FA hardware. However, their support depends strongly on your device, its operating system, and the browser you use.</p> <p>The following combinations are known to work with CERN SSO (others may, too):</p> <ul> <li><strong>Fingerprint reader on Macbooks</strong>: <ul> <li>Chrome browser (when asked during the registration process, choose <em>"Your Chrome profile"</em>.
<em>"iCloud Keychain"</em> could also work, depending on your iCloud settings)</li> <li>other browsers to be confirmed</li> </ul> </li> <li><strong>Fingerprint reader on Windows</strong>: Edge, Chrome and Firefox browsers (when asked during the registration process, choose <em>"Windows Hello"</em>)</li> </ul> <p>To check whether your biometric sensor works with your device and browser, first test it at <a href="https://webauthn.io">https://webauthn.io</a>:</p> <ol> <li>At the top of the page, type in any username and click the "Register" button</li> <li>Follow the instructions</li> <li>Once registered, test it by clicking the "Authentication" button</li> </ol> <p>Once you have confirmed that your fingerprint reader (or other biometric sensor) works with your browser, you are ready to configure it for your CERN account on CERN SSO.</p> <div class="admonition warning"> <p class="admonition-title">Please note</p> <p>Once you start the process, you need to complete it (register a new WebAuthn token), otherwise you will <em>not</em> be able to log in via CERN SSO. For this reason, we strongly recommend that you do it during working hours, so that in case of any issues you can ask the <a href="mailto:service-desk@cern.ch">Service Desk</a> or <a href="https://cern.service-now.com/service-portal?id=it_sos">IT SOS</a> to disable WebAuthn for your account.</p> </div> <p>Steps:</p> <ol> <li>Log in to <a href="https://users-portal.web.cern.ch">https://users-portal.web.cern.ch</a> and go to <em>"Configure 2FA"</em>.</li> <li>If it is not set yet, choose <em>"Enable WebAuthn credentials for Yubikey or any compatible device"</em>. Otherwise, click the <em>"Reset WebAuthn"</em> button below it.</li> <li>As stated in the popup message, open a new private/incognito window, keeping the current page open.
This is important, as it will allow you to disable WebAuthn in case you do not manage to complete the configuration.<ul> <li>If (and only if) registration in a new private/incognito window (as described above) doesn't work, log out and log in again using your normal browser.</li> </ul> </li> <li>Follow the online instructions to register your fingerprint reader, selecting the option your browser offers, e.g. <em>"Windows Hello"</em>, <em>"Your Chrome profile"</em> or <em>"Use Touch ID to sign in?"</em> (see the combinations listed above).</li> </ol> <p>Once the fingerprint reader is correctly registered, you may want to set it as your default 2FA method. To do so, log in to <a href="https://users-portal.web.cern.ch">https://users-portal.web.cern.ch</a>, go to <em>"Configure 2FA"</em>, and change "Default login method" to WebAuthn. (When logging in from other devices without the fingerprint reader, you will still be able to log in with your existing OTP.)</p> <h3 id="can-i-have-several-hardware-tokens">Can I have several hardware tokens?</h3> <p>The <a href="https://users-portal.web.cern.ch/">Users Portal</a> currently supports only one WebAuthn (hardware) token at a time. CERN SSO itself, however, allows more than one WebAuthn device (e.g. both a Yubikey and a fingerprint reader). If you want to become a test user of that feature, contact the <a href="https://cern.service-now.com/service-portal?id=sc_cat_item&name=request&se=SSO-Service">Service Desk</a> and ask to have a second hardware token enabled. Please note that this is currently an unsupported feature, enabled at your own risk.</p> <h2 id="passkeys">Passkeys</h2> <p>A "passkey" is a concept, together with the technologies that support it, for authenticating without a password, using only hardware biometric sensors (fingerprint reader, face recognition) or similar security features (see <a href="https://www.passkeys.io/">more</a> <a href="https://passkey.keycloak.ch/dashboard/">details</a>).
(Note that the details of the "passkey" concept and its implementations depend on the vendor, the mobile operating system, etc.; there is not yet a single definition or common standard shared by all of them.)</p> <p>CERN SSO does not plan to offer password-less authentication. However, most of the solutions mentioned above (such as biometric sensors) rely on the WebAuthn standard, which is fully supported by CERN SSO as an option for 2FA (second-factor authentication). In other words, <a href="#how-can-i-set-up-my-fingerprint-reader">fingerprint readers and face recognition can already be used as a 2FA method on CERN SSO</a>, provided that they are supported by your device, its operating system, and the browser you use.</p> <p>Looking further into the future, implementations of passkeys on different operating systems and mobile platforms will hopefully converge and a common standard will emerge. In parallel, Keycloak (the software behind CERN SSO) is extending its support for passkeys. It is therefore likely that CERN SSO will eventually support passkeys more natively, rather than only as a WebAuthn second factor as is the case today.</p> <h2 id="mobile-support">Mobile support</h2> <h3 id="choice-of-2nd-factors">Choice of 2nd factors</h3> <p>The recommended 2nd factor on mobile devices is TOTP via an authenticator application (it is straightforward to switch between the web browser and the authenticator app to copy the TOTP code). USB Type-C Yubikeys are available from the IT Secretariat and should be usable on smartphones.
We are looking into providing Yubikey USB Type-C tokens with NFC support to make Yubikeys even easier to use on mobile devices.</p> <h3 id="how-can-i-speed-up-logins-on-mobile-devices">How can I speed up logins on mobile devices?</h3> <p>On your smartphone, most authenticator apps copy the OTP code to the clipboard with a simple double-tap, so that you can paste it straight into the CERN SSO input field.</p> <h2 id="2fa-for-ssh">2FA for SSH</h2> <h3 id="will-you-provide-general-purpose-integrations-for-using-2fa-on-the-command-line">Will you provide general purpose integrations for using 2FA on the command-line?</h3> <p>Many command line tools cannot differentiate between 1FA and 2FA logins. For example, many tools rely on Kerberos for authentication, but there is no standard for obtaining a Kerberos ticket using 2FA, nor is there any standard for encoding the fact that a Kerberos ticket was issued after a 2FA login. As such, the decision was taken to restrict the usage of most command line AI tools to aiadm nodes only, and to require 2FA logins to aiadm nodes.</p> <h3 id="will-2fa-logins-be-required-for-lxplus">Will 2FA logins be required for LXPLUS?</h3> <p>2FA protection using your smartphone OTP app is <a href="https://cern.service-now.com/service-portal?id=outage&n=OTG0151290">now also available for LXPLUS/LXTUNNEL as a pilot</a>. A more comprehensive roll-out to LXPLUS/LXTUNNEL is planned for <a href="https://cern.service-now.com/service-portal?id=outage&n=OTG0071297">2025</a>.
Administrators of computing services are still advised to use AIADM (2FA protected).</p> </article> </div> </div> </main> </div> </body> </html>