NEW! Better security due to multi-factor authentication
Have you ever worried about using your password for logging into critical applications (like accelerator or experiment control systems), as an administrator for computing services, or for authorising expensive orders in EDH? You are right to worry. If your password is lost or stolen, the lucky finder or malicious thief might misuse your access rights to wreak severe havoc on the operation of the Organization.
Rubén Santamarta, a well-known security researcher, discovered a near-miss in 2011. He reported how he had uncovered a password that provided read access to the LHC cryo controls. This is as close as it can get to disaster. Fortunately, the password only allowed read access (but had no modification rights). And, of course, Santamarta was nice enough to share his findings with us.
In order to improve on that, the CERN Single Sign-On portal now provides the means for “Two-Factor Authentication”. "Authentication" is the process where you digitally prove who you are. Usually, your identity is verified when you type in your password. As you should never (!) share your password with anyone else, only you can provide the correct password to your digital identity. Your identity has been correctly authenticated. At CERN, you basically have one password that is attached to your CERN account and the CERN Single Sign-On portal is the central instance for authentication (see the screenshot below; some special applications might require additional accounts and passwords but we try to reduce them to a minimum, as remembering many different passwords is hard).
However, for the aforementioned critical applications or those currently used within the CERN Finance Department or in the CERN Computer Security Team, "just" knowing a password might not be sufficient as passwords are regularly stolen or lost*. "Two-Factor Authentication" is an enhanced method and requires you not only to know a password but also to have with you a piece of hardware. As there is no single second factor that suits all needs, the Single Sign-On portal allows you to authenticate with any of these four pieces of hardware (see screenshot below):
- your CERN mobile phone: you are asked to provide a unique 6-digit authentication code sent to this phone via SMS.
- your personal SmartPhone running the "Google Authenticator"-app: you are asked to provide a unique six-digit authentication code calculated by “Google Authenticator”.
- a Yubikey USB: pressing the only button on the Yubikey produces a long one-time password string.
- your CERN Access Card with a special integrated SmartChip: insert your card into a dedicated SmartCard reader, provide a PIN, and unlock the stored certificate.
It is up to you to select your preferred hardware(s). A CERN mobile phone can be obtained from the Telecom Lab; "Google Authenticator" can be downloaded from your favorite app store (e.g. iTunes); Yubikeys will soon be available from the CERN stores (for the time being, please contact the Computer Security Team); a compatible CERN Access Card with a visible "golden" SmartChip will soon be available from the Registration Service (for the time being, please contact the Computer Security Team).
The only remaining task before using your hardware tokens is to match them with your CERN account at one of the SSO self-service stations, e.g. at the Registration Service in building 55 (ground floor), at the Service Desk office in building 55 (2nd floor) or in the IT secretariat in building 31 2-017 (you will need your CERN access card at the last of these). Once configured, all your hardware preferences are listed in the "Account Management" section of the Resource Portal. From there, you can also delete them if, for example, the hardware has been lost or stolen, or if you simply do not need it any more.
* You might think of other critical applications and we encourage every service owner to reflect on whether two-factor authentication is an appropriate means to better protect their application.
For further information on multi-factor authentication, please have a look at our Computer Security recommendations or check out our website or e-mail Computer.Security@cern.ch.
If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.
Access the entire collection of Computer Security articles here.