"Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are such as a biometric like a fingerprint or voice print)....A good example from everyday life is the withdrawing of money from a cash machine; only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, something that the user knows) allows the transaction to be carried out"  (Source: Wikipedia)

CCR provides the ability to enable two factor authentication in the identity management portal so users have an extra layer of protection and security on their accounts.  For our implementation, the two factors we are requiring are your password and a randomly generated code using an app on your smartphone such as Duo, Google Authenticator or FreeOTP (something you have).  

See this article for info on logging in to CCR resources with two factor authentication enabled

How do I turn on two factor authentication?

Login to the IDM portal and click on the "Two-Factor Auth" link.

Then click on the "Enable Two-Factor TOTP" 

NOTE: though this screenshot and the IDM portal don't specify this, the Duo app used by UBIT is also supported by CCR.

When you click the Enable button a QR code will be displayed.  Use the authentication app on your phone to scan the QR code.  If your phone does not have a camera or you are not using a smart phone app, you can click the "Show URI" link underneath the QR code.  This will display a long code that needs to be entered into the Authenticator app.  

You can view your OTP tokens as well as add and remove them by clicking on "OTP Tokens"

You can manage TOTP on your account by clicking the Two-Factor Auth link:

Once TOTP is enabled, every time you login to CCR resources, you'll need to enter your username, password, and then a one-time password code generated in the app you chose during setup. Go to your phone, start the app, and enter both your password and the OTP code into the password box or when prompted for a password at the command line. There should be no spaces or special characters between your password and the OTP code.

NOTE: some of the apps (i.e. Google Authenticator) display the 6 digit code with a space separating the first 3 numbers with the second set.  When logging in to CCR resources, do NOT enter the space.


What apps do you support for two factor authentication?

Currently, CCR supports the following apps for time-based one-time passwords.  However, you are welcome to try others.  Please send us feedback if you find other freely available applications that work!  NOTE: you can only use one at a time so no need to install all the apps

Duo Mobile (for iOS and Android) - currently in use by UBIT for all faculty/staff/student accounts

FreeOTP (for iOS and Android)

Google Authenticator (for iOS and Android)

Microsoft Authenticator (for Windows phones)

Sailfish (SailOTP)

A note about Duo:

The Duo app is currently used by UB for providing one-time tokens for UB accounts.  It's very convenient to use this app for CCR accounts too.  However, the CCR systems do not provide PUSH notifications, like the UB systems do.  To login to your CCR account, launch the Duo app and touch the CCR account to generate a one time token.

How do I turn it off?

Login to the IDM portal and click on the "Two-Factor Auth" link.  Then click on the "Disable Two-Factor TOTP"

Click the Disable button and you should see the status is now set to OFF

You can re-enable it at any time following the steps detailed above.

What if I have two-factor auth enabled and SSH keys uploaded?

When you have enabled two-factor authentication for your account and uploaded SSH keys to our system, the keys will be used first when trying to login to servers that support SSH.  If the key doesn't work for some reason or you're logging into a web portal or other service that doesn't support SSH keys, you'll be prompted for your password and one-time token (OTP) generated from your mobile app.  More details on SSH keys can be found here:  Managing SSH keys in the Identity Management Portal