Watch our short (less than 2 minutes!) video demonstrating this process


Or a slightly longer step-by-step demo 


HINT:  Both are guaranteed to save you a TON of time.  If you go wrong with this setup your account gets locked and you will need to verify your identity with CCR help in order to get it unlocked.  Save the pain and watch at least one of these videos first!




"Multi-factor authentication (MFA) is a method of computer access control in which a user is only granted access after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are such as a biometric like a fingerprint or voice print)....A good example from everyday life is the withdrawing of money from a cash machine; only the correct combination of a bank card (something that the user possesses) and a PIN (personal identification number, something that the user knows) allows the transaction to be carried out"  (Source: Wikipedia)


CCR provides the ability to enable two factor authentication in the identity management portal so users have an extra layer of protection and security on their accounts.  For our implementation, the two factors we are requiring are your password and a randomly generated code using an app on your smartphone such as Duo or Google Authenticator (something you have), an application installed on your desktop or a programmable hardware security key.  


See this article for info on logging in to CCR resources with two factor authentication enabled






FIRST - INSTALL AN AUTHENTICATION APP ON YOUR SMART PHONE


Apps we support for two factor authentication:

Most time-based one-time password apps work with CCR accounts.  However, we recommend you use Duo, since that is also what UBIT uses for their accounts.  Google Authenticator is another good option.  NOTE: you can only use one at a time so no need to install all the apps

Duo Mobile (for iOS and Android) - currently in use by UBIT for all faculty/staff/student accounts

Google Authenticator (for iOS and Android)

Authy (for iOS, Android, MacOS, Windows, Linux)


Other apps - anything that support TOTP or HOTP tokens:

FreeOTP (for iOS and Android)

Microsoft Authenticator (for Windows phones)

Sailfish (SailOTP)


Don't want to use a smart phone?  There are alternatives but you can NOT use the UBIT hardware token with your CCR account



NEXT - Turn on two factor authentication


Login to the IDM portal and click on the "Two-Factor Auth" link.



Then click on the "Enable Two-Factor TOTP" 


NOTE:  Most one-time passcode generators work with CCR accounts.  However, we recommend Duo or Google Authenticator.  This article contains specific Duo setup information




When you click the Enable button a QR code will be displayed.  Use the authentication app on your phone to scan the QR code.  If your phone does not have a camera or you are not using a smart phone app, you can click the "Show URI" link underneath the QR code.  This will display a long code that needs to be entered into the authentication app.  



What happens if I don't see the QR code?

If you previously enabled two factor authentication on your account, you will already have at least one OTP token on your account.  The QR code will not display when re-enabling 2FA.  If you do not have an app configured with the OTP token(s) on your account, you should disable two factor auth.  Then click on the "OTP Tokens" menu item and delete the token(s) listed for your account.  Return back to "Two-Factor Auth" and enable it.  You will then see the QR code display and you can scan it in your app or click "Show URI" to copy the long secret into your desktop app.




You can view your OTP tokens as well as add and remove them by clicking on "OTP Tokens"


You can manage two factor auth on your account by clicking the Two-Factor Auth link:



Once 2FA is enabled, every time you login to CCR resources, you'll need to enter your username, password, and then a one-time password code generated in the app you chose during setup. Go to your phone, start the app, and enter both your password and the OTP code into the password box or when prompted for a password at the command line. There should be no spaces or special characters between your password and the OTP code.

NOTE: some of the apps (i.e. Google Authenticator) display the 6 digit code with a space separating the first 3 numbers with the second set.  When logging in to CCR resources, do NOT enter the space.


 



A note about Duo:

The Duo app is currently used by UB for providing one-time tokens for UB accounts.  It's very convenient to use this app for CCR accounts too.  However, the CCR systems do not provide PUSH notifications, like the UB systems do.  To use Duo with your CCR account, please follow these instructions and remember, your CCR account is SEPARATE from your UBIT account in Duo.

To login to your CCR account, launch the Duo app and touch the CCR account to generate a one time token.



How do I turn it off? 

Login to the IDM portal and click on the "Two-Factor Auth" link.  Then click on the "Disable Two-Factor TOTP"


Click the Disable button and you should see the status is now set to OFF


You can re-enable it at any time following the steps detailed above.  Please note that users can not login to anything else at CCR without having two factor auth enabled.




How do I login with 2FA enabled?


Note:  This is different than our UBIT accounts so please watch this 50 second video!




See this article for more details on logging in to CCR resources with two factor authentication enabled


Adding more devices to your CCR account or what to do if you have to switch phones