Two factor authentication is now required by UBIT and is optional at CCR.  If you have it enabled at CCR you will need to know how to login to our various services properly.


Users can manage their two factor TOTP (time-based one-time password) configuration by logging onto the identity management portal.  When the user first navigates to the site they are required to login with their CCR username and password.  If the user has "two factor authentication" enabled they would be required to enter their username along with their "Password+OTP." The OTP (one time password) is a code generated in the app the user used when enabling two factor authentication on their CCR account.  CCR supports Duo, Google Authenticator, FreeOTP, Windows Authenticator, and SailOTP.  


It is important that users understand that they need to enter their password and OTP together in one string without any spaces or characters such as "+" in between them, or they won't be able to login.  These OTP codes are generated by the app and change every few minutes. 

NOTE: many of the apps (i.e. Google Authenticator and Duo) display the 6 digit code with a space separating the first 3 numbers with the second set.  When logging in to CCR resources, do NOT enter the space.


For example, if my password is: Henry45!

and my new generated OTP is: 123 456

I would enter this in the password field: Henry45!123456



OnDemandColdFrontand LakeEffect (research cloud) all utilize this same login method as they authenticate through the IDM portal.

More info on OnDemand can be found here

More info on ColdFront can be found here
More info on the LakeEffect research cloud can be
found here




Web portal logins


Some of our other web portals like WebMO, don't specify how to enter the OTP code when logging in.  Users must enter "Password+OTP" in the Password field, as one continuous line with no spaces or characters in between them.  See the example shown above for logging into the IDM portal, OnDemand and ColdFront.

NOTE: many of the apps (i.e. Google Authenticator and Duo) display the 6 digit code with a space separating the first 3 numbers with the second set.  When logging in to CCR resources, do NOT enter the space.




SSH client logins


If a user is using SSH to access CCR services, they will still have to enter their password and OTP in the same way as described above, with no special characters or spaces in between them. 

HINT: The characters you enter in the password entry while using a SSH client won't show up on the terminal.  Type your full password and OTP code, then hit the 'enter' button.


NOTE: many of the apps (i.e. Google Authenticator and Duo) display the 6 digit code with a space separating the first 3 numbers with the second set.  When logging in to CCR resources, do NOT enter the space.



More info on using SSH to login to CCR resources for your operating system can be found in the following articles:


SSH for Linux

SSH for Windows

SSH for MacOS


Using SSH keys?  When you have enabled two-factor authentication for your account and uploaded SSH keys to our system, the keys will be used first when trying to login to servers that support SSH.  If the key doesn't work for some reason or you're logging into a web portal or other service that doesn't support SSH keys, you'll be prompted for your password and one-time token (OTP) generated from your mobile app.  More details on SSH keys can be found here:  Managing SSH keys in the Identity Management Portal



How do I turn off two factor authentication?

To learn how to turn off or manage the two factor authentication on your CCR account, please view this article. In an event where a user has misconfigured their account or has switched to a new phone and does not have a paired app, they will not be able to remove or manage two factor authentication from their CCR account. Users must contact CCR help to turn this off.  Please see this policy for information about removing two factor authentication.