Account Management

Two-factor Authentication

Two-factor authentication means that in addition to a password, you need a key (typically a numeric PIN) generated by a device you have with you. Most people install an app on their cell phone to generate the key. Two-factor authentication can increase your security, although it's not a magic solution to all problems. See the next section for what it can and can't do.

There's one other thing that can be done to improve your security. We have a web page that can be used to reset your password. You login to it with your University password. That means that anyone who knows your University password can change your Computer Science password. For typical student users this is fine. However the two passwords are used in different ways. If you're concerned that your University password is more likely to be compromised than your CS password, you might want to protect your CS password from being reset in this way. It is possible to disable the web page that allows your password to be changed. Please send email to help@cs.rutgers.edu to request that. You will still be able to change your password using the normal Kerberos "kpasswd" command. Note however that if you disable the password reset page, and you forget your password, you'll need to come to the CORE building and show identification to a staff member to get it reset.

On our systems, individual users can enable two-factor authentication for their accounts. Once that's done, all logins using that username will need the extra key. (There's an exception for cron jobs, but you have to enable that exception on a host-by-host basis.)

Our Kerberos implementation supports three forms of two-factor authentication: TOTP, HOTP, and Yubikey. In addition, Google authenticator can be used, as in the past. (However we've had issues with the Google authenticator code. We may well not continue with it. If you're using Google authenticator, we suggest changing to the two-factor authentication described here.)

TOTP and HOTP both work with an application on your phone or other device. The application displays a 6-digit number, which you need to add at the end of your password to login.

TOTP and HOTP use slightly different algorithms. TOTP is based on the time. The code works for about 30 sec. HOTP is based on count. That is, the next number applies no matter when you use it. That means you can generate numbers from HOTP and keep them in your wallet. With TOTP you need your phone with you to login.

There are things to think about before using two-factor authentication. See the section at the end.

For more detailed documentation, see the Redhat one-time password documentation.

What Two-Factor Authentication Will and Won't Protect Against

Two-factor authentication primarily protects against people guessing or finding out your password. In practice this is the most common type of security problem at Rutgers. It includes things such as brute-force attempts to try common passwords, various software that can watch your interactions with the system, and someone seeing you type your password.

Historically, hackers have often found ways to become "root" (the privileged user). Once they can do that, they can install software to watch what you do. There are relatively recent attacks that allow even normal users to do that. If someone is able to watch what you do, they can get your password. Using a one-time password means that they won't be able to login as you in the future or on a different computer.

However one-time passwords don't protect you while you're logged in. If someone is able to become root on a system, they can access your files while you're logged in. They can also watch what you're doing. One-time passwords simply limit your exposure by making sure they can't login as you later and continue accessing your files, or login as you on a different computer.

For this reason, If you have sensitive material, it is best to limit your logins to systems used by only a few people. This is one reason we maintain two systems that only faculty can log in to.

Note that legally sensitive material, such as SSNs and medical information, should not be kept on our systems without special security arrangements. Our systems are probably secure enough, but medical information and credit card numbers have requirements to document policies, do staff training, etc, in a way that would take a lot of time. It's not worth doing that unless this is going to be a requirement for a significant number of users.
Mobile Device Clients

Clients for TOTP and HOTP are available for many devices. For IOS and Android, we recommend FreeOTP for full compatibility in the appropriate app store.

Because the TOTP and HOTP standards are also used by Google authenticator, you can also use a Google authenticator implementation on your device with some limitation (see Important note below). For devices other than IOS and Android, we recommend looking for a Google authenticator implementation (see Important note below). If you're using DUO for your University account, the DUO app can generate one-time passwords for our system. (We do not use the actual DUO technology. It's just that their app supports standards-based authenticatoin as well as their own technology.)

IMPORTANT: FreeOTP, DUO, Lastpass Authenticator, and 1Password have more complete implementations of the official specification than most other OTP applications. Other implementations, such as Google authenticator, Authy, or Authenticator browser extension may support only a weaker form of token hashing. If you're not using FreeOTP or another application on that list, it is safest to add the parameter "--algo=sha1" to the "ipa otptoken-add" command.
Enabling Two-factor Authentication

Two-factor authentication uses "tokens." For TOTP and HOTP, a token is simply an item that shows in your mobile app. The same mobile app can have tokens for many different systems. You can also have more than one token for a system, e.g. one for TOTP and one for HOTP.

Important: When adding Two-Factor, make sure you open your terminal windows wide, as the command will show QRCode on the screen for you to scan using your mobile app. Test your login before closing your existing terminal window or you could be locked out. If there are problems, remove the Two-Factor in Removing Two Factor Authentication section and try adding it again

To enable two-factor authentication, log into one of our systems. To add a TOTP token,

if you're using FreeOTP, DUO, Lastpass Authenticator, 1Password, or Sophos Authenticator

ipa otptoken-add
for other clients
ipa otptoken-add --algo=sha1
This command will display a QR code. In the phone app, hit the QR icon and use the camera to scan the QR code displayed. This uses TOTP. To add a HOTP token, use
ipa otptoken-add --type=hotp
If you are concerned about brute-force attempts to guess your password, it is somewhat safer to use --digits=8 with the otptoken-add command. The default is to generate a 6-digit random PIN.

Yubikey is a physical device that you carry with you and plug into a USB port. If you have a Yubikey, you can use it with our system. Insert your key, and then type the command

ipa otptoken-add-yubikey

If you use Yubikey, we recommend also using the other type of OTP, since Yubikey won't let you ssh from a non-CS system such as your home computer, unless you're done special software setup to integrate it with our system.

Using The Client

On your mobile device, open your choice of mobile app, it will display a 6 or 8 digits code. To login, type your CS password, adding the digits to the end.

If you're worried about forgetting or losing your phone, one approach is to add both HOTP and TOTP. Generate several keys using HOTP and keep them in your wallet. Then use TOTP for normal use. If you lose your phone, you can login with the keys from your wallet until you can replace it or remove two-factor authentication.

You can also set up two-factor on more than one portable device, e.g. your phone and a tablet.

Removing Two Factor Authentication If you decide to disable your Two factor Authentication, you have two options:

Option 1: if already have access to the system.

- Get UniqueID of OTP you have enabled using command line on a terminal by typing:

ipa otptoken-find

- Delete the otp token by typing this command.

ipa otptoken-del UniqueID
Option 2: if don't have access to the system.

If you can't log in because your token no longer works then come see one of the LCSR staff in person on Core 2nd floor, room 211 thru 217. Bring your Rutgers ID so we can verify it is you making the request.

 

For help with our systems or If you need immediate assistant, visit LCSR Operator at CoRE 235 or call 848-445-2443. Otherwise, see CS HelpDesk.   Don't forget to include your NetID along with descriptions of your problem.