The ultimate silver bullet to protect your account, computer and data is using a sufficiently complex and unique password combined with a second-factor token, i.e. in addition to the password you know, something you have, like your smartphone or a hardware token. This authentication process is known as two-factor authentication (“2FA”). It presents a huge hurdle for any attacker, as they would need to not only acquire your password, which can be achieved virtually (“CERN has been phished again”), but also physically steal your hardware token. As announced in the Bulletin of November 2021 (“Multifactor for the masses”), CERN is ready to roll out 2FA for part of the CERN community in the second quarter of 2022. Log in. Click. Be secure.

In 2020, CERN focused on rolling out 2FA for experts needing to access and administer certain computing services, i.e. those with access to critical control systems (e.g. via the BE department’s ROGs), IT systems (e.g. using Foreman) or sensitive data. However, this led to confusion among many users on when to use just their password and when to use multi-factor authentication. Also, this did not take full advantage of two-factor authentication, as thorough, coherent and profound 2FA deployment is seen as the silver bullet for achieving account security (as already employed by your bank and, possibly, used by you outside CERN).

Hence, as of the second quarter of 2022, using two-factor authentication when logging into any CERN web application will become mandatory for those aforementioned experts given their critical powers and the critical nature of their accounts. As of then, CERN’s new web-based Single Sign-On (SSO) portal will require them to authenticate with both their password and their second factor for any website behind CERN’s new web-based SSO*, regardless of whether it is to access a critical control system, administer a very important computing service or just browse the CERN phonebook or any other webpage behind the SSO.

Two hardware tokens are currently supported:

• a dedicated one-time password generation app for smartphones – making that smartphone the second hardware token – or
• a physical USB token (e.g. “Yubikey”) that uses a CERN-dedicated private/public keypair (https://webauthn.guide/) for the second authentication step.

Once authenticated correctly, work will continue as normal, as browser sessions will stay active for 12 hours or until the browser is closed, or another browser/device is used. This would give those experts, their accounts, their data and applications and – ultimately – CERN the best protection against identity theft and password exposure.

People who are using CERN computing facilities “only” for their research duties and scientific endeavours are not affected by this new feature deployment but are still invited to opt in through the IT User Portal, and we hope that as many people as possible value their protection highly enough to take this additional step – a step that is common when accessing your bank account, for instance.

Roll out of this “2FA-WithNewSSO” (“2FA-WINS”) feature has started and will pursue in a staged approach commencing today for all volunteers interested in better securing and protecting their account and digital life. Just subscribe to this e-group to join. For members of the CERN IT department, the usage of 2FA-logins on CERN’s new web-based SSO will become mandatory during Q2 2022, and, subsequently, followed by all experts holding critical access in the course of summer 2022. Check out all the details (like how to activate 2FA or what to do if you lose it) on our dedicated webpage. Log in. Click. Be secure.

*Non-web-based applications, like SSH bastion hosts, will continue to require 2FA only on a case-by-case basis. Similarly, logins via the old SSO are not affected as this old service is supposed to be phased-out.

_____

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.