ALL NPPS Members

["Ye, Shuwei" <yesw AT bnl.gov>]

 Dear all,

I would like to share with you the browser-based authenticator https://authenticator.cc, which works for all OS including Linux and the browser extension is available for browsers: Firefox, Chrome, and Edge. 

One nice feature I love: you need not to read and type the code anymore, just click on the code to copy into the system clipboard.

Another very useful feature is that it could display the saved QR image to allow adding the OTP token into other additional devices.

Cheers,

--Shuwei

---

From: Ye, Shuwei <yesw AT bnl.gov>
Sent: Friday, November 22, 2024 2:20 PM
To: bnl-shared-tier3-l AT lists.bnl.gov <bnl-shared-tier3-l AT lists.bnl.gov>
Subject: Re: How to Add Multiple Devices in CERN's 2FA

 

Dear all,

The guide of CERN 2FA setup does not recommend "Google Authenticator" as it comes with some security drawbacks:

The sync communication between endpoint and cloud is unencrypted and can be snooped on by adversaries.

If you have already used "Google Authenticator"  for the other 2FA's such as BNL account, you can get rid of this drawback by turning off the new syncing feature:

1. Open the Google Authenticator app on your device.

2. Tap on your profile photo in the top-right corner.

3. Select "Use without an account" from the menu options.

4. Tap "Continue" to confirm.

Cheers,

--Shuwei

---

From: Ye, Shuwei <yesw AT bnl.gov>
Sent: Friday, November 22, 2024 12:22 PM
To: bnl-shared-tier3-l AT lists.bnl.gov <bnl-shared-tier3-l AT lists.bnl.gov>
Subject: How to Add Multiple Devices in CERN's 2FA

 

Dear all,

CERN accounts are required to configure CERN's 2-factor authentication (2FA) by Feb 25th, 2025.

It would be more convenient to set up the 2FA code on multiple devices, including computers.

Here I would like to share the way to do that:

1. Go to https://users-portal.web.cern.ch/
2. Generate the QR Code as shown below.
3. Save the QR Code image.
4. Scan the QR Code into your 2FA authenticator app on your device.
5. Input the one-time code from your 2FA authenticator app, then submit.
6. You can scan the above QR Code image on additional devices as you like.

If you have already set up CERN's 2FA and did not save the QR Code, you can visit https://users-portal.web.cern.ch/, click on "Configure 2FA" under right the "Actions" section, to configure 2FA. Then repeat the above steps.

Cheers,

--Shuwei

---

From: Stefan Lueders <Stefan.Lueders AT cern.ch>
Sent: Friday, November 22, 2024 7:52 AM
To: eligibility-part (eligibility-part) <eligibility-part AT cern.ch>
Cc: Gaelle Duperrier <gaelle.duperrier AT cern.ch>
Subject: [PLEASE ENROLL] CERN's 2FA protection to come by Feb 25th 2025

 

Dear colleagues,

 

With this email I would like to kindly remind you to configure CERN's 2-factor authentication ("2FA")for your CERN account. "Just" follow this procedure in order to protect your work and that of CERN: https://cern.service-now.com/service-portal?id=kb_article&n=KB0006587. If you have your CERN 2FA already set-up, all good 🙂!

 
Actually, CERN is currently rolling out 2FA protection to most computing accounts of the Organization (so far, we enrolled 32.000+ accounts of CERN staff, employees and users). BY FEBRUARY 25TH, 2025, 2FA SHALL ALSO BE ENABLED TO YOUR CERN ACCOUNT.

Two-factor authentication ("2FA") implies that you log in in addition to your password ("something you know") with a hardware token like your smartphone or an USB dongle ("something you have") – the so-called 2^nd factor. This is considered to be a silver bullet in protecting computing accounts against any kind of abuse (more details at the end of this email) as it is much harder for an attacker to steal your hardware token (usually you always know where your smartphone is). In our latest phishing campaign in August last year 2000+(!) people provided their password to a fake login page. 2FA would have protected their accounts from any evil abuse (https://home.cern/news/news/computing/computer-security-room-top).

 

Technically this 2FA protection implies that in order to access CERN web applications protected by CERN's Single Sign-On (SSO), this CERN SSO will require your 2nd factor about every 12 hours when staying in the same browser session (websites behind the old SSO are not affected as this old SSO has to die; nor are SSH logins into LXPLUS affected). As without 2FA, separate browser sessions on the same or different devices require additional logins.

 

Thanks a lot for helping keeping the Organization secure. In case of questions, check out the resources below or contact Computer.Security AT cern.ch directly.

 

Cheers, S>>L

 

P.S. More information on 2FA:

   • Instructions to configure and set-up 2FA at CERN: https://cern.service-now.com/service-portal?id=kb_article&n=KB0006587

   • OTG: https://cern.service-now.com/service-portal?id=outage&n=OTG0071297

   • 2FA FAQ: https://auth.docs.cern.ch/trouble-shooting/2fa-tips/

   • "Log in. Click. Be secure": https://home.cern/news/news/computing/computer-security-log-click-be-secure

Dr. Stefan Lüders

CERN Computer Security Officer & Head of Computer Security

European Organization for Nuclear Research (CERN)

Phone +41 75 411 0207