...
Multi-Factor Authentication (MFA) requires you provide more than one factor to authenticate. Most commonly, MFA requires typing a password (first factor) and entering a one-time code (second factor) generated by a device, such as Google Authenticator on you phone. With With MFA, an attacker will not be able to impersonate you, even if they know your password, whether from hacking a database, or by phishing attack. Access will be denied because they will not have the physical token in their possession.
Integration of One-Time Passwords with User Credentials
For access to most Lab resources other than privileged server access, Berkeley Lab has implemented an MFA strategy requiring the use of your Berkeley Lab Identity credentials in conjunction with a one-time password (OTP). An OTP can be generated either by a software or hardware solution. Berkeley Lab IT has enabled the ability to use either. Software OTPs are generated using Google Authenticator, whereas hardware OTPs are generated from an authentication device known as a YubiKey. Berkeley Lab IT is the organization that issues the hardware authentication device.
MFA at Berkeley Lab
Berkeley Lab uses MFA for access to:
access your account simply by knowing your password. The attacker must also have the device capable of generating a code, a much more difficult tasks.
How to use MFA at Berkeley Lab?
Most people already use MFA at Berkeley Lab and/or to secure their personal accounts.
When using MFA at Berkeley Lab, after entering your username and password you will be prompted for a one-time code, as follows:
If you are a member of an Operations division, MFA was required to login Berkeley Lab enterprise applications (Gmail, LETS, FMS, etc.) in May 2018
If you are a member of a Scientific division, you can opt-in to use MFA for Berkeley Lab enterprise applications beginning September 2018.
MFA Frequently Asked Questions (FAQ)
- How do I opt-in to MFA?
- How can I manage my Google Authenticator MFA tokens?
- How do I manage my Yubikey MFA tokens? (Operations Only)
- I lost my MFA token and can't login?
Other MFA resources Berkeley Lab
- Multi-Factor Authentication for FMS and HRIS Multi Factor Authentication for FMS - MFA for FMS is required for any users that have been opted or required to use MFA
- Multi Factor Authentication for HRIS - MFA for HR personnel logging into Berkeley Lab HR databases and accessing Personally Identifiable Information (PII) data
- Multi Factor Authentication for Windows (StrongID) - MFA for Operations personnel logging into Windows Active Directory computers (sometimes known as StrongID)
- Multi Factor Authentication for Single Sign-On (SSO) - MFA for Single Sign-On providing Lab personnel access to Berkeley Lab resources like email, calendar, LETS, etc.Multi Factor Authentication for Privileged Server Access - MFA for access to critical servers and services via gateways (sometimes known as L4 Gateways, or L4 StrongID)
- Lawrencium HPC Cluster - MFA for HPCS Clusters
How do I get started using MFA?
- If you are a member of the Science staff, an affiliate, a student/post-doc, or otherwise not an Operations staff member, you should get started in MFA by following this link.
- If you are a member of the Operations staff, follow this link.
If you have questions regarding MFA enrollment, please submit a a help ticket.
| Pop away |
|---|
