MFA Help Pages:
Children Display | ||
---|---|---|
|
Info |
---|
MFA is highly effective at preventing unauthorized access to your accounts. With MFA, an attacker will not be able access your account simply by stealing your password. The attacker must also steal your phone or Yubikey to access your account. Use of MFA is mandatory for all LBL staff and affiliates after 9 December 2019. |
What are my options to set up Multi-Factor Authentication?
- Self-Service Google Authenticator setup:
- The instructions to set up Google Authenticator on your own are here: Install Google Authenticator and Setup MFA
- If you need any assistance with the setup, you can contact the IT Help Desk at x4357
- Walk-in support with IT:
- Desktop Support is located at 46-125 between the hours of 8:00 AM and 5:00 PM. Yubikeys are $50 and you must provide a Project ID. There is no additional charge for Google Authenticator but you must bring your smartphone with you to 46-125.
- On-site support with IT:
- If on-site support is required, the hourly rate for technician work is $100/hour including travel time and ticket processing time. Yubikeys are an additional $50. You must provide a Project ID before a technician will be sent out. There is no additional charge for Google Authenticator but you must have your smartphone with you.
What exactly is Multi-Factor Authentication?
Single-factor authentication, such as typing a password, is increasingly an insufficient protection for online accounts. The combination of phishing, malware, and brute-force guessing presents a formidable threat to single-factor authentication. Unauthorized access to your account can have significant harm, both to you personally (financial harm for example) and to the mission and reputation of Berkeley Lab.
Multi-factor authentication (MFA) requires more than one factor to authenticate. Most commonly, MFA requires typing a password (first factor) and entering a one-time code (second factor) generated by Google Authenticator on your phone or a Yubikey plugged into your computer.
MFA at Berkeley Lab enables you to have a second factor protecting your Lab account. When you log into enterprise applications (behind the Shibboleth Single Sign-On), you will first be prompted for a username and password and then a one-time code.
If you have questions regarding MFA, please submit a help ticket or contact the IT Help Desk at 4357.
Pop away |
---|
What is Multi Factor Authentication?
Multi Factor Authentication (MFA) is an authentication strategy where a user must provide more than one type of identifying evidence (factor) in order to gain access to a resource. ATMs used to access bank accounts are a good example: you must insert your ATM card (something you have) and enter your PIN number (something you know) before you can access your account. In computing, MFA most frequently involves having a password (something you know) and a physical key or token (something you have).
Why use MFA?
Multi-factor authentication provides continued protection, even if a password has been compromised. With MFA, an attacker will not be able to impersonate you, even if they know your password, whether from hacking a database, or by phishing attack. Access will be denied because they will not have the physical token in their possession.
Integration of One-Time Passwords with User Credentials
For access to most Lab resources other than privileged server access, Berkeley Lab has implemented an MFA strategy requiring the use of your Berkeley Lab Identity credentials in conjunction with a one-time password (OTP). An OTP can be generated either by a software or hardware solution. Berkeley Lab IT has enabled the ability to use either. Software OTPs are generated using Google Authenticator, whereas hardware OTPs are generated from an authentication device known as a YubiKey. Berkeley Lab IT is the organization that issues the hardware authentication device.
MFA at Berkeley Lab
Berkeley Lab uses MFA for access to:
- Windows Login - MFA for Operations personnel logging into Windows Active Directory computers (sometimes known as StrongID)
- HRIS Login - MFA for HR personnel logging into Berkeley Lab HR databases and accessing Personally Identifiable Information (PII) data
- Web-based single sign on (SSO) - MFA for Single Sign-On providing Lab personnel access to Berkeley Lab resources like email, calendar, LETS, etc.
- Web-based sign on with Password and Appended Token - MFA for FMS and some similar Oracle Peoplesoft-based tools.
- Lawrencium HPC Cluster - MFA for HPCS Clusters
- Privileged Server Access - MFA for access to critical servers and services via gateways (sometimes known as L4 Gateways, or L4 StrongID)
How do I get started using MFA?
The full process is outlined here.
Please note that Berkeley Lab employees can self enroll into MFA using the Google Authenticator App without submitting a help ticket.
Users must submit a help ticket to obtain either a Yubikey or Privileged L4 Key.