What is multi-factor authentication?
Multi-factor authentication is the method where a user is granted access to a resource once they have provided several separate pieces of evidence proving who they are. For example, think about accessing your bank accounts via an ATM machine. To prove to the bank who you are and that you can have access to your bank account, you insert your ATM card (something you have) and enter your PIN number (something you know). You have provided the bank with two forms of authentication enabling the bank to give you access to your accounts.
Why use multi-factor authentication?
Plain and simple, to secure resources against unauthorized personnel and ensure only authorized users access appropriate resources.
Security Tokens at Berkeley Lab
A methodology to implement multi-factor authentication requires the use of one-time passwords (OTP) or what we call security tokens. OTP can be provided either by software or hardware solutions. Berkeley Lab IT has opted from both solutions. Software security tokens are generated from Google Authenticator and the issuance of hardware tokens with varying security privileges can be obtained from Berkeley Lab IT.
Multi-factor Authentication at Berkeley Lab
Berkeley Lab uses MFA on several systems, including:
- Windows login - requirement of multi-factor authentication for Operations personnel logging into Windows Active Directory computers (sometimes known as StrongID)
- HRIS (other than the website) - requirement of multi-factor authentication for HR personnel logging into Berkeley Lab HR databases
- Web-based single sign on (SSO) - requirement of multi-factor authentication for Shibboleth providing Lab personnel logging into Berkeley Lab resources like email, calendar, LETS, etc.
- Lawrencium HPC cluster - All HPCS Clusters require One Time Passwords (OTPs) for Authentication
- Privileged Server Access - Access to certain critical servers and services is done via gateways (sometimes known as L4 Gateways, or L4 StrongID)
How do I get started using Multi-factor Authentication?
The full process is outlined here. Please note that Berkeley Lab employees must submit a help ticket to obtain any hardware security OTP tokens.