What is Multi-Factor Authentication?
Single factor authentication, such as typing a password, is increasingly an insufficient protection for online accounts. The combination of phishing, malware, and brute-force guessing present a formidable threat to single factor authentication. Unauthorized access to your account can have significant harm, both to you personally (financial harm for example) and to the mission and reputation of Berkeley Lab.
Multi-Factor Authentication (MFA) requires more than one factor to authenticate. Most commonly, MFA requires typing a password (first factor) and entering a one-time code (second factor) generated by a device, such as Google Authenticator on your phone. With MFA, an attacker will not be able access your account simply by stealing your password. The attacker must also steal device capable of generating a code, a much more difficult task from afar.
How to use MFA at Berkeley Lab?
MFA at Berkeley Lab enables you to have a second factor protecting your Lab account. When you login into enterprise applications (behind the Shibboleth Single Sign-On), you will first be prompted for username and password then prompted for a one-time code, as follows:
Most people already use MFA at Berkeley Lab and/or to secure their personal accounts. It is highly effective at preventing unauthorized access to your accounts.
Operations Divisions
Since May 2018, MFA has been required for Operations users logging into Berkeley Lab enterprise applications (Gmail, LETS, FMS, etc.) in May 2018
Scientific Divisions
Beginning September 2018, Scientific division users can opt-in to use MFA for Berkeley Lab enterprise applications.
MFA Frequently Asked Questions (FAQ)
- How do I opt-in to MFA?
- How do I add/remove a Google Authenticator token?
- How do I login if my MFA device is lost or stolen?
- How do I add/remove a Yubikey token?
- How do I install Google Authenticator?
Other MFA resources
- MFA for FMS and HRIS - Required and opt-in MFA users must also use MFA to access FMS and HRIS.
- MFA for Windows Workstations (Operations Divisions only) - Operations users logging into Windows Active Directory computers must use MFA.
- MFA for Privileged Accounts (IT Division only) - Privileged accounts used for IT infrastructure management must use MFA
- MFA for HPCS (HPCS users only) - Users of HPCS must use MFA
If you have questions regarding MFA enrollment, please submit a help ticket or contact the IT Help Desk at 4357.