What is Token management/Authentication?
Security tokens are another method to authenticate the user to LBL's network. They provide an added level of security against unauthorized access. Token management will be used for those devices that use Active Directory, which includes Windows-based machines and mobile phones.
What is the New Token Solution?
What is Google Authenticator?
Google Authenticator is a software app that must be installed on your local device, typically your phone, and that generates the OTP needed to log in to LBL's systems. The token is valid for 30 seconds. A countdown timer is shown to help you determine the expiration time. Should it expire, a new token is automatically generated, and this token is what should be used when you log in.
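The 30-second behavior described above comes from the standard TOTP algorithm (RFC 6238) that Google Authenticator implements. The sketch below is an added example, not LBL's code: the secret is the public RFC test key, and the `drift_steps` tolerance is a hypothetical parameter, since this page does not state how much clock drift LBL's server accepts.

```python
import base64, hashlib, hmac, struct

STEP = 30      # seconds each code is valid, as stated on this page
DIGITS = 6     # length of the OTP shown by the app

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: float) -> str:
    """RFC 6238: the counter is the number of whole STEP periods since the epoch."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(at) // STEP)

def seconds_left(at: float) -> int:
    """What the app's countdown timer shows for the current code."""
    return STEP - int(at) % STEP

def verify(secret_b32: str, code: str, at: float, drift_steps: int = 0) -> bool:
    """Server-side check. drift_steps=0 accepts only the current code;
    a larger value tolerates clock skew (hypothetical parameter)."""
    key = base64.b32decode(secret_b32, casefold=True)
    now = int(at) // STEP
    ok = False
    for c in range(max(0, now - drift_steps), now + drift_steps + 1):
        # compare_digest avoids leaking how many digits matched via timing
        ok |= hmac.compare_digest(hotp(key, c), code)
    return ok

# Constructed sample: the RFC 6238 test secret, base32-encoded the way a
# secret is carried inside the 2-D barcode scanned during registration.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    t = 59                                   # one second before a window ends
    code = totp(SECRET, t)
    print(code, "expires in", seconds_left(t), "s")
    print("same window      :", verify(SECRET, code, t))
    print("next window      :", verify(SECRET, code, t + 1))
    print("with 1 step drift:", verify(SECRET, code, t + 1, drift_steps=1))
```

Because the code depends only on the shared secret and the clock, a phone whose time is off by more than the server's tolerance will produce codes that fail even though registration succeeded.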
What is a YubiKey?
YubiKey is a hardware OTP token generator that can also save a user's credentials. It is manufactured by Yubico and used by Facebook and Google. First, insert the YubiKey into a USB port on your computer before logging in. You may need to wait for the YubiKey to install the correct device drivers on first use. To use this key when logging in to LBL's systems, enter your LBL username and password, and the YubiKey will insert the OTP into the appropriate field once you tap the gold contact. Then hit return. The "YubiKey 4" hard key is small (2" x 0.75") and can be carried on a key ring. The "YubiKey 4 Nano" is meant to be inserted into a computer's USB port. Each YubiKey is issued to a specific LBL user and registered by the IT department. You must know where your YubiKey is because it is assigned specifically to you. Should you lose this device, you must report it to IT immediately.
What if I forget my YubiKey at home?
You can use Google Authenticator to log in instead.
What if I lose my YubiKey?
| Step | Instructions | View |
|---|---|---|
| 1 | You will need to report the loss to IT Help Desk at x4357 or online, and wait for a new YubiKey to be assigned to you. | |
| 2 | Go to the OTP Homepage, and click on "Lost (disable)" for that specific YubiKey. | |
| 3 | Click "Disable" to permanently disable the hard key. | |
How Do I Register My Devices for OTP?
| Step | Instructions | View |
|---|---|---|
| 1 | Go to the OTP Token Management webpage. Click the "Berkeley Lab login" button. | |
| 2 | If your YubiKey is registered, you will see it listed on your OTP Homepage as "BerkeleyLabKey (Yubikey)". | |
| 3 | On first use, insert your key into a USB slot on your computer. The required device drivers will automatically install. | |
| 4 | OPTIONAL: You may resync your YubiKey by clicking on the "Resync" link. You will need your YubiKey handy. | |
| 5 | Insert the YubiKey into your computer, and while the cursor is on the "One-Time Password 1" field, tap the gold, circular "Y" symbol on the top of the YubiKey 4. A tap on the metal will generate an OTP key and auto-populate the field. Then, move the cursor to the second field, "One-Time Password 2", and press the gold, circular "Y" symbol on the top of the YubiKey 4. You will see an OTP key auto-populate the field. Note: if you are using the YubiKey 4 Nano, press the rounded front of the key protruding from the USB port instead of pressing the gold, circular "Y". Then, click "Resync". | |
| 6 | OPTIONAL: On the OTP homepage, you may verify if the OTP is working by clicking on the "Test" link below your device's nickname. | |
| 7 | With the YubiKey in the USB port, press on the YubiKey's gold, circular "Y" symbol or the rounded front end to generate the OTP. Click "Test Now". If it is successful, you will see the message, SUCCESS! You can test again or click "Done". | |
| Step | Instructions | View |
|---|---|---|
| 1 | Go to the OTP Token Management webpage. Click the "Berkeley Lab login" button. | |
| 2 | Click the "Add an LBL token" link. | |
| 3 | Select the authorization method by which you can receive an authorization code. The choices are: Email: <personal email address on record>; SMS: <personal phone number on record>. For this example, SMS (text messaging) is used. | |
| 4 | Here is the text message with the Authorization Code sent to your mobile device. | |
| 5 | Type the Authorization code into the "Enter Authorization Code" field and give the registered device a meaningful nickname in the "Token Name" field. Click "Add Token." Note: there is a time limit for completing this step. If time has expired, "Cancel" and retrieve a re-issued token. | |
| 6 | You will see a 2-D barcode on the screen that you must scan with your device. If you have not done so, install the "Google Authenticator" app from the Google Play Store. | |
| 7 | To install the Google Authenticator app, please go to the Google Play Store on your phone. (This image is from a Samsung Galaxy 6S Android phone) | |
| 8 | Find the Google Authenticator application and install it. Then open the app. | |
| 9 | Tap "Begin setup". | |
| 10 | Then, tap "Scan a barcode" or "Enter provided key". In our example, we will scan a barcode. | |
| 11 | Google Authenticator will check if you have a barcode scanner installed. If a barcode scanner is missing, the app will prompt you to install a suggested app. | |
| 12 | Tap "Install" for the suggested ZXing "Barcode Scanner" app. Your device may select another suitable barcode scanner (which would also be sufficient). After installation has completed, close the app. | |
| 13 | Run Google Authenticator by choosing the "Authenticator" icon in your device's icon gallery. Tap "Scan a barcode", which is where you left off earlier. | |
| 14 | When the barcode scanner runs inside Google Authenticator, aim your phone's camera at the 2-D barcode in the browser. You may need to slowly adjust the distance and angle of your phone to allow the camera to auto-focus and capture the barcode image. You will only have ONE CHANCE to scan this code. | |
| 15 | If the barcode scan is successful, you will see the 6-digit OTP (One-Time Password) on your device. This code is valid for 30 seconds only. You must enter the token when you log in with your username and password. If you happen to take longer than 30 seconds, then use the most current auto-generated OTP. Note that there is a 30-second timer on screen. | |
| 16 | Your OTP dashboard should show all of your devices from which you will log into LBL's systems that require an OTP (including the one you just entered). Registration is complete now. | |
| 17 | OPTIONAL: On the OTP homepage, you may verify if the OTP is working by clicking on the "Test" link below your device's nickname. | |
| 18 | Enter Google Authenticator's time-sensitive OTP from your device into the "One-Time Password" field and click "Test Now". Note: once the time has expired, the token will be invalid. Only the newest OTP should be entered into the field for verification. | |
| 19 | If successful, you should see the message: Success! You can test again or click "Done". If there is a problem, you may restart the registration or call the help desk at x4357. | |
| 20 | OPTIONAL: On the OTP dashboard, you may click on "Delete" if you decide to permanently stop using the device to access LBL assets that require an OTP. | |
| 21 | Click "Delete" to confirm the deletion. | |
| 22 | If you were using the Pledge application from Nordic Edge, you may uninstall it now. | |






















