What is multi-factor authentication?
Multi-factor authentication is a method in which a user is granted access to a resource once they have provided several separate pieces of evidence proving who they are. For example, think about accessing your bank accounts via an ATM. To prove to the bank who you are and that you can have access to your bank account, you insert your ATM card (something you have) and enter your PIN (something you know). You have provided the bank with two forms of authentication, enabling the bank to give you access to your accounts.
Why use multi-factor authentication?
Plain and simple, to secure resources against unauthorized personnel.
Security Tokens at Berkeley Lab
One methodology for implementing multi-factor authentication requires the use of one-time passwords (OTP), or what we call security tokens. OTPs can be provided by either software or hardware solutions. Berkeley Lab IT has opted for both methods. Software security tokens are generated by Google Authenticator, and hardware tokens with varying security privileges can be obtained from Berkeley Lab IT.
Multi-factor Authentication at Berkeley Lab
IT at Berkeley Lab has initiated multi-factor authentication in a few implementations this last year. They are:
- Strong-ID - requirement of multi-factor authentication for Operations personnel logging into Windows Active Directory
- HRIS OTP - requirement of multi-factor authentication to Berkeley Lab HR data
- MFA - requirement of multi-factor authentication for Shibboleth providing access to Berkeley Lab data resources like email, calendar, LETS, etc.
How do I get started using Multi-factor Authentication?
There are some basic steps that need to be performed and they are:
- Ensure that your "Account Notification Information" is up-to-date. This is the non-LBL email and a mobile phone number that Lab personnel provide for important account notifications and Lab alerts, see https://password.lbl.gov/#/.
- Obtain OTP/Security Tokens
  - Software - Google Authenticator generated tokens
    - Install Google Authenticator, see Install Google Authenticator on Mobile Device
    - Manage my OTP Tokens, see Manage my StrongID (Note I would like to change this to Manage my OTP Tokens)
  - Hardware
    - YubiKey - USB key provided to all Lab personnel by Berkeley Lab IT. It can be obtained by submitting a help ticket. For support documentation, see YubiKey
    - Privileged Identity (This is now called Privileged StrongIDs but needs to be changed) - USB key provided to Lab personnel requiring escalated privileges to restricted Lab resources. The hardware token can be obtained by submitting a help ticket. For support documentation, see Using Privileged StrongIDs
- Opt in to MFA only after tokens have been generated: select the check box "Opt-in to MFA" on https://identity.lbl.gov/mfa/
- Confirm you have completed the MFA process by filling out the confirmation form, MFA for Berkeley Lab Identity Enrollment Confirmation