Two Factor Authentication

From IdentityVectorSolutionsWiki
Revision as of 19:58, 5 May 2012 by Phil

Background

At identityVector, we are always working to provide the most secure services possible. We're pleased to offer user-initiated Two Factor Authentication to our SSH, SCP, and SFTP users. This service is OPTIONAL, and can be added or removed as you like. Note that this is considered an advanced feature, so please don't configure it without fully understanding the potential impacts.

Two-factor authentication (2FA) is an authentication mechanism that requires information from a physical token of some kind in addition to your password before granting access. This means that successful 2FA requires both "something you know" (password) and "something you have" (the token). identityVector has evaluated several solutions, and selected Google Authenticator as our 2FA provider.

Caveats

  • Currently, key-based authentication overrides 2FA on our systems. If you have a valid SSH key authorized for your IVS SSH account, 2FA is ignored entirely.
  • Our 2FA configuration is enabled for SSH, SCP, and SFTP access only. No other services have been configured to support 2FA at this time.
  • Client-specific nuances will be added to this page as they are discovered. If you find a particular client is not working, but one of our supported clients works with 2FA, please let us know the name of the client software.
  • The setup process will generate emergency scratch codes that allow you to access IVS servers without the token. Store them in a safe place. Each scratch code may be used only once. If you exhaust your emergency scratch codes, simply repeat the setup process to generate a new set.
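To make concrete what the token contributes, here is an added example (not code from identityVector or from Google Authenticator) of the TOTP scheme Google Authenticator uses and of a server-side check that accepts either a current code or a single-use emergency scratch code. The base32 secret is the RFC 6238 test key and the scratch codes are constructed values; the layout of the real ~/.google_authenticator file is not reproduced.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key ("12345678901234567890" in base32); constructed for this example.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as Google Authenticator uses it: 30-second steps, 6 digits, SHA-1."""
    return hotp(secret_b32, at // step, digits)


class Verifier:
    """Server-side check: a fresh TOTP code, or an unused emergency scratch code."""

    def __init__(self, secret_b32: str, scratch_codes, window: int = 1):
        self.secret = secret_b32
        self.scratch = set(scratch_codes)  # each scratch code is valid exactly once
        self.window = window               # time steps of clock drift tolerated either way
        self.last_step = -1                # a step already used to log in cannot be replayed

    def verify(self, code: str, at: int) -> bool:
        if code in self.scratch:
            self.scratch.discard(code)     # burned on first use, as the caveat above states
            return True
        step = at // 30
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate > self.last_step and hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```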

Escape Clauses

  • If you wish to stop using 2FA with your IVS account, simply remove the "~/.google_authenticator" file at any time. Use one of your emergency scratch codes to access the system if needed. If you don't have access to the emergency scratch codes, contact us for help. Be advised that we'll need to authenticate you via phone or other similar means before disabling 2FA for your account. This may take several hours.
  • To start over, just remove the "~/.google_authenticator" file and repeat the setup steps detailed below.

Setup Process

To enable 2FA for SSH access to the IVS system, follow these steps:

  1. SSH to the identityVector system:
Philip-Hagens-iMac:~ phil$ ssh phil@sftp.identityvector.com
This is a private computer system.  Unauthorized users are hereby notified that
there is no expectation of privacy for their actions on this system, and
authorize the system administrators to record all unauthorized traffic for the
purposes of subsequent law enforcement actions.
                                           -IdentityVector Solutions, LLC
Last login: Sat May  5 15:18:03 2012 from c-98-252-9-205.hsd1.de.comcast.net
[phil@quaff ~]$