Securing I-MATH account with MFA

There are two different options to secure access:

1. SSH private/public keys

2. MFA authentication

Both can be used in parallel.

Option (1) is most secure and very handy if you use always the same computer to login to I-MATH hosts.

Option (2) is fine as well, but on the first login of a period, you have to provide a one-time-token (OTP).

The second factor is required to access the ssh server if there is no ssh private/public key setup. In next future it will be also implemented for ThinLinc.

OTP login process

The I-MATH account can be protected with one-time passwords authentication.

• After providing the password, the user is queried for a six-digit one-time token

  • 0-~> ssh username@ssh.math.uzh.ch
    (username@ssh.math.uzh.ch) Password: 
    (username@ssh.math.uzh.ch) One-time token (see https://wiki.math.uzh.ch/public/MFA/IMathAccount): 123456

The configuration is managed with the authenticator command.

Configuring MFA via OTP

The configuration must be from your ThinLinc account.

• Login to your ThinLinc account

• Type the following command in the terminal:

  • $ authenticator init

• Scan the QR code with your authenticator app or use the secret key displayed below the code to configure the app manually
• Enter a six-digit code from the authenticator app into the terminal to confirm the configuration
• The terminal lists 5 recovery codes: store them in a secure place. You can use those codes anytime to gain access, i.e. when you forgot/lost/changed your phone.

Warning Use with care: running the command will overwrite any current configuration, invalidating your current authenticating device!

Restoring/regenerating recovery codes

The recovery codes can be regenerated with authenticator refresh and displayed with authenticator show codes.

Late configuration of authenticator apps

If you no longer have the QR code, you can still configure most authenticator apps with the OTP secret. It is printed with the command authenticator show secret.