Institute of Mathematics - PublicMathWiki:

Revision 2 as of 2025-05-16 09:20:24

Securing I-MATH account with MFA

There are two different options to secure access:

  1. SSH private/public keys (see ssh#Quick_Start)

  2. MFA authentication

Both can be used in parallel.

Option (1) is the most secure and very handy if you always use the same computer to log in to I-MATH hosts.

Option (2) is fine as well, but on the first login of a period, you have to provide a one-time token (OTP).

OTP login process

The I-MATH account can be protected with one-time password authentication.

  • After providing the password, the user is asked for a six-digit one-time token:
    • 0-~> ssh username@ssh.math.uzh.ch
      (username@ssh.math.uzh.ch) Password: 
      (username@ssh.math.uzh.ch) One-time token (see https://wiki.math.uzh.ch/public/MFA/IMathAccount): 123456

The configuration is managed with the authenticator command.

The second factor is required to access the ssh server if no SSH private/public key is set up. In the near future it will also be implemented for ThinLinc.

Configuring MFA

  • Type the following command in the terminal:
    • $ authenticator init
  • Scan the QR code with your authenticator app or use the secret key displayed below the code to configure the app manually
  • Enter a six-digit code from the authenticator app into the terminal to confirm the configuration
  • The terminal lists 5 recovery codes: store them in a secure place. You can use those codes anytime to gain access, e.g. when you have forgotten, lost or changed your phone.

Warning: use with care. Running the command will overwrite any current configuration, invalidating your current authenticating device!

Restoring/regenerating recovery codes

The recovery codes can be regenerated with authenticator refresh and displayed with authenticator show codes.