MFA/IMathAccount

MFA/IMathAccount152025-11-29 12:45:18crose142025-11-29 12:44:57crose132025-11-29 12:44:27crose122025-11-29 12:43:21crose112025-11-29 12:43:04crose102025-11-29 12:42:43crose92025-11-29 12:41:39crose82025-11-29 11:33:51crose72025-10-06 09:32:14kputyr62025-06-19 07:59:10kputyr52025-05-16 10:57:30crose42025-05-16 10:10:44kputyr32025-05-16 09:22:29kputyr22025-05-16 09:20:24crose12025-05-16 08:52:21kputyr

Securing I-MATH account with MFAThere are two different options to secure access: SSH private/public keys MFA OTP authentication Both can be configured in parallel and it is useful to configure both.

SSH via private/public key+ Is most secure. + Handy if you use the same computer to login to I-MATH hosts. - Needs to be configured on each device which is used for SSH connection. Setup

SSH via Time-based One-Time Password (TOTP)On the first login of a period, you have to provide a one-time-token (TOTP). + One Setup can be used on multiple devices - Needs manual interaction on each new session (=connection). The second factor is required to access the ssh server if there is no ssh private/public key setup.

TOTP login processStep 1: Connect to a SSH server with the username. Step 2: Provide the password. Step 3: The user is queried for a six-digit one-time token ssh username@ssh.math.uzh.ch (username@ssh.math.uzh.ch) Password: (username@ssh.math.uzh.ch) One-time token (see https://wiki.math.uzh.ch/public/MFA/IMathAccount): 123456]]>

Preparation: Configuring MFA via TOTPLogin to ThinLinc. Open a terminal: click on the menu in the lower left corner, type 'terminal'. Open Microsoft Authenticator or Google Authenticator or KeepassXC or any other authenticator app which is capable to generate TOTP token. Scan the QR code with the app or use the secret key displayed below the code. First time use: Enter a six-digit code from the app into the terminal to confirm the configuration. The terminal lists 5 recovery codes: store them in a secure place. You can use those codes anytime to gain access, i.e. when you forgot/lost/changed your phone. Warning Use with care: running the command will overwrite any current configuration, invalidating your current authenticating device!

Restoring/regenerating recovery codesThe recovery codes can be regenerated with authenticator refresh and displayed with authenticator show codes.

Late configuration of authenticator appsIf you no longer have the QR code, you can still configure most authenticator apps with the OTP secret. It is printed with the command authenticator show secret.