MFA/IMathAccount

There are two different options to secure access:

SSH private/public keys
MFA OTP authentication

Both can be configured in parallel and it is useful to configure both.

SSH via private/public key

+ Is most secure.
+ Handy if you use the same computer to login to I-MATH hosts.
- Needs to be configured on each device which is used for SSH connection.
Setup

SSH via Time-based One-Time Password (TOTP)

On the first login of a period, you have to provide a one-time-token (TOTP).
+ One Setup can be used on multiple devices
- Needs manual interaction on each new session (=connection).

The second factor is required to access the ssh server if there is no ssh private/public key setup.

TOTP login process

Step 1: Connect to a SSH server with the username.
Step 2: Provide the password.

Step 3: The user is queried for a six-digit one-time token

0-~> ssh username@ssh.math.uzh.ch
(username@ssh.math.uzh.ch) Password: 
(username@ssh.math.uzh.ch) One-time token (see https://wiki.math.uzh.ch/public/MFA/IMathAccount): 123456

Preparation: Configuring MFA via TOTP

Login to ThinLinc.
Open a terminal: click on the menu in the lower left corner, type 'terminal'.
- ```
$ authenticator init
```
Open Microsoft Authenticator or Google Authenticator or KeepassXC or any other authenticator app which is capable to generate TOTP token.
Scan the QR code with the app or use the secret key displayed below the code.
First time use:
- Enter a six-digit code from the app into the terminal to confirm the configuration.
- The terminal lists 5 recovery codes: store them in a secure place. You can use those codes anytime to gain access, i.e. when you forgot/lost/changed your phone.

Warning Use with care: running the command will overwrite any current configuration, invalidating your current authenticating device!

Restoring/regenerating recovery codes

The recovery codes can be regenerated with authenticator refresh and displayed with authenticator show codes.

Late configuration of authenticator apps