= Securing I-MATH account with MFA =

There are two different options to secure access:

 1. SSH private/public keys
 1. MFA OTP authentication

'''Both''' can be configured in '''parallel''', and it is useful to configure both.

== SSH via private/public key ==

 * + Most secure.
 * + Handy if you use the same computer to log in to I-MATH hosts.
 * - Needs to be configured on each device that is used for the SSH connection.
 * [[ssh#Quick_Start|Setup]]

== SSH via Time-based One-Time Password (TOTP) ==

 * On login you have to provide a one-time token (TOTP) in addition to your password.
 * + One setup can be used on multiple devices.
 * - Needs manual interaction on each new session (= connection).

''The second factor is required to access the [[ssh]] server if no SSH private/public key is set up.''

=== TOTP login process ===

 * Step 1: Connect to an SSH server with your username.
 * Step 2: Provide your password.
 * Step 3: Enter the six-digit one-time token from your authenticator app when prompted.

{{{
0-~> ssh username@ssh.math.uzh.ch
(username@ssh.math.uzh.ch) Password:
(username@ssh.math.uzh.ch) One-time token (see https://wiki.math.uzh.ch/public/MFA/IMathAccount): 123456
}}}

=== Preparation: Configuring MFA via TOTP ===

 * Log in to [[thinlinc|ThinLinc]].
 * Open a terminal: click on the menu in the lower left corner and type 'terminal'.
 * Run the setup command:

{{{
$ authenticator init
}}}

'''Warning:''' use with care. Running this command overwrites any existing configuration and invalidates the authenticator device you currently use.

 * Open Microsoft Authenticator, Google Authenticator, KeePassXC or any other authenticator app that can generate TOTP tokens.
 * Scan the QR code with the app, or enter the secret key displayed below the code manually.
 * First-time use:
  * Enter a six-digit code from the app into the terminal to confirm the configuration.
  * The terminal lists 5 recovery codes: store them in a secure place. You can use these codes at any time to gain access, e.g. if you have forgotten, lost or changed your phone.
=== Restoring/regenerating recovery codes ===

The recovery codes can be regenerated with `authenticator refresh` and displayed with `authenticator show codes`.

=== Late configuration of authenticator apps ===

If you no longer have the QR code, you can still configure most authenticator apps with the OTP secret. It is printed with the command `authenticator show secret`.