= Securing I-MATH account with MFA =

There are two different options to secure access:

 1. SSH private/public keys [[ssh#Quick_Start]]
 1. MFA authentication

'''Both''' can be used in '''parallel'''.

Option (1) is the most secure and very handy if you always use the same computer to log in to I-MATH hosts.

Option (2) is fine as well, but on the first login of a period, you have to provide a one-time token (OTP).

== OTP login process ==

The I-MATH account can be protected with one-time password authentication.

 * After providing the password, the user is queried for a six-digit one-time token

{{{
0-~> ssh username@ssh.math.uzh.ch
(username@ssh.math.uzh.ch) Password:
(username@ssh.math.uzh.ch) One-time token (see https://wiki.math.uzh.ch/public/MFA/IMathAccount): 123456
}}}

The configuration is managed with the `authenticator` command.

''The second factor is required to access the [[ssh]] server if no SSH private/public key is set up. In the near future it will also be implemented for [[thinlinc|ThinLinc]].''

== Configuring MFA ==

 * Type the following command in the terminal:

{{{
$ authenticator init
}}}

 * Scan the QR code with your authenticator app, or use the secret key displayed below the code to configure the app manually
 * Enter a six-digit code from the authenticator app into the terminal to confirm the configuration
 * The terminal lists 5 recovery codes: store them in a secure place. You can use those codes anytime to gain access, e.g. when you have forgotten, lost or changed your phone.

'''Warning:''' Use with care: running the command will overwrite any current configuration, invalidating your current authenticating device!

== Restoring/regenerating recovery codes ==

The recovery codes can be regenerated with `authenticator refresh` and displayed with `authenticator show codes`.
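
How the six-digit token entered under "OTP login process" and "Configuring MFA" relates to the secret key shown below the QR code, as an added example that is not part of the original page and not the code of the `authenticator` command. It assumes the authenticator app uses standard TOTP (RFC 6238, HMAC-SHA-1, 30-second steps), which the page does not state; the secret is a constructed sample and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret (the RFC 6238 test key, base32-encoded); never a real account secret.
SAMPLE_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """Return the token an authenticator app shows at unix_time (RFC 6238, HMAC-SHA-1)."""
    # Apps display the secret in groups, sometimes lowercase and without padding.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    # The moving factor is the number of whole time steps since the Unix epoch.
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte picks a 4-byte slice.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, token, unix_time, window=1, step=30):
    """Server-side check: accept the current step and +/- window steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        expected = totp(secret_b32, t, step)
        # Constant-time comparison; every candidate step is evaluated before returning.
        ok |= hmac.compare_digest(expected.encode(), token.strip().encode())
    return ok


if __name__ == "__main__":
    now = time.time()
    print("current token:", totp(SAMPLE_SECRET, now))
    print("accepted:", verify(SAMPLE_SECRET, totp(SAMPLE_SECRET, now), now))
```

Under this assumption the token is a pure function of the secret key and the clock, so anyone who holds the QR code or the secret key can compute valid tokens; store them as carefully as the recovery codes.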