To protect our accounts from phishing attacks and other password stealing methods, we are providing the possibility to use MFA (multi-factor authentication) for (some of) our systems.
What is MFA?
By using MFA, you not only authenticate with your password, but with at least another method. Such methods could be tokens provided by SMS and/or app, per-created codes (“TAN”) on paper and/or biometric identification like fingerprints.
More details can be found on Wikipedia.
MFA at IST Austria
The following systems/services already support multi-factor authentication:
- All services authenticating via our SSO (Shibboleth), this includes the ISTCloud, the intranet, ICP, PPMS (for IST users), and many more. (Webmail will be integrated into SSO in the next weeks.)
- Our bastion-server for accessing internal services (mainly used by external companies, for providing support)
- Services only reachable via VPN or Remote Desktop are also considered to be protected by an additional security layer.
Using MFA for SSO (Shibboleth)
If you would like to protect your account by enabling MFA, you need:
- A mobile phone, and an installed app which supports TOTP (Time based One Time Passwords) or HOTP (Event based One Time Passwords). Examples for such apps are:
- A token set via https://privacy.ist.ac.at/ (only accessible via VPN/Remote Desktop connection or at IST Austria.)
You will only be presented by an additional factor, if you have a token generated, and if you have to type in Username/Password and see the following mask:
When you get logged in automatically, by a method called “kerberos authentication”, which is only working for IST devices when those are connected to the IST network, MFA is not needed, and therefor not activated.
If you do not have a token set, MFA is disabled for you, and you just login with username/password.
Creating a TOTP token with Google Authenticator
- Please install Google Authenticator for your phone. (Screenshots are taken from a Android phone, so experience may differ on iOS.)
- Go to https://privacy.ist.ac.at/, and login with ISTUsername and ISTPassword. (only available via VPN/Remote Desktop or if you are on campus)
- You are now logged in to our PrivacyIDEA instance, and at the first login you see no tokens enrolled.
- Select the Token enrollment wizard.
You can add a Description, like “Token for Google Authenticator”, and click Enroll Token.
- You’re now presented with a QR-code, which you need to scan with your Google Authenticator on your phone.
- When scanned, you should have a new entry in your Google Authenticator:
The number (for security reasons not visible) will change over time, and is your token to be typed in, when asked:
The black bar hides your username, please make sure it’s yours!
- When you login again to the https://privacy.ist.ac.at/, you’ll see your newly enrolled token.
You can have as many tokens you like, also by using different types and on different systems/phones – all will be valid as your second factor.