The ultimate silver bullet to protect your account, computer and data is using a sufficiently complex and unique password combined with a second-factor token, i.e. in addition to the password you know, something you have, like your smartphone or a hardware token. This authentication process is known as two-factor authentication. It presents a huge hurdle for any attacker, as they would need not only to acquire your password, which can be done remotely (“CERN has been phished again”), but also to physically steal your hardware token. And you would know if your smartphone got lost, wouldn’t you?
While, in 2020, CERN focused on rolling out two-factor authentication for experts needing to access and administer certain computing services, and while two-factor authentication will become mandatory for remote access to control systems installed on and connected to CERN’s Technical Network (“Protecting the accelerator from remote evil”), in 2022, we would like to take the next step: using two-factor authentication when logging into any CERN web application.
The idea behind this new two-factor option is that CERN’s web-based Single Sign-On (SSO) portal would require you to authenticate with both your password and your second factor for any website behind CERN’s web-based SSO[1], regardless of whether it’s to access a critical control system, administer a very important computing service or just browse the CERN phonebook or any other webpage behind the SSO. You can use a dedicated one-time password generation app on your smartphone – so your smartphone is that second hardware token – or a physical USB token (e.g. “Yubikey”) that uses a CERN-dedicated private/public keypair for that second authentication step. Once authenticated correctly, you can continue working as normal and your session will stay active for 12 hours or until you change your browser or log in from another device. This would give you, your account and your data the ultimate protection against identity theft and password exposure.
Deployment of this silver bullet will pave the way for a wider roll-out in the future, but it requires a fundamental change in how authentication is done technically today. Hence, starting in the second quarter of 2022, all experts with access to critical control systems (e.g. via the BE department’s ROGs), IT systems (e.g. using Foreman) or sensitive data, i.e. those experts already using two-factor authentication on CERN’s SSO for their work, will have this new two-factor web authentication feature enabled by default given the critical nature of their account (unless they opt out and also lose their privileged access). This will facilitate their login and avoid the need for multiple single- and multi-factor logins during the day. People who are using CERN computing facilities “only” for their research duties and scientific endeavours can opt into this feature through the IT User Portal, and we hope that as many people as possible value their protection highly enough to take this additional step – a step that is common when accessing your bank account, for instance. So, why not give it a try for the sake of security and the protection of your account and digital life? Check out all the details (like how to activate a second factor or what to do if you lose it) on our dedicated webpage.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help check our website or contact us at Computer.Security@cern.ch.
[1] Non-web-based applications, like SSH bastion hosts, will continue to require 2FA only on a case-by-case basis.