Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

e-INFRA CZ AAI offers multi-factor authentication using TOTP and WebAuthn. (Authentication and Authorization Infrastructure) offers MFA (Multi-Factor Authentication) using TOTP (Time-based One-Time Passwords) or WebAuthn (Web Authentication) standards.

Users may also generate backup OTP one-time codes for regaining access in case they lose their tokens. Detailed instructions can be found hereat the page https://perunaai.atlassian.net/wiki/spaces/EINFRACZ/pages/48824321/How+to+set+up+multi-factor+authentication?atlOrigin=eyJpIjoiMmU0ODE3OGVmNTBjNGY5ZGI0OTJlMDVhN2JjMGFhOWIiLCJwIjoiYyJ9 .

Contents

Table of Contents
minLevel2
maxLevel7

...

Performing MFA with a registered token

When accessing a service which requires Multi-Factor Authentication, the e-INFRA CZ AAI will forward the request to your home organization. If you can perform MFA there, you will do so. Otherwise, if you have registered for MFA in e-INFRA CZ AAI, you will be prompted to perform MFA in the e-INFRA CZ AAI context (or will be displayed an error message if you cannot fulfil this requirement).

The prompt to perform MFA in the e-INFRA CZ AAI context appears after you have logged in at your home organization and looks like on the following screen shot:

...

Available methods

TOTP

TOTP (Time-based One-Time Password) is a standard method for one-time code generation, defined in RFC 6238, and used by many commercial services. TOTP app has a shared secret with the server and generates time-constrained numerical codes based on that secret. The most common setting is with 6 digits and with validity of 30 seconds.

Expand
titleMore information ...

You may know this method by many alternative names, including “code from verification app”, “verification code”, “authentication code”, “code from authentication app”, “6 digit code from code generator”, “code from Google Authenticator” or “verification code from the Google Authenticator app”.

The advantage of this method is its versatility - you can copy the one-time code from the app in your smartphone to another app, type it on your PC or even a smart TV. The only requirement that the device you want to authenticate on needs to fulfil fulfill is the capability to enter digits.

You can use any TOTP app, for example one of those listed below andOTP, Aegis Authenticator, Google Authenticator, FreeOTP+. Alternatively you can use the TOTP capability of your password manager (e.g. BitWarden or LastPass Authenticator). If you already have a TOTP app installed, you do not have to install another one, you can just add MUNI Unified Logine-INFRA CZ AAI.

WebAuthn

WebAuthn, short for Web Authentication API, is a modern standard created by W3C and FIDO. This method offers a high level of security while protecting your privacy, it is also easy to use. WebAuthn is often a part of the operating system, so you do not need to install anything on most devices.

Expand
titleMore information ...

You may know this method by different names, including “FIDO2”, “U2F”, “security key verification”, “universal second factor” or simply “security key”.

The advantage of this method is its simplicity - you do not need to grab your smartphone, open an app and type in a code, you just confirm the authentication e.g. by pressing a button or using your thumb for fingerprint. You may register various devices and use a different method of authentication in each one depending on the device’s capabilities.

In order to use WebAuthn, you need to use one of the supported web browsers together with the operating system capability, an app or a physical authenticator (e.g. a YubiKey).All web browsers officially supported by MUNI Unified Login support WebAuthn authentication.

If you want to learn more, check out webauthn.io and webauthn.me.

Operating systems with WebAuthn built in

  • Windows 10+ (Windows Hello)

  • macOS 10.15+ (only some browsers depending on version)

  • Android 7+ (a screen lock has to be set - e.g. a fingerprint or face recognition))

  • iOS 14.5+ (Touch ID, Face ID)

  • For Linux, you can try Rust U2F or tpm-fido.

Performing the MFA with registered token

When accessing a service, which requires the Multi-Factor Authentication, the e-INFRA CZ AAI will forward this request to your home organization. If you can perform MFA there, you will do so as used to. Otherwise, if you have registered for an e-INFRA CZ AAI, you will be prompted to perform MFA in the e-INFRA CZ AAI context (or will be displayed an error message if you cannot fulfil this requirement).

The prompt to perform MFA in the e-INFRA CZ AAI context appears after you have logged in at your home organization and looks like the following:

...

WebAuthn on MS Windows

Use Windows Hello using a PIN, facial recognition, or fingerprint. Windows 10 build 1903 or later is required.

WebAuthn on Android

The screen lock functionality that uses a PIN, pattern, password, fingerprint or facial recognition can be used for MFA.

Alternatively a NFC or USB connected hardware token like Yubikey can be used.

WebAuth on MacOS

The Touch ID feature can be used.

WebAuthN on Linux PC with FIDO2-compatible hardware token

USB hardware tokens that support FIDO2, like Yubikey, can be used.

WebAuthN on Linux PC with Android phone used for the second factor

This use case requires a rather specific setup. The Linux PC must have Bluetooth enabled, Google Chrome browser must be used on the PC, and an Android phone with enabled Bluetooth and installed Chrome browser must be physically near the PC (so near that the PC and the phone can communicate over Bluetooth).

If the Chrome browser on the Android phone contains authenticated Google Account, the ways for unlocking screen lock will be used for second factor.

If the Chrome browser on the Android phone does not contain authenticated Google Account, scanning of a one-time QR code by the phone from the screen of the PC can be used.

Support

In case of any problem please let us know at : login@e-infra.cz.