e-INFRA CZ AAI offers multi-factor authentication using TOTP and WebAuthn. (Authentication and Authorization Infrastructure) offers MFA (Multi-Factor Authentication) using TOTP (Time-based One-Time Passwords) or WebAuthn (Web Authentication) standards.
Users may also generate backup OTP one-time codes for regaining access in case they lose their tokens. Detailed instructions can be found hereat the page https://perunaai.atlassian.net/wiki/spaces/EINFRACZ/pages/48824321/How+to+set+up+multi-factor+authentication?atlOrigin=eyJpIjoiMmU0ODE3OGVmNTBjNGY5ZGI0OTJlMDVhN2JjMGFhOWIiLCJwIjoiYyJ9 .
Contents
Table of Contents | ||||
---|---|---|---|---|
|
...
Performing MFA with a registered token
When accessing a service which requires Multi-Factor Authentication, the e-INFRA CZ AAI will forward the request to your home organization. If you can perform MFA there, you will do so. Otherwise, if you have registered for MFA in e-INFRA CZ AAI, you will be prompted to perform MFA in the e-INFRA CZ AAI context (or will be displayed an error message if you cannot fulfil this requirement).
The prompt to perform MFA in the e-INFRA CZ AAI context appears after you have logged in at your home organization and looks like on the following screen shot:
...
Available methods
TOTP
TOTP (Time-based One-Time Password) is a standard method for one-time code generation, defined in RFC 6238, and used by many commercial services. TOTP app has a shared secret with the server and generates time-constrained numerical codes based on that secret. The most common setting is with 6 digits and with validity of 30 seconds.
Expand | ||
---|---|---|
| ||
You may know this method by many alternative names, including “code from verification app”, “verification code”, “authentication code”, “code from authentication app”, “6 digit code from code generator”, “code from Google Authenticator” or “verification code from the Google Authenticator app”. The advantage of this method is its versatility - you can copy the one-time code from the app in your smartphone to another app, type it on your PC or even a smart TV. The only requirement that the device you want to authenticate on needs to fulfil fulfill is the capability to enter digits. You can use any TOTP app, for example one of those listed below andOTP, Aegis Authenticator, Google Authenticator, FreeOTP+. Alternatively you can use the TOTP capability of your password manager (e.g. BitWarden or LastPass Authenticator). If you already have a TOTP app installed, you do not have to install another one, you can just add MUNI Unified Logine-INFRA CZ AAI. |
WebAuthn
WebAuthn, short for Web Authentication API, is a modern standard created by W3C and FIDO. This method offers a high level of security while protecting your privacy, it is also easy to use. WebAuthn is often a part of the operating system, so you do not need to install anything on most devices.
Expand | ||
---|---|---|
| ||
You may know this method by different names, including “FIDO2”, “U2F”, “security key verification”, “universal second factor” or simply “security key”. The advantage of this method is its simplicity - you do not need to grab your smartphone, open an app and type in a code, you just confirm the authentication e.g. by pressing a button or using your thumb for fingerprint. You may register various devices and use a different method of authentication in each one depending on the device’s capabilities. In order to use WebAuthn, you need to use one of the supported web browsers together with the operating system capability, an app or a physical authenticator (e.g. a YubiKey).All web browsers officially supported by MUNI Unified Login support WebAuthn authentication. If you want to learn more, check out webauthn.io and webauthn.me. Operating systems with WebAuthn built in
|
Performing the MFA with registered token
When accessing a service, which requires the Multi-Factor Authentication, the e-INFRA CZ AAI will forward this request to your home organization. If you can perform MFA there, you will do so as used to. Otherwise, if you have registered for an e-INFRA CZ AAI, you will be prompted to perform MFA in the e-INFRA CZ AAI context (or will be displayed an error message if you cannot fulfil this requirement).
The prompt to perform MFA in the e-INFRA CZ AAI context appears after you have logged in at your home organization and looks like the following:
...
WebAuthn on MS Windows
Use Windows Hello using a PIN, facial recognition, or fingerprint. Windows 10 build 1903 or later is required.
WebAuthn on Android
The screen lock functionality that uses a PIN, pattern, password, fingerprint or facial recognition can be used for MFA.
Alternatively a NFC or USB connected hardware token like Yubikey can be used.
WebAuth on MacOS
The Touch ID feature can be used.
WebAuthN on Linux PC with FIDO2-compatible hardware token
USB hardware tokens that support FIDO2, like Yubikey, can be used.
WebAuthN on Linux PC with Android phone used for the second factor
This use case requires a rather specific setup. The Linux PC must have Bluetooth enabled, Google Chrome browser must be used on the PC, and an Android phone with enabled Bluetooth and installed Chrome browser must be physically near the PC (so near that the PC and the phone can communicate over Bluetooth).
If the Chrome browser on the Android phone contains authenticated Google Account, the ways for unlocking screen lock will be used for second factor.
If the Chrome browser on the Android phone does not contain authenticated Google Account, scanning of a one-time QR code by the phone from the screen of the PC can be used.
Support
In case of any problem please let us know at login@e-infra.cz.
...