How to set up Multi-Factor Authentication (MFA)

Before you start using multi-factor authentication, you need to register at least one authentication device. The first one has to be a TOTP app; after that you can register an arbitrary number of TOTP apps and WebAuthn authenticators. After you add your first token, you can go to your user profile and enable MFA for all services connected to e-INFRA CZ AAI.

Add first token

  1. Go to the token management page. Either visit mfa.login.e-infra.cz directly, or visit the e-INFRA User Profile, select Settings > Authentication and click on “Manage my MFA tokens”.

  2. Sign in with your account.

  3. Continue by clicking on Log in.

  4. Click on Enroll Token.

  5. Enter a description of your first TOTP token and confirm by clicking Enroll Token.

  6. You will see a QR code with a shared secret. Scan the QR code with your TOTP app.

    If you are enrolling from a mobile phone that has a TOTP app installed, click on Here next to the QR code. The shared secret will be transferred via a link.

    You do not have to back up the QR code or the link; you can register more TOTP apps later, each using a different code.

    The next time you sign in at mfa.login.e-infra.cz you will have to use multi-factor authentication.

Add more tokens

  1. Click on Enroll a new token. If you opened the page on a WebAuthn capable device, choose token type WebAuthn, enter a description (e.g. "Work laptop") and continue by clicking Enroll token.

  2. A dialog window from the web browser or from the operating system pops up, asking for confirmation.

    Push the button on your physical authenticator, confirm by fingerprint on a smartphone, or perform whatever action your device requires. In the picture you can see the variant for Ubuntu 22.04 (USB authenticator).

  3. If the registration was successful, a confirmation about the added token appears.

  4. You may add an arbitrary number of TOTP apps and WebAuthn devices. We highly recommend adding at least two devices, at least one of them being a TOTP app.


Recovery codes

To avoid losing access in case you lose all registered devices, you can generate one-time recovery codes, which you can store securely or print out.

  1. Click on Enroll token.

  2. As the type, choose PPR, enter a description and click on Enroll token.

  3. View the recovery codes by clicking on the OTP Values box. You can also print them out or download them as a PDF by clicking Print the OTP list.


Force Multi-factor authentication for all services

If you want the maximum level of security, open your user profile.

Go to Settings > Authentication and toggle the Turn on multi-factor authentication for all services switch (see the picture).

You will be asked to sign in again using multi-factor authentication to confirm the action. From then on, every sign-in to your account will require multi-factor authentication.


Support: perun@cesnet.cz