Multi-Factor Authentication
e-INFRA CZ AAI (Authentication and Authorization Infrastructure) offers MFA (Multi-Factor Authentication) using TOTP (Time-based One-Time Passwords) or WebAuthn (Web Authentication) standards.
Users may also generate backup one-time codes for regaining access in case they lose their tokens. Detailed instructions can be found at the page How to set up Multi-Factor Authentication (MFA) .
Contents
Performing MFA with a registered token
When accessing a service which requires Multi-Factor Authentication, the e-INFRA CZ AAI will forward the request to your home organization. If you can perform MFA there, you will do so. Otherwise, if you have registered for MFA in e-INFRA CZ AAI, you will be prompted to perform MFA in the e-INFRA CZ AAI context (or will be displayed an error message if you cannot fulfil this requirement).
The prompt to perform MFA in the e-INFRA CZ AAI context appears after you have logged in at your home organization and looks like on the following screen shot:
Available methods
TOTP
TOTP (Time-based One-Time Password) is a standard method for one-time code generation, defined in RFC 6238, and used by many commercial services. TOTP app has a shared secret with the server and generates time-constrained numerical codes based on that secret. The most common setting is 6 digits with validity of 30 seconds.
WebAuthn
WebAuthn, short for Web Authentication API, is a modern standard created by W3C and FIDO. This method offers a high level of security while protecting your privacy, it is also easy to use. WebAuthn is often a part of the operating system, so you do not need to install anything on most devices.
WebAuthn on MS Windows
Use Windows Hello using a PIN, facial recognition, or fingerprint. Windows 10 build 1903 or later is required.
WebAuthn on Android
The screen lock functionality that uses a PIN, pattern, password, fingerprint or facial recognition can be used for MFA.
Alternatively a NFC or USB connected hardware token like Yubikey can be used.
WebAuth on MacOS
The Touch ID feature can be used.
WebAuthN on Linux PC with FIDO2-compatible hardware token
USB hardware tokens that support FIDO2, like Yubikey, can be used.
WebAuthN on Linux PC with Android phone used for the second factor
This use case requires a rather specific setup. The Linux PC must have Bluetooth enabled, Google Chrome browser must be used on the PC, and an Android phone with enabled Bluetooth and installed Chrome browser must be physically near the PC (so near that the PC and the phone can communicate over Bluetooth).
If the Chrome browser on the Android phone contains authenticated Google Account, the ways for unlocking screen lock will be used for second factor.
If the Chrome browser on the Android phone does not contain authenticated Google Account, scanning of a one-time QR code by the phone from the screen of the PC can be used.
Support
In case of any problem please let us know at login@e-infra.cz.
Support: perun@cesnet.cz