Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
About two-factor authentication & Duo

One way to increase the security of computer systems is to use multiple factors for authentication. Typically, this will be two factors and follows the pattern of authenticating with a "knowledge" factor, which is something you know, like a password, and a "possession" factor, which is something that you have. The latter is typically a key or one time password often generated by a device. In the near future we will be implementing We have implemented a two factor authentication system for the HPC resources. The technology that has been chosen is called Duo from Duo Security. This is the same technology that was deployed for the University of Iowa Employee Self Service site.

Info

We are currently kicking off a pilot of two factor authentication. If all goes well in the pilot then all HPC users will be required to authenticate with two factor authentication. More information will be coming shortly. If you would like to participate in the pilot please send a note to HPC-Sysadmins

There is an ITS Duo support site In order to use Duo on the HPC systems you must enroll in the Duo service and register a device. If you are an external collaborator, you will not be able to enroll in Duo until after you are granted access to the HPC systems. The most convenient method for managing Duo, particularly on the HPC systems, is via Duo's app for smartphones and tablets (no phone number required and the app can be used internationally with or without Internet). The remainder of the documentation will refer to smartphones but information is also applicable to the Duo app on tablet devices unless phone calls or SMS messages are involved. There is support for all, or most, types of smartphones and other mobile devices; see this page for more information. Please see the following page for setting up a smart phone for Duo:

Enrolling in Two-Step Login | Information Technology Services

Note

The Duo service is already set up. You only need to enroll in the service that we offer. Ignore any instructions from Duo that prompt you to set up a Duo service account.

There are several ways to use Duo codes if your phone is not connected to a Wifi network or Data service. If you do not have access to Wifi or data service you can generate a code with the app. That could be useful if you have a wired network connection for your laptop but no wireless or cellular for your phone. You can also send a set of 10 codes to your phone via SMS. Note that these codes are good until they are used and you only need to generate a new set when you have gone through all 10 of a set. If something happens to your phone and you can not use Duo push or generate a key with the app, or even receive SMS codes, you can visit the following site to get a list of 10 codes that you can use:

HawkID Login Tools - Two-Step Backup Codes

While not as convenient that will allow you to get access to Duo enabled services if your Duo device is not working or not with you.

Info

Registering with Duo for the HPC system will enable Duo for all campus services that use Duo such as Employee Self-Service.


There is an ITS Two-Step Login with Duo Security | Information Technology Services page that has all of the information that you will need to get enrolled for using Duo. Please direct all questions regarding enrollment to the ITS Help Desk, whose contact information is listed on the above page.

Using Duo on the

...

HPC system

Once you are enrolled in Duo you are ready to use it on the HPC system. Usage is fairly straight forward and is very similar to what you may be accustomed to with Web sites, such as the UIowa Employees Self Service site. All of the authentication methods of Duo are supported, however, given that the HPC systems are shell systems, the duo-push method is very convenient for automation.

For normal ssh connections the following illustrates what you will see.

Panel

ssh argon.hpc.uiowa.edu
Password: 
Duo two-factor login for gpjohnsn

Enter a passcode or select one of the following options:

1. Duo Push to XXX-XXX-8727
2. Duo Push to My tablet (Android)
3. Phone call to XXX-XXX-8727
4. SMS passcodes to XXX-XXX-8727 (next code starts with: 1)

Passcode or option (1-4):

In the above, I have two devices registered, a phone and a tablet. The phone is set to be the primary device.

Home Accounts

/wiki/spaces/hpcdocs/pages/76513488

Finally, note that two-factor authentication only applies to logging into a login node of the HPC system. Once on the system, connections between nodes all use the normal cluster ssh authentication mechanisms, as before.

How to unlock your Duo account

You will be unable to access the HPC system if your Duo account is locked. You can become locked out of Duo if you enter an invalid (or used) passcode too many times, or if you let multiple Duo mobile push notifications expire in the app without approving or denying them.

If this happens, you will need to unlock your Duo account before you can access the HPC system. Information about how to unlock your Duo account is available at https://its.uiowa.edu/support/article/102357.

After your Duo account is unlocked, you should be able to login to login to the HPC system. If you do not have your mobile phone or other primary device with you, other options for logging in with Duo are to use a backup code or enroll another device (such as an office phone).