Computer Security: 2FA - 2 Fine Astuces

With the 2nd Fase Accomplished, the roll-out of 2-Factor Authentication (2FA) will soon be complete. After enrolling all CERN staff in 2023, in 2024 we deployed 2FA to about 12 700 computing accounts linked to CERN's user community (i.e. those fine folks who spend about 5-100% of the year at CERN). The final step is 2025's Full Activation of 2FA for all so-called CERN "participants" (i.e. about 7300 accounts of people who work with but never come to CERN). And, apart from some loose ends still to be tied up, we are done!

With this, CERN has put in place an essential pillar of protecting its computing facilities, with 2 Fantastic Advantages: a single password alone can no longer compromise important computing services, control systems or data storage, and it is one of the ultimate silver bullets against ransomware attacks.

To make your life under 2FA a bit easier, however, here are 2 Fine Astuces (tips) to improve 2FA usability:

  • If you have more than one smart device, note that you can export/import your 2FA codes between smartphones. Just go to the "settings" menu of your favourite 2FA number generator (e.g. Aegis or Ente): "Export" the codes, transfer them to your other phone, and "Import" them there. However, those exports cannot necessarily be imported into other brands of 2FA number generator.
  • If you prefer a "Yubikey" 2FA token but are fed up with the large format of your Yubikey, consider collecting a smaller one from the IT SOS Helpdesk in CERN's Restaurant 2. The Yubikey "nano" is perfect to be left in your laptop all the time* as it does not easily bend or break when the laptop is transported. But consider ordering the USB-C version as the USB-A one activates too easily on touch.
  • On the other hand, if you want to get rid of your Yubikey altogether, laptops with fingerprint readers allow you to configure those readers in the same way as your Yubikey (actually, the underlying FIDO2 protocol is the same). However, as the corresponding enrolment depends strongly on your laptop model, its operating system and the browser used, we can't give more precise instructions. But we know that many people have managed.
  • (But, no!, using your password manager for 2FA is NOT an option and is prohibited by CERN's Computing Rules).
  • And, as a bonus, if you want to try out 2FA when SSHing into LXPLUS/LXTUNNEL, check out this pilot project, and note that "ControlMaster" for multiplexing connections is your friend.
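As an added example (not taken from the article or the pilot project), here is an OpenSSH client configuration that makes "ControlMaster" do its job for LXPLUS: the first `ssh lxplus` authenticates (password plus 2FA) and leaves a master connection open, and later sessions, scp/rsync transfers and port forwards ride over that same authenticated channel without a new 2FA prompt. The host name lxplus.cern.ch, the user name and the socket path are assumptions.

```sshconfig
# ~/.ssh/config (added example, not CERN's official configuration)

Host lxplus lxplus.cern.ch
    HostName lxplus.cern.ch
    User your_cern_login            # assumption: replace with your own account

    # Reuse one authenticated TCP connection for all sessions to this host.
    # "auto" opens a master if none exists, otherwise attaches to it.
    ControlMaster auto

    # Unix socket of the master; %r/%h/%p keep sockets per user, host and port.
    # The directory must exist and be writable only by you (mode 0700).
    ControlPath ~/.ssh/cm/%r@%h:%p

    # Keep the master alive 10 minutes after the last session closes, so a
    # short break does not cost another 2FA round. Anyone who can read the
    # socket can reuse the authenticated channel, so keep this short and
    # keep ~/.ssh/cm private; "0" would drop it as soon as you log out.
    ControlPersist 10m

    # Optional: avoid sockets that outlive a dead connection.
    ServerAliveInterval 60
    ServerAliveCountMax 3
```

Useful checks: `ssh -O check lxplus` reports whether a master is running, and `ssh -O exit lxplus` closes it explicitly (for example before leaving a shared machine).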

(OK, those are actually 2+2 Fine Astuces, but who cares?)

Finally, here are 2 Funny Anecdotes reported to us by users of 2FA: one user works for an institute that neither allows smartphones on site nor has USB ports for using Yubikeys enabled. Hmmm? But instead of bringing in a so-called "Token2" device (which itself might not be allowed), that user calls his partner over a landline connection to obtain the necessary 6-digit code. The 2nd Funny Anecdote (or not?) is the user who claimed burnout due to the psychological stress of always having the 2FA token with them and, thus, always being reachable by their partner… Fortunately, those 2 Funnies Are extremely rare among the 32k users of 2FA today!

P.S. Did you count how often 2FA appeared in this text? We count 28 Full Appearances.

*Yes, this means a little reduction in computer security, but at least you will notice if your laptop disappears and your 2FA is compromised. In that respect, the loss of your laptop/Yubikey combined is the equivalent of losing your smartphone.
