Multi-Factor Authentication Reinforced

Since December 2018 the edu-ID login has supported multi-factor authentication in form of a two-step login that relies on SMS codes. However, receiving one-time SMS codes requires a mobile phone. Not all users want to add a mobile phone number to their edu-ID account. Furthermore, SMS messages generally cannot be securely sent. There is always the risk that somebody else intercepts SMS messages. Some edu-ID users also want to use multi-factor authentication for all their edu-ID logins but without entering a one-time code several times per day.
To address the above issues reported by the community, we extended the edu-ID two-step login in the following three areas…

Time-Based One-Time Passwords (TOTP)

19-04-17 08-45-15 8516As explained above, SMS messages cannot be sent to mobile phones in a secure way because they are not encrypted. By supporting Time-based One-Time Passwords (TOTP) no codes need to be sent to a mobile phone anymore. Instead an app generates and displays the one-time code, typically on a smart phone. The code changes with time and it is generated using a shared secret known only to the app and the edu-ID login server. Due to the standardized algorithm, there are many different TOTP apps available that a user can choose from. The most known ones for mobile devices are the Google Authenticator and FreeOTP.
From a security point of view, the TOTP method is the recommended one. With the SWITCH edu-ID it is, however, also possible to use only SMS, or SMS and TOTP in parallel.
When one looses his mobile phone or has no access to it, the two-step login recovery codes can still be used to log in. The recovery codes are generated automatically when a user enables the two-step login for the first time.

Requiring Two-Step Login the Easy Way

Who can request multi-factor authentication (MFA)? So far, the two-step login has been enforced only when services request MFA. Enabling MFA increases authentication security for the users accessing the service. This may be required by services which hold sensitive data (e.g. student grades, personal data, unpublished research data) or services which allow performing sensitive actions (e.g. operate lab equipment or machines).
Some services cannot be configured to request multi-factor authentication in a regular SAML authentication request (e.g. Microsoft AD). For such services it is now possible to enforce the two-step login via a SAML metadata flag that can be set in the AAI Resource Registry. In the “Intended Audience” section of a Resource Description an SP admin can check the checkbox “Require all users to support the REFEDS Multi-Factor Authentication (MFA) profile”. Identity Providers supporting the REFEDS MFA profile (i.e. the edu-ID Identity Provider/all edu-ID migrated organisations) will then enforce MFA for all users accessing this service.

Always use Two-Step Login

Currently, there are only few services that request MFA authentication for edu-ID users. However, besides the services, also the users can request MFA. Some security-aware users prefer to use MFA every time they access a service with their edu-ID mfa-alwaysaccount, regardless if it requests MFA or not. Why? Because this considerably reduces the risk that somebody else could impersonate a user by stealing his edu-ID password. With two-step login enabled, even if somebody manages to steal a user’s password this would not be sufficient to access services as this user. The two-step login also requires a one-time password that is typically sent to or generated on the user’s mobile phone. Stealing a password can be done unnoticed, but stealing a mobile phone will not go unnoticed by the user. Also, many users protect their mobile phone with a pin code or similar to prevent access by others. This further protects the second factor.

Extending Two-Step Login Session

mfa_rememberEspecially when a user wishes to always use two-step login, it can become cumbersome to enter a new one-time code every few hours. Therefore, there is now an option to extend the two-step login session. One thus can skip entering a one-time code while keeping the security level high. When this option is active, no two step-login codes have to be entered for the web browser on the current device for one week. When a different web browser or a different device is used, one obviously still needs to enter a one-time code again.

Enabling two-step login is optional but generally recommended, especially for regular edu-ID users. We hope that the above new two-step login features help further securing the edu-ID authentication in general while keeping the ease-of-use still at an acceptable level.

Author: Lukas Hämmerle

I'm a member of the SWITCHaai team and the SWITCH edu-ID team.

%d bloggers like this: