31 October 2022 to 3 November 2022
Clarion hotel Umeå
Europe/Amsterdam timezone

Enforcing Two-Factor Authentication at CERN: A Technical Report on Our Experiences with User Migration

2 Nov 2022, 12:10
25m
Clarion hotel Umeå

Storgatan 36, Umeå, Sweden
Networking and Security

Speaker

Adeel Ahmad (CERN)

Description

During 2022, CERN introduced permanent Two-Factor Authentication (2FA) for accounts with access to critical services. The new login flow requires users to always log in with a 2FA token (either TOTP or WebAuthn), a significant security improvement for the individual and the laboratory. In this paper we will discuss the rationale behind the 2FA deployment, as well as the technical setup of 2FA in CERN's Single Sign-On system, Keycloak. We will share statistics on how users are responding to the change, and concrete actions we have taken thanks to their feedback. Finally, we briefly cover our custom extensions to Keycloak for specific use cases, which include persistent cookies and our Kerberos setup.

Speaker release Yes
Presentation will be held... remotely

Primary authors

Adeel Ahmad (CERN), Asier Aguado Corman (CERN), Hannah Short (CERN), Liviu Valsan (CERN), Maria Fava (CERN), Stefan Lueders (CERN)
