Speaker
Description
During 2022, CERN introduced permanent Two-Factor Authentication (2FA) for accounts with access to critical services. The new login flow requires users to always log in with a 2FA token (either TOTP or WebAuthn), a significant security improvement for both the individual and the laboratory. In this paper we discuss the rationale behind the 2FA deployment, as well as the technical setup of 2FA in CERN's Single Sign-On system, Keycloak. We share statistics on how users are responding to the change, and the concrete actions we have taken thanks to their feedback. Finally, we briefly cover our custom extensions to Keycloak for specific use cases, which include persistent cookies and our Kerberos setup.
| Speaker release | Yes |
|---|---|
| Presentation will be held... | remotely |