5. Two-factor authentication methods

5.1. Introduction

Two-factor authentication methods help you protect your account by combining a password with a second, different method. The point is to reduce the attack surface by forcing a bad actor to steal two different elements instead of one before gaining access to your account.

Note

You should limit the number of methods you add to your account to reduce the attack surface as well. If needed, your administrator can always help you reset your account.

5.2. WebAuthn

WebAuthn is a standard supported by major browsers and various security tokens like YubiKeys.

Note

If you have a YubiKey, you should prefer this method instead of using the Yubico protocol.

Warning

You should always use a secure token, e.g. one on a different device and/or one that stores its private key securely. Physical tokens exist and are a good solution; some implementations are not (e.g. Windows Hello, especially without a TPM).

5.2.1. Current tokens

The list of currently registered tokens is available in your profile, under the tab “Webauthn”.


Note

The “Usage count” field is the value returned by your token and is independent of Arcanite-SSO usage: if you use your token with another service, this value may increase as well.
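Assuming the “Usage count” is the WebAuthn signature counter, it is a 4-byte big-endian field in the authenticator data the token returns on every use. The following added example (not Arcanite-SSO code; the RP ID `sso.example.org` and all function names are hypothetical) parses that field and applies the WebAuthn counter rule, which only requires the value to increase, so jumps caused by other services are normal.

```python
import hashlib
import struct

FLAG_UP = 0x01  # "user present" bit in the flags byte


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash (32) | flags (1) | signCount (4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(auth_data[32] & FLAG_UP),
        "sign_count": sign_count,
    }


def check_assertion(auth_data: bytes, rp_id: str, stored_count: int) -> tuple[str, int]:
    """Return (verdict, counter to store). Signature verification is out of scope."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "reject: wrong relying party", stored_count
    if not parsed["user_present"]:
        return "reject: user presence not asserted", stored_count
    new_count = parsed["sign_count"]
    # WebAuthn counter rule: 0 and 0 means the token keeps no counter; otherwise
    # the value must strictly increase. A stale value hints at a cloned key.
    # Rejecting is this sketch's policy; the spec leaves the reaction to the server.
    if (new_count or stored_count) and new_count <= stored_count:
        return "reject: counter did not increase (possible cloned token)", stored_count
    return "accept", new_count


def build_sample(rp_id: str, flags: int, count: int) -> bytes:
    """Constructed sample authenticator data (no attested credential, no extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)


if __name__ == "__main__":
    rp = "sso.example.org"  # hypothetical RP ID
    # Counter jumped from 17 to 42 because the token was used elsewhere: accepted.
    print(check_assertion(build_sample(rp, FLAG_UP, 42), rp, 17))
    # Counter replayed at 17: flagged.
    print(check_assertion(build_sample(rp, FLAG_UP, 17), rp, 17))
```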

5.2.2. Registration

To register a new token, go to your profile, tab “Webauthn” and click on “Register a new Webauthn key”.


Your browser should ask you to confirm the use of the token; you may have to confirm somehow, e.g. by pressing a physical button. Please refer to your token's help for additional details.


If the validation was successful, a green check will be displayed.

You can, if you want, set a name for the token. The name is only for your own usage, e.g. to differentiate multiple tokens.

When you are done, click on add to finalize the registration of your token.

5.2.3. Usage

To use a WebAuthn token, the login page works in the same way as the registration. Your browser will ask you to confirm the use of the token and you may have to confirm somehow.


If everything is fine, the login process will automatically continue.

5.2.4. Editing

You can edit a token to change its name, by using the button in your list of tokens.


Note

You cannot change a token; you need to remove it and add the new one.

5.2.5. Removal

You can remove a token using the button on the list of tokens. A confirmation message will be displayed.


Note

You can never remove the last two-factor method of your account.

5.3. TOTP Codes

You may use TOTP codes, which are 6-digit codes that change every 30 seconds, as a second factor. You need a separate application or device to generate these codes. Examples are provided during the registration process.

5.3.1. Current codes

The list of currently registered codes is available in your profile, under the tab “TOTP codes”.


5.3.2. Registration

To register a new code, go to your profile, tab “TOTP codes” and click on “Register a new TOTP code”.


You can scan the QR code using your application or copy the secret manually with the link.

You can, if you want, set a name for the code. The name is only for your own usage, e.g. to differentiate multiple codes.

As a confirmation, you need to enter the code generated by your application.
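What the application and the server each compute from the shared secret during this confirmation, as an added example (not Arcanite-SSO code). It uses the 6 digits and 30 seconds stated above; HMAC-SHA-1, the ±1 step drift window, the replay check and all names are assumptions, and the secret is the public RFC 4226/6238 test key.

```python
import base64
import hashlib
import hmac
import struct

DIGITS = 6   # code length stated on this page
PERIOD = 30  # lifetime of a code in seconds, as stated on this page

# Constructed sample: the RFC test key, Base32-encoded as a QR code would carry it.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, now: float) -> str:
    """RFC 6238: the HOTP counter is the number of 30-second steps since the epoch."""
    return hotp(base64.b32decode(secret_b32.upper()), int(now) // PERIOD)


def verify(secret_b32: str, code: str, now: float, last_step: int, window: int = 1):
    """Return the matched time step, or None.

    `window` tolerates clock drift of +/- one step; `last_step` is the step of
    the last accepted code, so the same code cannot be used twice.
    """
    secret = base64.b32decode(secret_b32.upper())
    current = int(now) // PERIOD
    for step in range(current - window, current + window + 1):
        if step <= last_step:
            continue  # already consumed: refuse replays
        # Constant-time comparison of the expected and submitted codes.
        if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
            return step
    return None


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)                       # what the application shows
    print(code, verify(SAMPLE_SECRET, code, 59, -1))     # accepted at step 1
    print(verify(SAMPLE_SECRET, code, 59, last_step=1))  # replay: None
    print(verify(SAMPLE_SECRET, code, 200, -1))          # expired: None
```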

5.3.3. Usage

To use a TOTP code, the login page works in the same way as the registration. Enter the 6-digit code in the field for validation.


If everything is fine, the login process will automatically continue.

5.3.4. Editing

You can edit a code to change its name, by using the button in your list of codes.


Note

You cannot change a code; you need to remove it and add the new one.

5.3.5. Removal

You can remove a code using the button on the list of codes. A confirmation message will be displayed.


Note

You can never remove the last two-factor method of your account.

5.4. YubiKeys

You may use a YubiKey with the Yubico protocol as a second factor.

Note

If you have a YubiKey, you should prefer the WebAuthn method instead of using the Yubico protocol.

5.4.1. Current YubiKeys

The list of currently registered YubiKeys is available in your profile, under the tab “YubiKeys”.


5.4.2. Registration

To register a new YubiKey, go to your profile, tab “YubiKey” and click on “Register a new YubiKey key”.


Press the button on your YubiKey (or, if you reconfigured the default, perform the appropriate action) to generate the unique code.

You can, if you want, set a name for the YubiKey. The name is only for your own usage, e.g. to differentiate multiple YubiKeys. You should probably set the name before sending the code, since the YubiKey may submit the form automatically.

Note

You cannot register the same YubiKey on different accounts.

5.4.3. Usage

To use a YubiKey, the login page works in the same way as the registration. Click on the button to send the unique code.


If everything is fine, the login process will automatically continue.

5.4.4. Editing

You can edit a YubiKey to change its name, by using the button in your list of YubiKeys.


Note

You cannot change a YubiKey; you need to remove it and add the new one.

5.4.5. Removal

You can remove a YubiKey using the button on the list of YubiKeys. A confirmation message will be displayed.


Note

You can never remove the last two-factor method of your account.