One year ago, the CERN Computer Security team and the IT Identity Management team started the CERN-wide roll-out of multifactor authentication to staff and users. Combining a second “factor”, i.e. something you have, with the primary factor “something you know”[1], i.e. your password, gives your CERN computing account a far stronger protection than the password alone: “2-factor authentication” (2FA). This was seriously needed as, in our latest phishing campaign in August 2022, more than 2000(!) people provided their password to a fake login page. With 2FA in place, a stolen password on its own would not have been enough to log in to their accounts. Hence, many thanks to you ─ T2U!
Technically, this new 2FA protection is not very different from that deployed for your Google mailbox or your bank account. And bear in mind that your CERN account does not only give you access to your emails and your money: it potentially provides you with much more power, with much more severe consequences if your account password is lost to an evil, malicious attacker. With your password gone, the attacker might be able to steer particle beams into uncharted territories and create previously unseen damage, delete our precious physics data or manipulate it such that none of our results make sense anymore, misuse data centre computing resources to mine cryptocurrency, manipulate our invoices to extract money, or access confidential and sensitive information owned by or stored within the Organization…
After extensive experience of using 2FA to protect administrator access to CERN’s data centre (using the “AIADM” gateways), expert access to our accelerator control systems (via the so-called “ROG”) and CERN’s VPN service, last summer we started adding 2FA protection to CERN web applications accessible via CERN’s new Single Sign-On (SSO)[2]. Since then, the new CERN SSO requires your 2FA about every 12 hours when you stay on the same device. That’s all. One quick extra step every half-day when using the same device. And at every login you can choose whether you want to use the one-time password (OTP) generator app installed on your Android smartphone or iPhone (top row in the photo below; currently we recommend the privacy-preserving and secure “Aegis Authenticator” on Android and “Raivo OTP” on iOS), a pocket-style OTP generator (middle row) or a USB hardware dongle (“Yubikey”, bottom row). Easy as pie ─ but also a potential pain in the neck when you are part of the population who regularly forgets their smartphone or keychain at home. In that case, it’s like with your dosimeter: do a U-turn and head back home. So, acknowledged: 2FA does add another (minor) inconvenience when accessing CERN’s computing facilities. Sorry for that ─ S4T.
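The OTP generator apps and pocket tokens mentioned above all compute the same thing: a time-based one-time password (TOTP, RFC 6238), i.e. an HMAC over the current 30-second time step keyed with a secret shared at enrolment. The following is an added example, not CERN’s SSO code: it implements the generator and a server-side verifier with a small clock-skew window and replay protection, using the RFC 4226/6238 reference secret “12345678901234567890” (a real secret comes from the otpauth:// QR code and must stay private). The constructed “relay” scenario at the end shows the caveat a practitioner should keep in mind: a code typed into a fake login page is still valid for the rest of its 30-second step no matter who forwards it to the real service, so OTP-based 2FA stops password-only logins but not a real-time phishing relay.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference secret used for the test vectors below.
# A real enrolment secret is base32-encoded in the otpauth:// URI; see
# decode_base32_secret(). Never hard-code a production secret like this.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()      # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                              # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP over the current `step`-second window."""
    return hotp(key, unix_time // step, digits)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps receive the key base32-encoded (often unpadded)."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                 # restore padding
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server side: accept the code for the current step +/- `window` steps,
    and never accept a step that has already been used (replay protection)."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1):
        self.key, self.step, self.window = key, step, window
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_accepted_counter:
                continue                                 # used or older: reject
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False


def relay_demo() -> dict:
    """Constructed scenario (hypothetical timestamps): the user types a valid
    code into a fake login page, the attacker forwards it to the real service
    a few seconds later, then tries to reuse it, then tries it two minutes on."""
    server = TotpVerifier(RFC_TEST_KEY)
    now = 1234567890                                     # RFC 6238 test time
    code_from_user = totp(RFC_TEST_KEY, now)             # "005924"
    relayed = server.verify(code_from_user, now + 5)     # same 30 s step: accepted
    replayed = server.verify(code_from_user, now + 10)   # same step again: rejected
    stale = server.verify(code_from_user, now + 120)     # four steps later: rejected
    return {"relayed": relayed, "replayed": replayed, "stale": stale}


if __name__ == "__main__":
    print("TOTP at T=59:", totp(RFC_TEST_KEY, 59))        # RFC 6238 vector: 287082
    print("relay scenario:", relay_demo())
```

The verifier rejects the replayed and stale codes, but the relayed one is accepted because it arrived inside the same time step; nothing in the code ties it to the user’s browser. That is exactly why “only type your code into the genuine CERN SSO page” remains part of the advice, and why the window should stay as small as clock skew between phone and server allows.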
On the other hand, as mentioned before, 2FA provides the industry-standard, state-of-the-art level of access protection that the Organization desperately needed. In fact, more than 5500 account owners from ATS & FHR desktop support, the BE/EN/FAP/IPT/IT/SY/TE departments, the CERN Pension Fund, the DG-IA/LS/TMC services & the Directorate secretariats, the EP-AGS/AID-DC/CMD/CMG/DI/DT/ESE/LBC/LBD/LBO/SFT/SME, HR-DHO/PXE, and RCS-SIS groups, the HSE unit, the IR sector, SCE-SMS/Site Security, SERCO support, and MPEs of the TH department, as well as users of the AIADM/AITNADM/CS-CCR-DEV/ROG gateways, have already enrolled (or been enrolled) for 2FA protection of their accounts. And the complaints, problems, issues, questions and the like raised with us were few and far between ─ and very much appreciated, as they help make 2FA even better. Hence, once more, a big THANKS to you ─ T2U!!!!
And we’re not done yet. Some communities at CERN have not yet been enrolled into 2FA protection; we’ll address this by the end of the year. We’ll also look into extending 2FA protection to other means of access, like CERN’s Terminal Service. And, of course, we’ll follow the evolution of 2FA software and might add new or other 2FA tokens to make your life even easier. If you’re interested in joining and haven’t done so yet, check out our Knowledge Base article here. Thanks to you for using 2FA protection: T2U4U2FA. And S4T ─ sorry for those ─ who aren’t yet enjoying its merits and benefits…
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
[1] The third and last factor is “something you are” like using your fingerprint, an iris scan (like when entering the accelerator complex) or a blood/DNA sample. For obvious reasons, none of these are appropriate for digital access to your CERN account.
[2] Websites behind the old SSO are not affected as this old SSO has to die and shall RIP by the end of the year.