=====================
Secure authentication
=====================


.. _2fa:

Two-Factor-Authentication
=========================

To further protect subjects' personal data against compromised or weak
passwords, Castellum can *and should* be used with two-factor authentication
(2FA).

If enabled, you need to enter an additional code before you can log in to
Castellum (similar to a TAN for online banking).

Currently we support any generic TOTP application or FIDO2 hardware security
tokens.

Smartphone apps (TOTP)
----------------------

We recommend using a 2FA application on your phone. Ask your local IT
department for suggestions on appropriate apps to use at your institution.

.. admonition:: Example

    By the time of writing (June 2021) the MPI for Human Development recommends
    its Castellum users to install either `Google Authenticator
    <https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2>`_
    or `andOTP <https://f-droid.org/packages/org.shadowice.flocke.andotp/>`_ for
    Android or `Microsoft Authenticator
    <https://apps.apple.com/de/app/microsoft-authenticator/id983156458>`_ on iOS.
TOTP stands for “Time-based One-Time Password”. As the name suggests, each TOTP
code can only be used once.

Most TOTP apps work the same:

1.  Install an authenticator app on a phone
2.  Register that phone on the website (Castellum) by scanning a QR code with
    the authenticator app
3.  The app will now generate a new 6-digit numeric code every 30 seconds
4.  The code depends on the current time, so make sure that the phone
    has the correct time set
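The following is an added example (not Castellum's own code) showing what happens
behind steps 2 to 4: the ``otpauth://`` URI that the QR code encodes, the RFC 6238
TOTP derivation (HMAC-SHA1, 30-second steps, 6 digits) that both the phone and the
server compute, and a server-side check that tolerates a slightly wrong phone clock
while rejecting a code that has already been used. The secret is the RFC 4226/6238
reference key; the issuer name ``Castellum`` and the account ``alice@example.org``
are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse
from typing import Optional

# Defaults used by most authenticator apps (RFC 6238).
DIGITS = 6
PERIOD = 30  # seconds per time step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to a fixed-width decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = PERIOD,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    This is what the phone app computes; it needs the correct time."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // period, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that is encoded into the QR code scanned in step 2.
    The secret is Base32 without padding, as authenticator apps expect."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": b32, "issuer": issuer, "algorithm": "SHA1",
        "digits": DIGITS, "period": PERIOD,
    })
    return f"otpauth://totp/{label}?{query}"


class TotpVerifier:
    """Server-side check for one registered secret.

    Accepts the code for the current step and `window` steps either side, so a
    phone whose clock is a few seconds off still works. Remembers the last
    accepted step so the same code cannot be replayed (each code is valid once).
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        step = at // PERIOD
        for offset in range(-self.window, self.window + 1):
            candidate_step = step + offset
            if candidate_step <= self.last_step:
                continue  # already used, or older than a used code: reject replay
            expected = hotp(self.secret, candidate_step)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_step = candidate_step
                return True
        return False


# RFC 4226 / RFC 6238 reference key (the 20-byte ASCII digits string).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "alice@example.org", "Castellum"))
    print("code at T=59:", totp(RFC_SECRET, at=59))
    v = TotpVerifier(RFC_SECRET)
    print("first use :", v.verify(totp(RFC_SECRET, at=59), at=59))
    print("replayed  :", v.verify(totp(RFC_SECRET, at=59), at=59))
```

The replay guard is what turns "one-time" from a property of the app into one the
server enforces; without ``last_step`` the same 6 digits would be accepted for the
whole 30-second step (plus the drift window).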

Hardware Keys (FIDO2)
---------------------

If you do not want to use your phone and TOTP, you can also choose to use
FIDO2-based hardware keys (tokens). In that case we recommend `Yubico FIDO2
tokens <https://www.yubico.com/de/product/security-key-nfc-by-yubico/>`_, but
any FIDO2-compatible token should work.

The tokens are connected to your device via USB and, once registered
successfully, usually just require a tap or key press when prompted at login.

For additional details about supported hardware tokens or Authenticator apps,
contact your local IT department or security officer.