Strong 2-factor authentication with LinOTP
User authentication becomes significantly more secure when more than one factor is used at logon.
With 2-factor authentication, both "knowledge" (the PIN) and "possession" (the hardware token) are needed to log in successfully. A one-time password is a password that authenticates only once, i.e. for the current session. Every subsequent authentication needs a new one-time password, so replay attacks are prevented.
The hardware token is a small electronic key that the user should carry safely. Losing a hardware token is not that critical, because the PIN is known only to the user. The token is blocked automatically when too many failed login attempts occur.
We use LinOTP as the platform for authentication with one-time passwords. LinOTP is easy to use.
So far we offer the eToken PASS hardware OTP token from SafeNet and the YubiKey token from Yubico. After pressing the button of the token, a one-time password (OTP) is generated. The passwords are generated with a technique based on the Open Authentication standard (OATH), a certified and worldwide accepted method.
The YubiKey is a flat USB token that is powered via the USB port, so its lifetime is theoretically unlimited. The operating system recognises the YubiKey as a USB keyboard, so no client software needs to be installed. To authenticate, move (click) the mouse pointer into the login mask. The YubiKey generates a one-time password when the sensor of the token is touched lightly, and the OTP is inserted automatically.
Usages
At TU Dresden we use the 2-factor authentication for VPN service of ZIH for our administrators. The administrator authenticates with
VPN-GATEWAY : adminvpn.zih.tu-dresden.de
USERNAME : zih-login@Netzressource
PASSWORD : PIN@Einmalpasswort
Instructions for token registration
To use the token some initial steps are required:
- Send a request for an OTP token to servicedesk@tu-dresden.de to receive a hardware token. Then:
- Open the LinOTP Selfservice-Portal https://otp.zih.tu-dresden.de in your browser
- login with your ZIH credentials
- register your token. You need the serial number of the token to do so. You find that number on the back of the token.
- Click on the Assign Token tab and type the serial number of your token into the field below. With a YubiKey you need to prefix the serial number with the word YUBI, e.g. YUBI716448. Then click the assign Token button. For new YubiKeys (recognisable by a small "y" in the sensor field) you always need to insert a "0" (zero) between "YUBI" and the serial number printed on the token.
- then you will find the registered token's serial number in the left column of the portal page:
- You must now assign a PIN to your token. Click on the set PIN tab and then click on the serial number of your token in the left column. The PIN must consist of 6 to 12 alphanumeric characters. Click on the set PIN button. You have to keep the PIN secret.
- The token now needs to be synchronised. Click on the Resync Token tab and then on the token serial number on the left. The token serial then appears in the "selected Token" field. Two one-time password values must be entered:
- When using the eToken PASS, press the button on the token twice to get two different numbers and enter them in the fields "OTP 1" and "OTP 2", then click the "resync OTP" button.
- When using the YubiKey token, plug it into a USB port on your computer. Click in the field "OTP 1" and touch the sensor of the token to get the first number, then click into the field "OTP 2" and touch the sensor of the token again to get the second number. The token is registered automatically; clicking the "resync OTP" button is not required.
- Your token is now configured successfully.
Log out of the LinOTP selfservice portal. Your OTP token can be used now. The YubiKey is ready to use if the little light in the middle of the token's sensor field shines. If this is not the case, there may be a problem with the USB port or even with the token itself. Contact
FAQ
- I want to disable my token because it is lost/I can't find it anymore/I leave the TU Dresden
Please log in to the LinOTP Selfservice-Portal web page. Then click on the Disable Token tab, click on the serial number of the token in the left column, and then click the disable Token button.
If your token got lost, contact as soon as possible!
If you leave TU Dresden, please first disable your token and then return it to the ZIH Service Desk.
- I have forgotten my PIN/want to change my PIN.
Please log in to the LinOTP Selfservice-Portal web page and click on the set PIN tab, then on the serial number of your token on the left. The PIN must consist of 6 to 12 alphanumeric characters. Then click on the set PIN button.
- I have touched the token sensor field repeatedly and can't log in any more.
The one-time password needs to be synchronous with the LinOTP server. If the sensor field is touched repeatedly while the token is in a USB port without the generated values being used for authentication, the one-time password can get out of sync. You need to resync the token. Please log in to the LinOTP Selfservice-Portal web page, click the Resync Token tab, then click on the serial number of the token on the left. Now you must enter two OTP values. See above for details.
- I have synchronised the token but am still getting "Login failed".
This can occur for different reasons. For example, the maximum error counter could have been reached. Please contact
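The following Python model is an added example, not LinOTP's or the selfservice portal's own code. It shows the mechanics behind the registration steps and the FAQ above: an OATH HOTP (RFC 4226) one-time password, a server-side check of the PIN@OTP login format that consumes each OTP so it cannot be replayed, a failure counter that blocks the token, and the two-OTP resync of the Resync Token step, which on its own does not clear a reached error counter. The class name, the "@" separator handling, and the window and limit values are assumptions made for the illustration; the secret is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    """Server-side state for one event-based token (a constructed model, not LinOTP code)."""

    def __init__(self, secret: bytes, pin: str, window: int = 10, max_fail: int = 10):
        self.secret, self.pin = secret, pin
        self.counter = 0            # next counter value the server expects from the token
        self.window = window        # how many unused button presses a login may be ahead
        self.fail_count, self.max_fail = 0, max_fail

    def check_password(self, password: str) -> bool:
        """Validate a 'PIN@OTP' login string (the PIN@Einmalpasswort format used above).

        A wrong PIN or OTP counts as a failure; once max_fail is reached the token is
        blocked and even a correct password is rejected until an administrator resets it."""
        if self.fail_count >= self.max_fail:
            return False
        pin, sep, otp = password.rpartition("@")
        if sep and hmac.compare_digest(pin.encode(), self.pin.encode()):
            for c in range(self.counter, self.counter + self.window):
                if hmac.compare_digest(hotp(self.secret, c).encode(), otp.encode()):
                    self.counter = c + 1        # consume this OTP: a replay of it now fails
                    self.fail_count = 0
                    return True
        self.fail_count += 1
        return False

    def resync(self, otp1: str, otp2: str, search: int = 1000) -> bool:
        """The 'Resync Token' step: two consecutive OTPs locate a token that was pressed
        many times without being used, so its counter ran past the server's window.
        Note that resync does not reset the failure counter (see the last FAQ entry)."""
        for c in range(self.counter, self.counter + search):
            if hotp(self.secret, c) == otp1 and hotp(self.secret, c + 1) == otp2:
                self.counter = c + 2
                return True
        return False
```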
Tunnel-Groups
When starting Cisco AnyConnect, different tunnel groups can be selected under "Group:". They are explained here:
- A-Tunnel-TU-Networks
Data connections to all TU networks go through the VPN tunnel; these are: 141.30.0.0/16, 141.76.0.0/16, 172.16.0.0/12, 192.168.0.0/16
- B-Tunnel-Public-TU-Networks
Data connections to the public TU networks go through the VPN tunnel; these are: 141.30.0.0/16, 141.76.0.0/16
- C-Tunnel-All-Networks
All data connections go through the VPN tunnel
- TUD-vpn-lic
Used exclusively for access to the licence server (MathCAD and others). Authorisation is via the DOM domain (the user must be explicitly added by their IT administrator to a specific Active Directory group of the DOM domain)
- TUD-vpn-split-sap
Tunnels only connections to the TU's SAP servers
- Z-AdminVPN-dhcproute
Tunnels the internal TU networks like A-Tunnel-TU-Networks, but sets up no route to the DHCP server of the local network (no-dhcp-server-route); important for admins accessing domain controllers/DHCP servers in MS environments
- TUD-vpn-split-ivv, TUD-vpn-split-la-s, TUD-vpn-split-tk, Z-TUD-vpn-split-mgmt
Tunnel groups for special purposes