Multi-Factor Authentication with Duo

Multi-Factor Authentication (MFA) adds a layer of security to your authentication process. In addition to your account password, you can add another factor to your login process such as a telephone number, smartphone, physical token, or other device that is similarly unique to you. With a such a device paired to your XSEDE account using MFA, it becomes much more difficult for another person to gain access to your account, files and data than is the case with Single-Factor Authentication.

XSEDE and MFA

XSEDE users may currently opt-in to using this security feature on the XSEDE Single-Sign-On Hub. Note that other service providers (e.g. TACC, SDSC, PSC) will certainly be implementing MFA on their resources in the very near future. XSEDE has chosen Duo as its MFA partner.

Step 1. Install Duo app

Download and install the Duo App on your iPhone or Android device. Search for "Duo Mobile" from your mobile device. You can identify the Duo Mobile app by its green logo. Do not confuse this with Google Duo, which has a blue logo.

Step 2. Enroll your XUP Account

  • Login to the XSEDE User Portal (XUP) and visit your XSEDE Profile page (MyXSEDE->Profile). Click on "Enroll in Duo" in the upper right corner of your profile page.
Enroll in Duo screen on XUP

Enroll in Duo from XSEDE Profile page
  • The "Duo Enrollment Details" form will pop up. If you do not see this form, please ensure your browser settings will allow pop-ups from xsede.org. Read the "Duo Enrollment Details" form and click on "Enroll" to continue. Enter your XUP password and you will be taken to the "Protect Your XSEDE Account" screen
Start Setup screen on XUP

Start Setup screen on XUP

From this screen, do the following:

  • Click on the "Start Setup" button
  • Enter your phone number
  • Click the checkbox to confirm
  • Click "Continue"

Step 3. Pair your Device with Duo

Make sure the Duo App is installed on your Android or iOS device. If not, go back to Step 1 and install the app before proceeding. At this point, you should see the "Add a new device" screen in your XUP session.

  • Select your device type and click "Continue". You will then see the confirmation page where you must indicate that you have Duo Mobile installed on this device.
  • Click "I have Duo Mobile installed".

On the next screen, point your device camera at the barcode on your web browser. If your device doesn't have a camera, press the "No barcode" button and click "Skip this step" in the portal session.

If you have not opened the app immediately after installing it, you may be presented with a License Agreement on your device. Tap "Accept" on your device to continue and then tap "Continue".

  • Open the Duo app on your device.
  • In your XUP session, click "Continue to login". When this is done, you should see a message in the upper right corner of the XSEDE Portal saying "DUO Enrollment" Successful.
  • Click "Send me a Push"
  • Tap the green bar at the top named "Request waiting: Tap to respond". You should now be enrolled.

Connecting to XSEDE resources

To use DUO to connect to the XSEDE SSO Hub, start an SSH session to login.xsede.org as you would normally. After entering your password, you'll be prompted to select an authentication method. Choose "Duo Push" by entering the corresponding number on your keyboard.

susanunit [501]~> ssh -l slindsey login.xsede.org
Please login to this system using your XSEDE username and password:
password: ********
Duo two-factor login for slindsey

Enter a passcode or select one of the following options:

1. Duo Push to XXX-XXX-8004
2. Phone call to XXX-XXX-8004

Passcode or option (1-2): 1
Success. Logging you in...

You should receive an update via your app saying "Request waiting: Tap to respond." Tap this, then tap the "Approve" prompt on the next screen.

You should now be logged into the XSEDE SSO hub. From here you can open a gsissh session to any of your allocated resources.

[slindsey@ssohub ~]$ gsissh stampede
------------------------------------------------------------------------------
                  Welcome to the Stampede Supercomputer

...do work on Stampede...

login4.stampede(1)$ exit
logout
Connection to stampede.tacc.xsede.org closed.

[slindsey@ssohub ~]$ gsissh bridges
You have connected to br006.pvt.bridges.psc.edu 

...do work on Bridges...

[lindsey@br006 ~]$ exit
logout
Connection to bridges.psc.edu closed.
[slindsey@ssohub ~]$ exit
logout
Connection to login.xsede.org closed.
susanunit [502]~>

Last update: February 20, 2017