Protecting your password is of the utmost importance, as that password grants or denies access to your computing account and, with it, access to your private life, your work and all the data you value most. While the CERN Computer Security team does its best to identify exposed and disclosed passwords and to figure out anomalies in your login patterns, the time has come to improve even further.
Today, your CERN password is the only protection against unauthorised attackers seeking to access CERN’s plethora of web services. If your password was lost, exposed or stolen by such a malicious evil, there would be severe consequences for the operation of CERN’s accelerators, experiments and IT infrastructures. It’s therefore vital that your password itself be as protected as possible. The deployment of so-called two-factor authentication provides, for example, silver-bullet protection for your CERN account. But two-factor authentication might not be enough.
Therefore, on the first day of next month, the Computer Security group and the identity management team are planning to:
- Enforce password resets for passwords that are also used by someone else at CERN, and we’ll let you know who that was so you can check for other areas of interest (“This password is already used by user stefan24. Please try a different one.”);
- Provide more password creativity assistance by employing Microsoft’s MathGPT tool to distinguish between weak (” n→p+e–+v “) and strong (” Δ0→p+π– “) passwords;
- Require that passwords are typed using the “Courier New” or “Comic Sans MS” fonts only. That will it make harder for phishers to replay your password;
- Enforce two-factor authentication for anyone who fell for the annual clicking campaigns in 2020, 2021 or 2022. Discussions are ongoing at the management level as to whether those people should even be denied access to all CERN computing resources forever;
- Introduce an additional two-factor authentication method requiring simultaneous login to Google Workspace as well as Microsoft’s Azure AD within a time window of one minute (the latter value is still subject to fine-tuning);
- Investigate together with the HSE unit and, in particular, the Medical Service the feasibility of deploying three-factor authentication throughout CERN. Besides the usual factors “something you know” (i.e. passwords) and “something you have” (a hardware token like your smartphone), both of which are already used today, the third factor would be “something you are” and would be based on probing your DNA/blood sample;
- Create a dedicated “CQCB” API for high-frequency and, thus, resource-consuming remote access requests, which led in the past to denial of service and service blockage;
- Add the new “ZoomID” authentication feature to the CERN Single Sign-On portal. “ZoomID” allows you to log in using your facial characteristics (like Face ID on Apple devices). The registration portal will open soon.
Once again, protecting your password is paramount to protect your work at CERN, CERN’s accelerators, experiments and IT infrastructure, and the Organization’s data against any malicious evil. Given the difficulties and resistance we faced when deploying two-factor authentication to certain “critical” communities at CERN, we believe these new measures will further improve the ease and fun of signing into CERN while delivering the best possible level of account protection.