One year ago, the CERN Computer Security team and the IT Identity Management team started the CERN-wide roll-out of multifactor authentication to staff and users. The combination of a second "factor", i.e. something you have, and the primary factor "something you know"1, i.e. your password, provides the ultimate silver bullet for the protection of your CERN computing account: "2-factor authentication" (2FA). This was seriously needed as, in our latest phishing campaign in August 2022, more than 2000(!) people provided their password to a fake login page. 2FA would have protected their accounts from any evil-doing. Hence, many thanks to you ─ T2U!
Technically, this new 2FA protection is not very different from that deployed for your Google mailbox or your bank account. And bear in mind that your CERN account is there not only to give you access to your emails and your money but also potentially provides you with much more power, with much more severe consequences if your account password is lost to an evil, malicious attacker. With your password gone, the attacker might be able to steer particle beams into uncharted territories and create previously unseen damage, delete our precious physics data or manipulate it such that none of our results make sense anymore, misuse data centre computing resources to create crypto-money or manipulate our invoices to extract money, or access confidential and sensitive information owned by or stored within the Organization…
After extensive experience of using 2FA to protect administrator access to CERN's data centre (using the "AIADM" gateways), expert access to our accelerator control systems (via the so-called "ROG") and CERN's VPN service, last summer we started adding 2FA protection to CERN web applications accessible via CERN's new Single Sign-On (SSO)2
