Two-Factor Authentication Coming to HPC Clusters

Implementation of two-factor authentication for the HPC clusters is currently scheduled for January 6th, 2015. The planned technology is Duo, the same phone-based technology that is currently used on the University of Iowa HR Self Service site. This change will significantly improve system security, but logins will take a bit longer. A pilot of this technology is ongoing. If you are interested in being a pilot user or have any questions or feedback, please email hpc-sysadmins@iowa.uiowa.edu.

Documentation for using two-factor authentication on HPC systems is available here: https://wiki.uiowa.edu/display/hpcdocs/Two-factor+authentication

Frequently Asked Questions

What is two-factor authentication? – Two-factor authentication adds another component of verification beyond username and password. In the case of Duo, this is generally accomplished by an app on a smartphone or an SMS message.

Is this a new technology? – No, two-factor authentication has been in use at a handful of HPC sites for many years. The Duo technology is currently in use on HR Self Service systems at the University of Iowa, and HPC administrators have been using the technology on the HPC systems for over six months.

Where can I find out more about Duo security on campus? – http://its.uiowa.edu/duo and http://its.uiowa.edu/support/article/102316

Can I still use NX with the cluster? – Yes, NX (NoMachine) will continue to work with the cluster. However, we have seen occasional cases where taking more than 15 seconds to respond to the second-factor request leads to a timeout.

Can I avoid responding to a Duo challenge every time I log in to the system? – No, at this time there is no known technical mechanism for doing this. This is different from web-based applications, which allow you to save your machine as trusted for a period of time.

Can I continue to do passwordless ssh using keys? – No. You may continue to use ssh keys as your first identification factor, but you will still be prompted by Duo for second-factor authentication.

Will two-factor authentication be required for ssh within the cluster? – No. Two-factor authentication will not be required once you have authenticated to the cluster. Two-factor authentication will only be used from machines connecting from outside the system.

Will Duo work internationally? – Yes. As long as you have uncensored Internet access, Duo should continue to operate. HPC staff have successfully tested Duo on a smartphone (with only Wi-Fi connectivity) from Indonesia and Japan.