Two-factor authentication

Two-factor authentication is one of the most important methods for performing secure authentication. It is based on the idea of combining two separate types of authentication from the categories knowledge, possession and being. Knowledge usually comes in the form of a password; possession usually requires the user to prove ownership of an item. Being is usually represented by biometric data such as your fingerprint.

The possession factor shows great variability: it can be a physical credit card or your smartphone's SIM card. It can also take the form of access to a device with a certain phone number (SMS TAN) or a device that was registered with a web service.

The latter is used in the CAU-Cloud: the user registers an app on a smartphone to exchange a secret with the CAU-Cloud, which is then used to generate Time-based One-Time Passwords (TOTP). These passwords are required in addition to the normal user password and are valid for 30 seconds after creation. This short validity period makes them nearly useless to attackers trying to access another user's account, even if the attacker manages to obtain one password.

Settings menu of the CAU Cloud
To activate two-factor authentication, please log in to the web interface of the CAU-Cloud. In the top right corner you will find the settings menu.

Option to enable TOTP
In the submenu you will find the entry "Security", which leads to the checkbox "Enable TOTP".

Generating a TOTP secret
A secret is generated which needs to be transferred to your smartphone. In some software you will need to enter the secret by hand, while others allow you to scan the shown QR code with your smartphone's camera.

The following describes how to set up the app "Google Authenticator", but you can use other software that follows the TOTP standard as well. You can find Google Authenticator in the Google Play Store as well as in the Apple App Store.

The main menu of the Authenticator app
Within the Google Authenticator app, please tap the "+" button in the upper right corner to register a new TOTP secret.

Scanning the secret via QR code
You can now scan the QR code from the web interface using your smartphone's camera, or you can choose to enter the secret by hand.

Generated one-time password in the Authenticator
Once the secret is exchanged, the app will start generating a new 6-digit one-time password every 30 seconds. On the right side you will see a graphical indicator of how long the code remains valid until a new code is generated.

Entering the generated TOTP token
So far the secret has been exchanged with the smartphone, but two-factor authentication in the CAU-Cloud is not active yet. Please enter a valid one-time password to prove the successful exchange of secrets. After verification you will need your second factor to log in to the CAU-Cloud.

Generating backup codes
As you will need your second factor to access your data in the cloud, it is good practice to have a fallback in case the device is lost or broken. For this you can generate so-called "backup codes". In the same settings menu, please choose "Generate backup codes".

Saving the backup codes
You will be presented with 10 new backup codes; each of them can be used once to log in to your CAU-Cloud as a second factor. Please be sure to save these in a secure location, or even print them and keep them in a safe place. It might even be a good idea to carry one of them in your wallet in case of a data emergency on the go. If the backup codes get lost, you can always generate a new set of 10; at that moment all unused old ones are invalidated.