Multi-Factor Authentication Security Enhancement Now Available
February 12, 2018 by Rebecca Hartman-Baker
NERSC is pleased to announce the availability of Multi-Factor Authentication (MFA), a new security feature that can help prevent compromise of user accounts. With MFA, when you log in you will enter your NIM password plus a One-Time Password (OTP). At this time, when using MFA at NERSC you will get the OTP via an app (Google Authenticator) on your smartphone or tablet.
The OTP will replace your ssh key for MFA-enabled NERSC systems - when you ssh to a NERSC system you will enter your password plus the OTP provided by Google Authenticator. You can reduce the number of times you have to re-enter your password and OTP by using the ControlMaster feature of ssh - see the web page linked above for how to use this. You can also now ssh between NERSC compute systems without a password or key, regardless of whether you have enabled MFA.
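As an illustration of the ControlMaster feature mentioned above, here is a client-side ~/.ssh/config fragment. It is an added example, not NERSC's own configuration. The host alias, hostname, username, socket directory and two-hour timeout are all assumptions to adapt.

```sshconfig
# Added example for ~/.ssh/config on your own workstation.
# Assumed values: alias "cori", hostname cori.nersc.gov, placeholder username,
# socket directory ~/.ssh/cm, 2h persistence.
#
# Create the socket directory first, readable only by you:
#   mkdir -p ~/.ssh/cm && chmod 700 ~/.ssh/cm
Host cori
    HostName cori.nersc.gov
    User your_nersc_username
    # The first connection authenticates with password + OTP and becomes the
    # master; later ssh/scp/sftp sessions to the same host reuse it.
    ControlMaster auto
    # One socket per user@host:port. Anyone who can open this socket can start
    # sessions as you without a new OTP, so keep it out of shared or
    # world-readable locations such as /tmp.
    ControlPath ~/.ssh/cm/%r@%h:%p
    # Keep the master alive in the background for a bounded time after the
    # last session closes, instead of indefinitely ("yes").
    ControlPersist 2h

# Check whether a master connection is active:   ssh -O check cori
# Close it before leaving the workstation:       ssh -O exit cori
```

While the master connection is open, new sessions to that host do not prompt for the password or OTP, so close it or lock your workstation when you step away.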
At this time, MFA is available for ssh access to Cori, Edison, Genepool, Denovo, PDSF and Data Transfer Nodes. We will enable it for other services in the future.
Note that if you run automated remote scripts that rely on passwordless ssh keys, you won't be able to use MFA yet - we plan to have a solution for this use-case in the future. If you're unsure whether MFA supports your workflow, you can test it by opting in via NIM - if you have trouble you can easily opt out again via the same menu.
To give it a try, first read the MFA page, which will show you how to set up and opt into or out of MFA through NIM. Please contact the NERSC consultants via https://help.nersc.gov, https://my.nersc.gov, or firstname.lastname@example.org for any additional assistance.