WSE IT’s Multi-Factor Authentication Overview
A growing number of systems at JHU are now using multi-factor authentication, which is sometimes called MFA, two factor, or step-up authentication. Examples of systems that already use MFA are your online W2 and Employee Self Service (ESS) in myJH, the new VPN client, and your webmail, when traveling internationally. Often, it will look like this in your web browser. You will first be prompted to enter your normal JHED and password, but then will be prompted to provide some additional information.
There are different types of MFA at Hopkins, including secret questions and answers and text message alerts, but we feel the most convenient version is the MyIT Login Code. The MyIT Login Code is generated uniquely for each person once a minute. That changing number acts like a second password for your account; because it is always changing, a stolen code cannot be reused, which gives a very high level of security. Programs for your computer or smartphone let you know the current value of the MyIT Login Code number.
Though the IT@JH documentation does a good job at step-by-step instructions, it can be hard to find and doesn’t provide context specific for the WSE community. This page tries to tie together the how-to instructions with the bigger picture. Here’s what this page discusses:
- Where to get your secret key for the MFA apps — programs use your secret key to generate the MyIT Login Code specific to your JHED.
- How to configure programs that generate the MyIT Login Code
- How to test that your MyIT Login Code works
- I HATE Multi-Factor Authentication
- It Doesn’t Have to Be Painful
- Find your multi-factor access secret key
- MyIT Login Code using Macintosh application
- MyIT Login Code using Windows application
- MyIT Login Code with Linux
- MFA passcode with Google Authenticator smartphone app
- Is convenient also secure?
We know, but it’s important. Passwords, because they’re easy to guess — or steal — are basically obsolete for anything that you really care about. You need to care about your JHED account because it has access to sensitive information like your payroll information, financial and student information, your email, and so on.
Adding a time-based second factor adds considerable protection to your account — in addition to a password, which tends to be static and can be compromised in many ways, a time-based password like the MyIT Login Code becomes useless after a minute. This makes most traditional hacking techniques ineffective against your accounts.
Using the MyIT Login Code doesn’t need to be painful. Historically there has been an emphasis on using smartphones or SMS messages for these codes, but that’s frustrating. Generally you don’t really want to use the codes on your phone but on your computer, and when traveling it can be expensive or impossible to get a SMS message. Applications are available for computers that can generate the token code and which don’t require a phone or active SMS service. To be clear: you don’t need a smartphone for the MyIT Login Code, and can conveniently use it from your computer. When traveling, you don’t need to worry about having SMS service. The smartphone apps work great, and they’re documented here as well, but generally this is an easier approach.
The first task is to register for the MyIT Login Code multi-factor authentication access. You might have already registered in the past if you have had to access sensitive data like your W2. Here’s how to tell if you have already registered.
- Go to http://myit.jh.edu. If you are prompted for a MyIT Login Code, then you have already used MFA at some time in the past. If you are asked for some security questions then this is your first time. Follow the requested steps.
- When you have gotten past the login code, you want to hit the “My Step-Up Options” link.
- Next, retrieve the details of your MyIT Login Code Token.
- The next screen holds your secret key. Your secret key and the clock in your computer work together to generate the unique MyIT Login Code every minute. Smartphone applications can use the QR code to enter the secret key, or you can copy and paste it from this page for use in apps on your computer.
There are multiple ways to generate the MyIT Login Code on your Mac, but WSE IT recommends you use OTP Manager. It’s been proven to work and is easily downloaded from the Mac App Store.
- Download the OTP Manager app from here: https://itunes.apple.com/us/app/otp-manager/id928941247?mt=12
- Run the application from your Applications folder. Open the application’s preferences and click both checkboxes.
- Show the OTP Manager window (if it isn’t already visible, show it from the Key menu icon in your toolbar). Hit the + button to add an entry, then fill in the blanks on the “Add new” entry window. The Issuer and Username blanks are just a label — you don’t need to put anything special in them. The OTP Secret is the secret key from the MyIT web page described above.
- In the main OTP Manager window you can see the code that the software has generated — this is your current MyIT Login Code. To check that everything is set up correctly, you can compare the code your computer made with the one that the Hopkins authentication system is expecting. On the MyIT page, hitting the “Get Current Code” button will pop up a window saying what the system expects. It should match what is in the OTP Manager window.
- When you’ve verified you’re generating the correct MyIT Code, you don’t need to keep using the main window to get the number. Under the key on your menu bar will be a menu item for your HopkinsMyIT Code. If you pick it, the code will be automatically copied to your computer’s clipboard so you can paste it into an authentication screen. There’s no need to even know what the code was — just paste it into the authentication window. (If the option is grayed out, that’s because the generated code is about to change — remember, the codes are time based and are only good for 60 seconds at most. Wait a few seconds and it’ll come back.)
There are multiple ways to generate the MyIT Login Code on your Windows 7-8-10 computer, but WSE IT recommends you use WinAuth. It’s been proven to work and is easily downloaded and installed using Microsoft Clickonce.
- Download the WinAuth app from here: https://github.com/winauth/winauth/releases
- The application should start automatically when downloaded and installed, but if not find it and run it. Open the application’s preferences and configure it to start with Windows and to use the system tray icon.
- Show the WinAuth window (if it isn’t already visible, show it from its icon in your notification tray). Hit the Add button to add an entry, pick Authenticator as the type, then fill in the blanks on the “Add Authenticator” window. The Secret Code is the secret key number from the MyIT web page described above. The Name blank is just a label — you don’t need to put anything special in there. Pick Time-based for the type.
- When you hit the “Verify Authenticator” button you can see the MyIT Login Code that the software has generated. To check that everything is set up correctly, you can compare the code your computer made with the one that the Hopkins authentication system is expecting. On the MyIT page, hitting the “Get Current Code” button will pop up a window saying what the system expects. It should match what is in the WinAuth window. When you confirm they agree, hit OK to continue.
- To protect your secret key, make sure you enable the “encrypt to only be usable on this computer” and “only by current user” boxes. You don’t need to worry about the “protect with my own password” box if you’re already using a computer login that automatically locks the machine after a few minutes of idle time (the WSE IT default configuration).
- When you’ve completed your configuration the app will run in the notification tray area of your taskbar. Open the window from there and view your MyIT Login Code. For extra convenience you can right-click on the entry you created and select “Copy on New Code.” That way, whenever you pick a code it will automatically be put on your clipboard to be pasted into the entry field in your login screen or application.
Because the configuration of Linux machines is not standardized it is impossible for us to give a single approach for generating the MyIT Login Code on a Linux machine. For those interested in solutions for their system, you should understand that the MyIT Login Code uses the same mechanism as Google Authenticator. There are a variety of options available for generating Google Authenticator time-based passcodes on Linux, and you can substitute your MyIT secret key in place of the Google secret key in those solutions. One we’ve tried that worked is the oath-toolkit. It can be used in scripts to facilitate a variety of workflows. Here’s a page of tips on this.
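To make the “secret key plus clock” mechanism concrete, here is an added example (not WSE IT’s, IT@JH’s or oath-toolkit’s code) of the time-based one-time password algorithm (RFC 6238) that the MyIT Login Code, Google Authenticator and oath-toolkit all share. It assumes the secret is base32 text as shown on the MyIT page, a 60-second step and 6 digits; the constructed `RFC_SECRET` is the public RFC 6238 test key, so the output can be checked against the RFC’s own vectors. The `verify` function shows the server-side view from the security section: a code is only good for its time window and is never accepted twice.

```python
# Added example, not the MyIT or oath-toolkit implementation.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, now: Optional[int] = None, step: int = 60, digits: int = 6) -> str:
    """Code for a base32 secret at Unix time `now` (default: the system clock).

    MyIT Login Codes change once a minute, hence step=60; Google-style tokens
    use step=30. The only inputs are the secret and the clock, which is why
    the page has you compare against "Get Current Code" to test your setup.
    """
    if now is None:
        now = int(time.time())
    s = secret_b32.replace(" ", "").upper()          # keys are often shown spaced/lowercase
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore base32 padding if dropped
    counter = struct.pack(">Q", now // step)          # 8-byte big-endian time-step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, code: str, used: Set[int], now: Optional[int] = None,
           step: int = 60, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the code only for the current window (+/- `skew`
    steps for clock drift) and never accept the same window twice. A code taken
    by a keylogger or off the network stops working within a minute, and cannot
    be replayed even inside that minute once the real user has used it.
    """
    if now is None:
        now = int(time.time())
    for delta in range(-skew, skew + 1):
        window = now // step + delta
        if hmac.compare_digest(totp(secret_b32, window * step, step, digits), code):
            if window in used:
                return False                          # replay of a consumed code
            used.add(window)
            return True
    return False                                      # wrong code or expired window


if __name__ == "__main__":
    # With a real key pasted from the MyIT page this prints your current code.
    print(totp(RFC_SECRET))
```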
The most popular smartphone application to generate MFA tokens is the Google Authenticator smartphone app, probably because it is one of the oldest apps to generate these tokens. Despite the name, it will generate time-based tokens for many sites, including being able to generate the MyIT Login Code. It is available for Android devices and iOS devices. Though it is often run on a phone, it can run on a tablet or other device without a cell connection, or in fact (once downloaded) on devices without any network connection at all.
- Download Google Authenticator from Google Play.
- Download Google Authenticator for iOS (iPhone / iPad / iPod Touch).
Configuring the Google Authenticator app is very easy. It can use the camera in your device to enter the secret key. Just launch Google Authenticator, hit the + button to add an entry, and pick “Scan barcode.” Point your camera at the screen of your computer and it will configure the MyIT Login Code for you.
Convenient is also probably secure, in this case. Certainly more secure than a password alone.
- Without a time-based passcode, hackers have it pretty easy hacking your password. They can make a lot of guesses at it over time using automated tools that are shockingly good at password guessing. Further, if a password you use on more than one site is compromised, the extra passcode would keep them from reusing the stolen password on Hopkins systems — they’ll get past the password but won’t be able to guess the time-based passcode.
- The MyIT Login Code expires every minute, so even if your JHED password and login code number were stolen (by a keylogger program, or through an insecure network) attackers still won’t have access to your data.
- If your computer automatically locks when not in use, and the drive is encrypted, then you don’t have to worry about storing the MFA secret key information on your computer. If your computer is lost or stolen, reset your secret key along with your password when you get a new machine.