Introducing Multi Factor Authentication implementation on Grex and DRAC systems
As you may know, both the Digital Research Alliance and our UManitoba HPC system, Grex, are proceeding with the ongoing implementation of a multifactor authentication (MFA) system. MFA adds a layer of security to traditional password-based and SSH key authentication by requiring a second factor, known as "something you have". The Cisco Duo product was chosen for second-factor authentication. Grex is using the Duo instance from the Alliance.
We have successfully completed the first phase of MFA testing for staff and early adopter users. Some of you might have been invited to enroll from the Alliance side already.
Now, we would like to extend the invitation to every Grex user to enroll in the new MFA system! Please let us know if you would like to get enrolled.
Note that the second factors used by the Alliance are not entirely the same as those used by the University of Manitoba for platforms such as UM Intranet and Exchange. On Grex and Alliance systems, the following factors are enabled:
* Duo smartphone app (Android and iOS)
* Yubico YubiKey USB security key device
* One-time codes (recommended as a backup MFA)
Enrollment into the Alliance Duo is through CCDB: https://ccdb.alliancecan.ca . Enrollment enables the MFA requirement on every SSH login on both Grex and Alliance systems like Cedar, Graham, Beluga, Narval or Niagara.
After we enable MFA for your account, you must follow these steps to complete the enrollment:
* log in to CCDB with your credentials
* from the top menu choose "My Account" ⇒ "Multifactor Authentication Management"
* register a new device
* OPTIONAL BUT RECOMMENDED, at the bottom of the same page, use the "Generate 10 codes" button to generate 10 rescue codes (you must print/save these codes in a safe location and never disclose them to anyone)
The following Grex Documentation page explains it better with screenshots:
You can also find additional information on the Alliance official wiki:
As of now, enrollment is voluntary: we kindly ask you to let us know (by an email to support(a)tech.alliancecan.ca) if you or your group members would like to enroll, and we will then enable the MFA option under your CCDB account. Eventually, enrollment will become mandatory.
We plan for MFA to become mandatory for all Grex users in October 2023. We appreciate your attention to this matter and encourage you to enroll at your earliest convenience to ensure a smooth transition. Should you have any questions or require further assistance, please don't hesitate to reach out to your local HPC team!
However, if some of your work relies on unattended connections or automation that may be disrupted by MFA, we ask that you do not enroll yet and instead contact us for technical support, so that we can work with you on a solution.
Also, please note that enrolling in MFA for Grex makes MFA active and enforced on the National systems as well, and vice versa. If this does not work for you, please contact us (by an email to support(a)tech.alliancecan.ca).