| Journal | EPJ Web of Conf., Volume 295, 2024 |
|---|---|
| Issue | 26th International Conference on Computing in High Energy and Nuclear Physics (CHEP 2023) |
| Article Number | 04025 |
| Number of page(s) | 7 |
| Section | Distributed Computing |
| DOI | https://doi.org/10.1051/epjconf/202429504025 |
| Published online | 06 May 2024 |
The Second-Factor Authentication System at CERN
European Organization for Nuclear Research (CERN)
* e-mail: adeel.ahmad@cern.ch
** e-mail: hannah.short@cern.ch
In 2022, CERN ran its annual simulated phishing campaign, in which 2000 users gave away their passwords. In a real phishing incident, this would have meant 2000 compromised accounts, unless they were protected by Two-Factor Authentication (2FA). In the same year, CERN introduced 2FA for accounts with access to critical services. The new login flow requires users to always authenticate with a 2FA token, either a Time-based One-Time Password (TOTP) or WebAuthn. This is a significant security improvement both for the individual and for the laboratory; the previous flow enforced 2FA only for access to a small number of applications. In this paper, we discuss the rationale behind the 2FA deployment, as well as the technical setup of 2FA in the CERN Single Sign-On system, Keycloak. The paper gives a detailed overview of the architecture of this new 2FA flow and compares it with the legacy 2FA system that had been in place since 2019. We share statistics on how users are responding to this change in the login flow, and the actions we have taken to improve the user experience. Finally, we briefly describe our custom extensions to Keycloak for specific use cases, which include adding roles to the user token, overriding the default Keycloak session, and modifying the user login flow.
© The Authors, published by EDP Sciences, 2024
This is an Open Access article distributed under the terms of the Creative Commons Attribution License 4.0, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.