Last update: September 14, 2018
Multi-Factor Authentication (MFA) adds a layer of security to your authentication process. In addition to your account password, you can add another factor to your login process such as a telephone number, smartphone, physical token, or other device that is similarly unique to you. With a such a device paired to your XSEDE account using MFA, it becomes much more difficult for another person to gain access to your account, files and data than is the case with Single-Factor Authentication. Other XSEDE service providers (e.g. TACC, SDSC, PSC) have or will implement MFA on their resources. To provide this service, XSEDE has chosen Duo Security as its MFA partner.
Follow these steps to begin using MFA with the XUP Single-Sign-On Hub.
- Install the Duo app on your smartphone or other device
- Enroll your XSEDE Portal account in Duo
- Pair your Duo-enabled device with your XUP account
Download and install the Duo App on your iPhone or Android device. Search for "Duo Mobile" from your mobile device. You can identify the Duo Mobile app by its green logo. Do not confuse this with Google Duo, which has a blue logo.
- Login to the XSEDE User Portal (XUP) and visit your XSEDE Profile page (
MyXSEDE->Profile). Click on "Enroll in Duo" in the upper right corner of your profile page.
- The "Duo Enrollment Details" form will pop up. If you do not see this form, please ensure your browser settings will allow pop-ups from
xsede.org. Read the "Duo Enrollment Details" form and click on "Enroll" to continue. Enter your XUP password and you will be taken to the "Protect Your XSEDE Account" screen
From this screen, do the following:
- Click on the "Start Setup" button
- Enter your phone number
- Click the checkbox to confirm
- Click "Continue"
Make sure the Duo App is installed on your Android or iOS device. If not, go back to Step 1 and install the app before proceeding. At this point, you should see the "Add a new device" screen in your XUP session.
- Select your device type and click "Continue". You will then see the confirmation page where you must indicate that you have Duo Mobile installed on this device.
- Click "I have Duo Mobile installed".
On the next screen, point your device camera at the barcode on your web browser. If your device doesn't have a camera, press the "No barcode" button and click "Skip this step" in the portal session.
If you have not opened the app immediately after installing it, you may be presented with a License Agreement on your device. Tap "Accept" on your device to continue and then tap "Continue".
- Open the Duo app on your device.
- In your XUP session, click "Continue to login". When this is done, you should see a message in the upper right corner of the XSEDE Portal saying "Duo Enrollment" Successful.
- Click "Send me a Push"
- Tap the green bar at the top named "Request waiting: Tap to respond". You should now be enrolled.
Reconnect your XSEDE login with a previously established Duo account
Note: Use this procedure if the originally registered device has been replaced. You may also need to reactivate if Duo has been uninstalled from a previously paired device. Use this same procedure in either case.
- Login to the XUP
- Visit your XSEDE Profile page (
- Click on "Manage DUO" in the right sidebar.
This will open an interactive session with your existing XSEDE Duo account. In the session, click "My Settings & Devices" and follow the steps to pair the new device with your previously established XSEDE account.
To use Duo to connect to the XSEDE SSO Hub, start an SSH session to
login.xsede.org as you would normally. After entering your password, you'll be prompted to select an authentication method. Choose "Duo Push" by entering the corresponding number on your keyboard.
susanunit ~> ssh -l slindsey login.xsede.org Please login to this system using your XSEDE username and password: password: ******** Duo two-factor login for slindsey Enter a passcode or select one of the following options: 1. Duo Push to XXX-XXX-8004 2. Phone call to XXX-XXX-8004 Passcode or option (1-2): 1 Success. Logging you in...
You should receive an update via your app saying "Request waiting: Tap to respond." Tap this, then tap the "Approve" prompt on the next screen.
You should now be logged into the XSEDE SSO hub. From here you can open a
gsissh session to any of your allocated resources.
[slindsey@ssohub ~]$ gsissh stampede ------------------------------------------------------------------------------ Welcome to the Stampede Supercomputer ...do work on Stampede... login4.stampede(1)$ exit logout Connection to stampede.tacc.xsede.org closed. [slindsey@ssohub ~]$ gsissh bridges You have connected to br006.pvt.bridges.psc.edu ...do work on Bridges... [lindsey@br006 ~]$ exit logout Connection to bridges.psc.edu closed. [slindsey@ssohub ~]$ exit logout Connection to login.xsede.org closed. susanunit ~>