2-Factor Authentication

From RHLUG Wiki

2-Factor Authentication (2FA) is required on all Rose-Hulman accounts as of April 26, 2021.

Adapted from https://rose-hulman.microsoftcrmportals.com/knowledgebase/article/KA-01311/en-us

Look Here First - Getting Started

  1. Go to https://mysignins.microsoft.com/security-info and log into your Rose-Hulman network account.
  2. Click "Add Method".
  3. The dropdown should say "Authenticator App". Click OK. Click the tiny text near the bottom of the dialog box that says "Set up using a different app".
  4. Right-click the QR code image and click "Save Image". Save it somewhere secure, for example in your Downloads folder, and keep it off cloud storage.
  5. Now follow the steps in one of the sections below ("How to add 2-factor authentication info to KeePassXC" or "How to add 2-factor authentication info to KeePass"). You might also want to scan it with your phone. The app AlphaCubed recommends is Tofu Authenticator for iOS, as it's open source.
    1. IMPORTANT! BEFORE CONTINUING: Make sure you have a backup of the QR code image stored somewhere other than your phone (e.g. if you followed one of the sections below, in the KeePassXC database you created for 2-factor authentication that's stored on your computer). Otherwise, if the app fails, is buggy or gets corrupted, or your phone breaks, you will be locked out unless you're on campus or logged in through the VPN!
    2. Click Next in your web browser where you're setting up 2FA. Get the 2-factor authentication code (follow either Step 1, 2, or 3 below depending on what password manager you use):
      1. For KeePassXC, right-click on the "RHIT 2-Factor" entry you created. Go to TOTP > Show Code.
      2. For KeePass, (to be written up)
      3. If you're using your phone, look at the code.
    3. Type the code in your web browser and click Next.
    4. Click OK. You're done!

OPTIONAL: To set up email on your computer without using the Outlook web app, you can use Thunderbird. Steps to log in with 2-factor authentication are located on the Thunderbird wiki page.

Extra information: Evolution and other apps that support OAuth2 authentication may work in place of Thunderbird as well.

How to add 2-factor authentication info to KeePassXC

Download KeePassXC from https://keepassxc.org/download/.

  1. In your main database, if you have not already written your Rose-Hulman username and password in the database: Make a new entry for your Rose-Hulman network account. Go to Entries > New Entry. Enter your username and password and click OK. Press Ctrl + S to save the KeePass database.
  2. Make a separate database for your 2-factor authentication tokens and keep it in a different location (e.g., off of cloud storage and on your hard drive only). This is recommended for security reasons. Source: KeePassXC FAQ
  3. Make a new entry called "RHIT 2-Factor" for your RHIT 2-factor authentication token in that database. Go to Entries > New Entry. You can leave username and password blank. (You can call it something else, but I use this name for the purposes of this tutorial.)
  4. In the entry, go to Advanced > Attachments. Click "Add" and add the QR code image that you saved to your Downloads folder. Click OK at the bottom and press Ctrl + S inside of KeePassXC.
  5. Delete the QR code image from your Downloads folder.
  6. We will now read the QR code to get the 2-factor authentication "secret". This is how KeePassXC generates the 2-factor authentication code you use to log in.
    1. On Linux or Windows Subsystem for Linux, you can read a QR code through the zbarimg tool. To do this, open up a terminal (Ctrl+Alt+T on most Linux distros) and perform the following commands:
      1. Ubuntu-based distros: sudo apt-get install zbar-tools
      2. Type cd ~/Downloads (may be different on Windows) and then type zbarimg <whatever you saved your image as>.png
      3. You should see something like this text (YOUR_EMAIL and SOME_STRING_OF_LETTERS_AND_NUMBERS are different since it's a different user that generated the QR code, but you should see your network email under YOUR_EMAIL and a bunch of letters and numbers under SOME_STRING_OF_LETTERS_AND_NUMBERS):
        1. QR-Code:otpauth://totp/Rose-Hulman%20Institute%20of%20Technology%3AYOUR_EMAIL%40rose-hulman.edu?secret=SOME_STRING_OF_LETTERS_AND_NUMBERS&issuer=Microsoft
      4. Copy the text under SOME_STRING_OF_LETTERS_AND_NUMBERS and put it into a blank text document (e.g. through Notepad). This is called the secret.
  7. Right-click on the KeePassXC entry called "RHIT 2-Factor" and go to TOTP > Set Up TOTP.
  8. Paste the secret you put in the blank text document into the "Secret Key" field. Leave all the other settings alone and click OK.
  9. Press Ctrl + S. Go back to step 5 of the "Look Here First - Getting Started" section and continue with sub-step 1 under it.

Sources: https://blog.paranoidpenguin.net/2020/05/how-to-back-up-your-2fa-secret-keys-with-keepassxc/, https://askubuntu.com/questions/22871/software-to-read-a-qr-code

How to add 2-factor authentication info to KeePass

KeePass is pre-installed on RHIT laptops. If you uninstalled it, it can be re-installed through the Software Center or from https://keepass.info/download.html.

You will need to install a plugin for KeePass that handles TOTP tokens since it isn't built in to KeePass.

To be written up.