Multi-factor Authentication

As part of our ongoing commitment to data security and compliance with NIST 800-171 requirements, MFA is now required for users who access Controlled Unclassified Information (CUI) in the wi-hpc cluster, including dbGaP and NBDC datasets.

Quick Start

1. Log in to the cluster

ssh user@wi-hpc

2. Start the MFA Setup

google-authenticator

When prompted with "Do you want authentication tokens to be time-based (y/n)?", type y to accept.

3. Scan the QR Code

A QR code will now appear on your screen. Open the Microsoft Authenticator application on your phone and scan it (blue button in bottom left). A new entry will then appear in your Microsoft Authenticator app.

4. Enter Verification Code

Back in your terminal, enter the 6-digit code from your device (make sure you refresh by swiping down on the app).

5. Save Emergency Scratch Codes

Emergency scratch codes will appear in your terminal. Make sure to save these somewhere safe (e.g., Bitwarden).

6. Confirm File Location

It will then ask you where to save the .google_authenticator file. This defaults to your home directory; please accept this default with y.

7. Final Prompts

Answer y to all remaining prompts to complete the setup.

8. You're All Set

You are now set up for MFA on the wi-hpc cluster.

Now, when you log in, you will be prompted for a verification code as well as your password (hence MFA).

ssh user@wi-hpc
(user@wi-hpc) Verification code:
(user@wi-hpc) Password: 

Info

If the login is not working, please try closing the Microsoft Authenticator application and reopening it.

Info

You will only need to input your code once every 24 hours when connecting from the same IP address (e.g., in office vs. at home on VPN).

As always, please see Getting Help if you experience any issues and/or have any questions.

Troubleshooting/FAQ

Why do I need to do this?

As part of our ongoing commitment to data security and compliance with NIST 800-171 requirements, we are implementing an important change for users who access Controlled Access Datasets (CAD), including dbGaP and NBDC datasets. We know it's an extra step, but this federal requirement for controlled access datasets helps keep our computing environment compliant and your research data secure. We appreciate your cooperation.

Can you apply MFA only to the directory instead of every login?

Unfortunately, it is not possible to set MFA only for a specific share/directory. It must be done at the login step.

We chose to make MFA part of the SSH login rather than putting the whole HPC cluster behind the VPN (even when in the office) and requiring MFA there, because that would put a heavy traffic burden on the VPN, possibly leading to more issues.

Login keeps asking for code/password

If the login is not working, please try closing the Microsoft Authenticator application and reopening it.

I lost my code in Microsoft Authenticator / I got a new phone

If you deleted or lost your code in your Microsoft Authenticator app, use one of the emergency scratch codes to log in. Once logged in, run google-authenticator again to regenerate the QR code and overwrite your old config.
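
To confirm the result of steps 5 and 6 of the Quick Start and to see how many emergency scratch codes are left before you need one, the following added example (not part of the original page or of the wi-hpc tooling) inspects the file without printing the secret. It assumes the default upstream google-authenticator file layout and GNU stat; the function names ga_audit and ga_sample are hypothetical.

```shell
# Added example; ga_audit and ga_sample are hypothetical helper names.
# Assumed layout (upstream google-authenticator default):
#   line 1: base32 secret (never printed here)
#   lines starting with a double quote: options, e.g. " TOTP_AUTH
#   8-digit lines: unused emergency scratch codes

# Usage: ga_audit [FILE]   (FILE defaults to ~/.google_authenticator)
ga_audit() {
    f=${1:-$HOME/.google_authenticator}
    [ -f "$f" ] || { echo "status=missing"; return 1; }

    mode=$(stat -c '%a' "$f")   # GNU stat, as found on Linux login nodes
    case "$mode" in
        400|600) private=yes ;;  # assumption: owner-only access is required
        *)       private=no ;;
    esac

    # Answering y to the time-based prompt is recorded as: " TOTP_AUTH
    if grep -q '^" TOTP_AUTH' "$f"; then totp=yes; else totp=no; fi

    # Skip the secret on line 1, then count lines of exactly 8 digits.
    scratch=$(tail -n +2 "$f" | grep -c '^[0-9]\{8\}$' || true)

    echo "mode=$mode private=$private totp=$totp scratch=$scratch"
    [ "$private" = yes ] && [ "$totp" = yes ] && [ "$scratch" -gt 0 ]
}

# Writes a constructed sample file (made-up secret and codes) for a dry run.
ga_sample() {
    printf '%s\n' 'JBSWY3DPEHPK3PXP' '" RATE_LIMIT 3 30' '" WINDOW_SIZE 17' \
        '" DISALLOW_REUSE' '" TOTP_AUTH' \
        '11112222' '33334444' '55556666' > "$1"
    chmod 400 "$1"
}
```

Each scratch code works only once, so a scratch count of 0 means a lost phone would leave you without a way in; rerun google-authenticator while you can still log in.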

I use Bitvise as my SSH client

If you are using Bitvise as your SSH client (on Windows), under the "Authentication" section, select password+kbdi as your Initial Method. From there, you can input your password and/or your code. If you don't enter either, you will be prompted for the code and password upon clicking Log In.