[Ace] Two-Factor Email - Please Comment
Matt Bickley
bickley at jlab.org
Tue Sep 30 12:07:53 EDT 2014
On 09/30/2014 10:15 AM, Anthony Cuffe wrote:
> Colleagues,
>
> I would like to send an email warning about the impending two-factor
> cut-over and wanted to send a first draft for comment.
I re-read the crypto-app web page
https://devweb.acc.jlab.org/twiki/bin/view/UserSupport/HowToCryptoCardApp.
Somewhere on the page we should make it clear to users that they will
have to get a new token by filing an ACE-PR when their phone OS is
updated... and they will be unable to use the phone as their token code
generator in the interim.
We talked about enabling operations staff to provide a temporary token
code in situations where they have an urgent need to get support from
off-site, and the user's crypto tool is not working for them. Are we
going to pursue this? If so, we should let users know the capability
exists, and how they will go about getting the token code.
> =========================
>
> Accelerator Users,
>
> At the end of October, access to Accelerator computers (opsl00, devl00,
> etc.) and other accelerator subnets from the general Jlab network and
> from your home will require two-factor authentication. This is a
> cybersecurity requirement imposed not only on the Accelerator
> environment but also on other enclaves such as the Halls.
>
> Two-factor authentication requires you to have a so-called crypto-token,
> i.e. a small physical device or a smartphone application that generates
> a temporary password for you. The temporary password, combined with a
> PIN you know, allows you to log into our gateway computer
> acclogin.jlab.org, from which you can directly access the accelerator
> networks.
>
> This change only affects incoming connections to the accelerator
> networks (e.g. office/home -> opsll). If you are on-site using one of
> the Accelerator systems or connected to one of the Accelerator systems
> remotely, you do not need the token to connect to other accelerator
> computers or to destinations outside of the Accelerator networks
> (e.g. opsll -> office). In other words, within the Accelerator
> Computing Environment everything will work exactly as before.
>
> If you need to access Accelerator systems remotely and do not already
> have a crypto-token, please file an ACE-PR and select "ACE- CryptoCard"
> and request a CryptoCard token. Please indicate whether you would
> prefer to have a smartphone app or a hardware key for this function.
> It might take several days to fulfill these requests, so plan ahead.
> If you choose a hardware key, you will need to pick up the crypto key
> in person from one of the Accelerator computing group staff.
> Alternately, if the help desk is more convenient for your location you
> can file a CCPR with the same request.
>
> If you would like to read more about crypto-cards, the smartphone app or
> would like to see the updated procedures for accessing Accelerator
> systems, please visit our remote access page.
>
> How to Access Accelerator Systems Remotely:
> -------------------------------------------
> https://devweb.acc.jlab.org/twiki/bin/view/UserSupport/HowToRemoteAccess
>
> In short, you need a crypto-card and you need to start using
> acclogin.jlab.org as a gateway to Accelerator systems (at home and from
> Jlab networks).
>
> Thank you,
>
> Anthony Cuffe
> Accelerator Computing Group
>
> =======================
--
Matthew Bickley Email: bickley at jlab.org
Deputy Director of Accelerator Operations Telephone: 757-269-7347
TJNAF