2 Factor Authentication

Configuring your JHPCE Account for 2 Factor Authenticaiton

Introduction

2 Factor Authentication is used on the JHPCE cluster to provided an additional layer of security when logging in to the cluster.  When it is enabled for your account, 2 Factor Authentication will require you to enter your JHPCE password, as well as a One Time Password (OTP) that is generated via a smartphone or browser based application.  We use the Google Authenticator on the JHPCE cluster for 2 Factor Authentication.

The OTP application will generate a new 6 digit code every 30 seconds and you must have access to your ever changing OTP in order to log in. This provides 2 factors for accessing the JHPCE cluster – something you KNOW (your password) and something you HAVE (your OTP).  The presumption is that a bad guy who has hacked you password, does not have access to your phone and thus you are more secure. Here is a video that shows how easy it is to use.

To set up 2 Factor Authentication, you will need to use the following steps:

Step 1) Viewing your Google Authenticator configuration on the cluster.

To view your Google Authenticator configuration on the cluster you must log into a JHPCE login server account and run the auth_util application. If you have never logged into the cluster a temporary “Verification Code” will be provided to you during the orientation session, which will allow you login to the cluster one time.

$ auth_util

*** JHPCE Auth Utility ***

    Choices:
    1=Display Secret Key
    2=Display Scratch Codes
    3=Add New Scratch Codes
    4=Reset Google Authenticator
    5=Display QR Code
    6=exit

Enter your choice (1-6):

Record  the 5 emergency scratch codes someplace safe.  Don’t forget this step. These codes are the only way to log in  should your smart phone go missing!  Emergency scratch codes do not expire, but each code will work only once. If you need more Emergency Scratch Codes, you can use option “3” in auth_util to generate 4 additional codes.  You should print out your scratch codes and print them out on a nondescript piece of paper (so, not labeled “JHPCE cluster scratch codes”), or in an encrypted file on your laptop.

There are several situations where you will need to make use of a scratch code.  One common situation would be when arriving on campus and realizing that you left your cell phone with the Google Authenticator app at home. In this case, you could use one of your scratch code when prompted for “Verification Code” to access the cluster.  The most common situation we have seen where a scratch code is needed is when a new cell phone is purchased.  Often, the old cell phone (with the Google Authenticator app) is traded in, so the next time you go to login to the cluster,  you will find that you no longer have the Google Authenticator app.  In this case, you would need to use one of your scratch codes when prompted for Verification Code to login to the cluster, and then setup Google Authenticator on your new cell phone using the steps above.

Do not close this session. Keep it open for troubleshooting and so you can access the QR code that was generated. Use another ssh session to test your configuration.  You can close this session AFTER you have succeeded setting up your two-factor authentication.

Proceed to step 2 to configure your Google Authenticator application.

Step 2) Installing and setting up the Google Authenticator app on your a) Smartphone or b) via the Authy Chrome application

In order to generate the one time password to login to your account, you will need to install the Google Authenticator app on your smartphone, or the Authy application in the Google Chrome web browser.  We recommend that you use a smartphone, however if you do not have an IPhone or Droid based smartphone, you can install the Authy application.  Please choose one of the 2 options below. You can, of course, install both if you choose, but only one method is required.

2a) Google Authenticator App on your IPhone or Droid based Smartphone

The following is a modified version of  the google-authenticator support page.  First download and install the Google Authenticator app for your smart phone. Next set up the app as follows:

    1. On your phone, open the Google Authenticator application.
    2. Tap the plus icon. You should see something like the following (different versions of the app may look a bit different):

iPhone key entry

  1. Tap Time Based (label 1).
  2. To link your phone to your ssh account you can either (A) scan the QR code that was generated by the auth_util program or (B) enter the information manually.  We recommend scanning the QR code, but if that is not working you will need to manually enter the information into the app by entering a title for this account, such as jhpce in the Account field (label 2b), and the secret key that you got from option 1 in the auth_util application, (the code will look something like IHKIWUQD66HNRBSQ),  into the box next to Key (label 2c).
  3. Tap “Done” (label 2d) or the “√” Check Mark. You will return to the  main display which should display a security code for the account that you just set up. The code should change very 30 seconds.
  4. To test that the setup is correct, try logging into the login server and provide the security code displayed by the app when prompted for “Verification Code:”.
  5.  The clock icon on the phone app will let you know how much time is left before the security code expires and a new one is generated.
  6. If your password and security code are correct, your login will succeed. If you’re still having trouble, you might want to verify that the time on your phone is correct new window or read about common issues.

2b) Google Authenticator App via the Authy Chrome extension

If you do not have a smartphone, you can make use of the “Authy” Chrome browser extension to display your Google Authenticator one time passwords.  Please follow the steps below to configure Authy for accessing the JHPCE cluster. Please note that the Authy app is the only feature you will need to use the Google Authenticator from your browser – you will not need to enable “2 Factor Authentication” in your Google/Gmail account settings.

The 2 prerequisites for using Authy are 1) the Google Chrome web browser, which you can get from https://www.google.com/chrome/ and 2) a cell phone that can receive text messages.

  1. First you will need to install the Authy app.  From your Chrome browser, go to https://www.authy.com/.  At the top of the page click on the button to Download Authy.
  2. Once you will install Authy, you will see a message that says “Authy has been added to Chrome”, with the option to “Show Me”.  Select the “Show Me” option.  This will take you to chrome://apps/ which will display the apps installed in Chrome.  Select the Authy App.
  3. Follow the Authy app setup steps.  You will be prompted to enter a cell phone number, and you will receive a text message with a PIN to use to install Authy.  Once the installation is complete, you should see a window similar to:Screen Shot 2015-01-06 at 12.02.13 PM
  4. Click on the red “+” to add your JHPCE Google Authenticator information.a.) You will first be prompted for you “Authenticator Account”, which is your “Secret Key” from the previous section.  If you have forgotten your “Secret Key”, you can get it by logging in to the JHPCE cluster and using Option 1 “Display Secret Key” in the auth_util program. Enter your Secret Key and click “Add Account”
    b.) Next, select a logo (such as “Other”) and enter a name for the account (such as JHPCE), and click “Done”
    c.) Close the “Account” window.  You should now see a list of accounts (which should only include JHPCE).  Click on your account, and you should now see your 6 digit One Time Password.
  5. Going forward, to access Authy, you can go to chrome://apps in your Chrome browser, or you can install the Authy Extension to get an Authy button on your Chrome toolbar.
  6. To test that the setup is correct, try logging into the login server and provide the security code displayed by the app when prompted for “Verification Code:”.
  7. The clock icon on the phone app will let you know how much time is left before the security code expires and a new one is generated.
  8. If your password and security code are correct, your login will succeed. If you’re still having trouble, you might want to verify that the time on your phone is correct  or read about common issues.

One last note. If you access the JHPCE cluster frequently from a single computer, you can set up keypair authentication on that computer to simplify the login process. Using keypair authentication in essence provides 2 factor authentication in that you will need something you KNOW (the password for the account on your local computer), and something you HAVE (the ssh key on your computer). If you had already set up keypair authentication, on the machine you are attempting to login from, the authentication will default to the keypair authentication and will not require your password and OTP.

Troubleshooting 2 Factor Authentication

My winscp program stopped working!

With 2 Factor Authentication, you need to include you username in the definition for your session

The “authy” chrome plugin works on one machine but not on another

Check that the time is set correctly on your machine. The six-digit One Time Passwords (OTP) are time-based and are only valid for 30 seconds. So if the time is off on your machine it will not generate the correct OTP for the 30 second interval.

I just swam 9 miles onto a deserted desert island. I found a laptop and there is internet, but my phone is dead so I can’t get a code. Could you turn off 2-factor authentication so I can login with only my password?

NO.  Instead, we will send you one of your “emergency scratch codes”. Once you are in, get your remaining four scratch codes (see documentation above) and write them down on a coconut.  Keep the coconut with you at all times ( in case the island sinks and you have to swim to another desert island).  Hopefully you get rescued before you use up your four scratch codes. If not, use auth_util to generate more one-time scratch codes and write those down on another coconut. Repeat until you are rescued.

I use CyberDuck to transfer files from my mac to the cluster. Now it doesn’t work anymore.

We have had several people that have still had issues with Cyberduck even after applying the fixes below. We recommend using Filezilla ( instead.

  1. Update your cyberDuck to the latest version.
  2. Make sure that your password is not saved in the Cyberduck connection.
  3. Click “Open Connection”
  4. Select “SFTP” from the pulldown list. Enter “jhpce01.jhsph.edu” for the server. Enter your JHPCE user name in the “Username” field. be sure that the “Password” field is empty. Click “Connect”.
  5. The first window that pops up will say “Login Failed”, but don’t be alarmed. Enter the 6 digit number from your Google Authenticator or Authy app into the “Password” field.
  6. The next window that pops up will say “Provide Addional Login Credentials”. Enter your normal JHPCE password here.

I use Filezilla to transfer files from my mac to the cluster. Now it doesn’t work anymore.

  1. Update your Filezilla to the latest version.
  2. In Filezilla, create a new Site
  3. Enter the “Hostname” (eg. jhpce-transfer01.jhsph.edu)
  4. Set the “Protocol” to “SFTP”
  5. Set the “Logon Type” to “Interactive”
  6. Set the “User” to your JHPCE UserID. Do not touch the “Password” and “Account” fields.
  7. Click “Connect”. You will be prompted for your “Verification Code”, which is the 6 digit number from Google Authenticator, and then “Password”, which is your JHPCE Password.