The protection of user credentials is of utmost importance. Two-Factor Authentication (2FA) is a powerful security tool in the field of cybersecurity, enabling us to deploy a mechanism that counters certain cyber threats, making credential theft extremely difficult, if not impossible.

We know that passwords can be "stolen" or disclosed to third parties (either voluntarily or involuntarily). By using Two-Factor Authentication, the impact of a "stolen" password is significantly reduced because your account is protected not only by something "you know" (i.e., the password), but also by something "you possess," such as a one-time code generated by a number generator available through the "vault" service or installed via a specific application on your smartphone or PC.

Starting today, you can enable this new feature by following the instructions available at this link: https://wiki.infn.it/cn/ccr/aai/doc/2fa/req.

The procedure is very simple:

• Request activation through AAI authentication (currently reserved for employees, associates, guests) by accessing the web service at https://mfa.app.infn.it/.
• Register the "unique secret" in your "personal vault," available in the vault service https://vault.infn.it/ or in your chosen application.

During the usual login via INFN-AAI, an additional step will be required where you will be asked to enter the OTP (One-Time Password), which is a six-digit number generated by your "personal vault" or chosen application.

Once activated, Two-Factor Authentication will be required to access all web services connected to INFN-AAI, with the sole exception of the Indico agenda (as the service is open to everyone) and the password management (or "personal vault") service at https://vault.infn.it/#/login (as this service is already protected by an additional master password).

As with all activations of second-factor authentication, the INFN Computing and Networks Commission (CCR) defined a deployment plan that has been approved by the GE and directors. This plan includes a period where activation is voluntary, followed by a phase where those who have not activated the second factor will be required to do so in order to access IT services.