Supported Applications
The three supported applications compatible with the infrastructure are:
- Ente Auth: the first in order of preference. Multi-platform. It is also recommended by CERN, which can make life easier, at least for CERN users.
- Bitwarden: available for both mobile and desktop, but only if linked to a "self-hosted" account defined at https://vault.infn.it/
- privacyIDEA Authenticator
The first two are available for all platforms and can access the same database, which is stored encrypted under a master password, while the third is only available for mobile (both iOS and Android) and does not allow the database to be shared (except through export/import).
Below are detailed instructions on how to install and configure the first two applications so that they correctly generate the Time-based One-Time Password (TOTP) needed for authentication.
Ente Auth
Ente Auth is a free and Open Source application, available for all architectures, both mobile and PC, that saves data in the ente.io cloud (free to use up to 5GB of storage) using end-to-end encryption. This allows users to share the "secret" authentication database across all their devices (smartphone, tablet, laptop, desktop, etc.).
The database is encrypted using the master password (1) defined when the account is created (though it can be modified later). Additionally, the software offers the option to define a recovery key (a string composed of 24 randomly chosen words from an English dictionary) to use in case the master password is lost.
Download & Install
You can download the installer either from the home page of Ente Auth or from GitHub (expand the "Assets" section).
Configuration
Once installed, at the first launch, you can create an account by clicking on "New to Ente."
As your username, you need to enter a valid email address (the system will send a verification code to this email address for validation).
You define your master password.
The system creates the account and sends a verification code to the email address, which you will need to enter into the designated field in the interface.
This concludes the account creation process, and the system generates the "recovery key," a sequence of 24 English words that can be used if the master password is lost.
Bitwarden
Bitwarden is essentially a password manager that also has the capability to generate TOTP. The TOTP generation feature is paid if you choose to link the application to an account created on bitwarden.com or bitwarden.eu, but it is free if you associate the application with a "self-hosted" account. The CCR National Services provide a "self-hosting" service compatible with Bitwarden, accessible via https://vault.infn.it.
For configuring your personal "vault" in the National Services infrastructure, please refer to the quickstart guide or the more detailed guides and training materials produced by the service administrators.
Here, we want to highlight an important aspect from an IT security perspective.
Although it is technically possible and very convenient to use the INFN "vault" (either directly via the web or through a Bitwarden app) to store both your passwords and the secret needed to obtain the TOTP, storing both authentication factors (INFN-AAI password and the TOTP seed) undermines the very concept of two-factor authentication and is therefore considered PROHIBITED.
For this reason, we recommend using Ente Auth for TOTP and the vault (with or without Bitwarden) for password management.
PrivacyIdea Authenticator
PrivacyIdea Authenticator, available for iOS and Android in their respective stores, is a standalone application that does not offer the ability to share configurations across multiple devices and, therefore, does not require configuration.
(1) Master Password
The Master Password must be:
- very long
- easy to remember
- different from any of your other passwords.
It is not so important to compose it from different character classes (an uppercase letter, a lowercase letter, a digit, 3 frog tails, a hop on the left foot…) as it is to make it long.
A very strong master password (with an entropy greater than 80 bits) could be, for example, the concatenation of 5 random Italian words chosen using a method only you know (DivinaTravoltiRododendroMeravigliaoBasta), if it weren't written here. The important thing is that it is long and easy for you to remember.
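To make the "length beats character classes" argument concrete, here is an added example (not part of the original guide) that computes the entropy of a secret built from uniform random choices and picks words with a CSPRNG. The wordlist is a constructed sample; the 80-bit figure for 5 words assumes a dictionary of at least 65,536 (2^16) words, which is an assumption, not something the guide states.

```python
import math
import secrets

# Constructed sample wordlist for illustration only; a real passphrase
# dictionary should contain tens of thousands of words.
SAMPLE_WORDS = ["divina", "travolti", "rododendro", "meraviglia", "basta",
                "lanterna", "cometa", "sorgente"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret made of `length` independent uniform choices
    from `pool_size` equally likely symbols (characters or words)."""
    if pool_size < 2 or length < 1:
        raise ValueError("pool_size must be >= 2 and length >= 1")
    return length * math.log2(pool_size)


def words_needed(dict_size: int, target_bits: float = 80.0) -> int:
    """Smallest number of random words from a dict_size-word dictionary
    whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(dict_size))


def generate_passphrase(wordlist, n_words: int, sep: str = "") -> str:
    """Pick n_words uniformly at random using the `secrets` CSPRNG (never
    random.choice) and join them in CamelCase like the guide's example."""
    chosen = [secrets.choice(wordlist).capitalize() for _ in range(n_words)]
    return sep.join(chosen)


if __name__ == "__main__":
    # 8 characters from 94 printable ASCII symbols vs. 5 random words.
    print("8 mixed chars :", round(entropy_bits(94, 8), 1), "bits")
    print("5 words/65536 :", round(entropy_bits(65536, 5), 1), "bits")
    print("5 words/7776  :", round(entropy_bits(7776, 5), 1), "bits")
    print("words for 80 bits with a 7776-word list:", words_needed(7776))
    print("sample:", generate_passphrase(SAMPLE_WORDS, 5))
```

An 8-character password drawn from all printable ASCII gives about 52 bits; with a 7776-word (Diceware-sized) list you need 7 words to pass 80 bits, which is why dictionary size matters as much as word count.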