Differences

This shows you the differences between two versions of the page.

--- cn:ccr:aai:doc:2fa-en:app [2025/03/13 08:24] – dmaselli@infn.it
+++ cn:ccr:aai:doc:2fa-en:app [2025/03/13 13:45] (current) – monducci@infn.it
@@ Line 1: / Line 1: @@
+====== Supported Applications ======
+Of the supported applications compatible with the infrastructure:
+  * **[[https://netknights.it/en/products/privacyidea-authenticator-app/|privacyIDEA Authenticator]]**: mobile application for Android and Apple devices. Probably the simplest solution.
+  * **[[https://ente.io/auth/|Ente Auth]]**: available for both mobile and desktop. It is also recommended by CERN.
+  * **[[https://bitwarden.com|Bitwarden]]**: available for both mobile and desktop. \\ **Only if linked to a "self-hosted" account defined at https://vault.infn.it/**
+  * **[[https://getaegis.app/|Aegis Authenticator]]**: only for Android devices. <color #ed1c24>**-->> Added on 03/13/2025**</color>
+Below are detailed instructions.
+<color #ed1c24>**IMPORTANT NOTICE**</color> \\
+These instructions may be modified to introduce improvements and clarifications. The main differences with previous versions will be appropriately highlighted. We recommend that you check them periodically.
+===== Ente Auth ======
+{{:cn:ccr:aai:doc:2fa:ente_auth_logo.png?40 |}}
+**[[https://ente.io/auth/|Ente Auth]]** is a free and Open Source application, available for all architectures, both mobile and PC, that saves data in the ente.io cloud (free to use up to 5GB of storage) using end-to-end encryption. This allows users to share the "secret" authentication database across all their devices (smartphone, tablet, laptop, desktop, etc.).
+The database is encrypted using the [[#master-password|master password (1)]] defined when the account is created (though it can be modified later). Additionally, the software offers the option to define a recovery key (a string composed of 24 randomly chosen words from an English dictionary) to use in case the master password is lost.
+==== Download & Install ====
+You can download the installer either from the home page of [[https://ente.io/auth/|Ente Auth]] or from [[https://github.com/ente-io/ente/releases?q=tag%3Aauth-v4.0.2&expanded=true|GitHub]] (expand the "Assets" section).
+==== Configuration ====
+{{ :cn:ccr:aai:doc:2fa:ente_auth.png?200 |}} Once installed, at the first launch, you can create an account by clicking on "New to Ente."
+{{ :cn:ccr:aai:doc:2fa:ente_auth_create_account1.png?200 |}} As your username, you need to enter a valid email address (the system will send a verification code to this email address for validation).
+{{ :cn:ccr:aai:doc:2fa:ente_auth_create_account2.png?200 |}} You define your [[#master-password|master password]].
+{{ :cn:ccr:aai:doc:2fa:ente_auth_verify_mail.png?200 |}} The system creates the account and sends a verification code to the email address, which you will need to enter into the designated field in the interface.
+{{ :cn:ccr:aai:doc:2fa:ente_auth_recovery_key.png?180 |}} This concludes the account creation process, and the system generates the "recovery key," a sequence of 24 English words that can be used if the master password is lost.
+===== Bitwarden ======
+Bitwarden is essentially a password manager that also has the capability to generate TOTP. The TOTP generation feature is paid if you choose to link the application to an account created on bitwarden.com or bitwarden.eu, but it is free if you associate the application with a "self-hosted" account. The CCR National Services provide a "self-hosting" service compatible with Bitwarden, accessible via https://vault.infn.it.
+For configuring your personal "vault" in the National Services infrastructure, please refer to the [[https://l.infn.it/vault-infn|quickstart guide]] or the more detailed [[https://servizinazionali.infn.it/vault-content/|guides and training materials]] produced by the service administrators.
+Here, we want to highlight an important aspect from an IT security perspective.
+Although it is technically possible and very convenient to use the INFN "vault" (either directly via the web or through a Bitwarden app) to store both your passwords and the secret needed to obtain the TOTP, storing both authentication factors (INFN-AAI password and the TOTP seed) undermines the very concept of two-factor authentication and is therefore considered **PROHIBITED**.
+For this reason, we recommend using Ente Auth for TOTP and the vault (with or without Bitwarden) for password management.
+===== PrivacyIdea Authenticator ======
+PrivacyIdea Authenticator, available for iOS and Android in their respective stores, is a standalone application that does not offer the ability to share configurations across multiple devices and, therefore, does not require configuration.
+----
+===== (1) Master Password ======
+The Master Password must be:
+  * very long
+  * easy to remember
+  * different from any of your other passwords.
+It is not strictly necessary to compose it using different sets of characters (one uppercase, one lowercase, a number, 3 frog tails, a hop on the left foot...) as much as it is to make it long.
+A very strong master password (with an entropy greater than 80 bits) could be, **if it weren’t written here**, for example, the concatenation of 5 random Italian words (using a method only you know) (DivinaTravoltiRododendroMeravigliaoBasta). The important thing is that it’s long and easy for you to remember.