Instructions for Activating Two-Factor Authentication
WARNING: Once two-factor authentication is activated, every login via the INFN-AAI IdP will require two factors. You can choose the first in the usual way (username/password, X.509, Kerberos-GSSAPI, SPiD, CIE), and the second will always be the TOTP (Time-based One-Time Password) code generated by the app in which you stored the token during the two-factor activation process.
WARNING: After 10 failed OTP authentication attempts, the system will block access. You will need to request a reset of the failed attempt counter by sending an email to aai-support@infn.it.
Prerequisites
- Active role
- An application for generating a Time-based One-Time Password (TOTP)
Active Role
Only employees, associates, and guests can request two-factor authentication.
Application
Before starting the token acquisition process, it is essential to install and properly configure an application compatible with our infrastructure, running on a device that keeps the correct time, synchronized with official time sources. If the device’s time is off by even half a minute, the generated TOTP may already be expired or not yet valid. Most devices are set to automatically sync with official sources via the network, but you might be on a network that blocks the NTP protocol, causing the device's clock to drift.
The only compatible applications are:
- Ente Auth: the first choice. Multi-platform. It is also recommended by CERN, which can make life easier for CERN users.
- BitWarden: available for both mobile and desktop only if connected to a "self-hosted" account set up at https://vault.infn.it/.
- privacyIDEA Authenticator: available for iOS and Android from their respective stores.
WARNING: Google Authenticator is NOT supported. Microsoft Authenticator should NOT be used (both store the key in plain text in their cloud).
WARNING: Bitwarden connected to the INFN "vault" is allowed only if used for one authentication factor. In other words, it is FORBIDDEN as a TOTP generator if you store your INFN-AAI credentials there.
Detailed instructions on how to install and configure these three applications are available on this wiki page.
Enabling Two-Factor Authentication
The two-factor authentication activation process consists of two seemingly separate actions that are closely connected:
- Generating a token (performed by the MFA server);
- Storing the token in the application.
Note: Since during the first week of optional two-factor activation we observed a significant number of failed token storage attempts, we modified the process by adding a verification step to ensure the token is correctly stored and used before activating two-factor authentication.
Token Generation
To generate a token, log in to the web service at:
using your INFN-AAI credentials. After entering your credentials in the standard INFN login window, you will be asked to confirm access:
On your first login, the only available action will be to request a token.
In the window, select: Enroll Token.
Next, specify the following values:
Enroll a new token
- TOTP: Time-based One-Time Password
Token data
- OTP length: 6
- Timestep: 30
and click the Enroll Token button.
The next screen will show you a QR code to import into your app.
By clicking the link "The OTP Key," you can view the "secret" or "seed" encoded in a couple of formats, for manual configuration in apps that cannot use QR codes.
WARNING: The secret/seed is only one of the data elements in the QR code and is not sufficient for manual configuration by itself. If the app you are using to generate the TOTP cannot import data from the QR code, immediately save the Base32-encoded key.
If you've chosen an app that can read a QR code, you can simply scan it to import the information (instructions for some applications are available here).
Enrollment Verification
In this window, you will find a "Verify Token" button under a "Please enter a valid OTP value of the new token" field. This is used to verify that the token was correctly registered in your app and that it produces a valid TOTP.
The token acquisition process will only complete if this final verification step is successful.
The session timeout on this webpage is 15 minutes, so it’s essential to save the information before the timeout expires.
If the TOTP produced by your application is incorrect (or you mistype it), an error popup will appear as shown in the image, and you can correct the TOTP or switch to a supported app.
If you cannot enter the correct TOTP but have saved the information, you can log back in at https://mfa.app.infn.it/ and complete the token verification by clicking the serial number of the token to be verified:
and entering the correct TOTP above the blue "Verify Token" button:
This completes the token acquisition process, and you will receive a confirmation email.
Importing the QR Code
The simplest way to register the token in your app is to use a smartphone (or tablet) app capable of using the camera to import the QR code data.
Ente Auth
The Ente Auth smartphone app has a start page with a "Scan a QR Code" button:
This button directly accesses the camera, and as soon as the QR code is scanned, it generates a TOTP.
If you've set up an account on ente.io as described in this wiki page, all instances of Ente Auth linked to that account will generate the same TOTP.
Bitwarden (mobile app, with camera access)
PrivacyIdea
To import the QR code into the PrivacyIdea app, simply click the central icon and scan the QR Code.
Manual Configuration: Importing the OTP Key
The QR code contains a series of necessary details for properly configuring the TOTP generator. If you wish to use a TOTP generator that doesn’t support QR codes (like supported PC apps or the web interface to the INFN "vault"), you’ll need to properly format the string for its configuration.
The string must be formed by concatenating:
- otpauth://totp/?secret=
- <The BASE32 encoded OTP Key>
- &algorithm=sha256&period=30&digits=6&issuer=INFN-AAI
The string should look like this:
otpauth://totp/?secret=2UCHU2WHNR3S52W7Z6DRQ5XCGWQZ5XAFB6C3JD5F6DSJZ53TL5FA&algorithm=sha256&period=30&digits=6&issuer=INFN-AAI
If you chose a 60-second period or an 8-digit TOTP, change the period and digits to match your choice.
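As an added example (not part of this page or of the INFN software), the following Python script parses the configuration string above and computes the code exactly as RFC 6238 prescribes, using the algorithm, period and digit count carried in the string. EXAMPLE_URI reuses the sample string from this page; RFC6238_URI and its secret are constructed from the RFC 6238 Appendix B test vectors so the implementation can check itself.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlsplit

# The configuration string given on this page (its sample secret, not a real token).
EXAMPLE_URI = ("otpauth://totp/?secret=2UCHU2WHNR3S52W7Z6DRQ5XCGWQZ5XAFB6C3JD5F6DSJZ53TL5FA"
               "&algorithm=sha256&period=30&digits=6&issuer=INFN-AAI")
# Constructed self-check: RFC 6238 Appendix B SHA-256 vectors use the ASCII seed
# "12345678901234567890123456789012"; this is its Base32 form with padding stripped.
RFC6238_URI = ("otpauth://totp/RFC6238?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQGEZA"
               "&algorithm=sha256&period=30&digits=8&issuer=test")


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into the fields a TOTP generator needs."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = parse_qs(parts.query)
    secret_b32 = q["secret"][0].replace(" ", "").upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # apps often drop the '=' padding
    return {
        "secret": base64.b32decode(secret_b32),
        "algorithm": q.get("algorithm", ["sha1"])[0].lower(),  # RFC default is SHA-1
        "period": int(q.get("period", ["30"])[0]),
        "digits": int(q.get("digits", ["6"])[0]),
    }


def totp(secret, at, period=30, digits=6, algorithm="sha256"):
    """RFC 6238: HMAC over the big-endian 64-bit time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_from_uri(uri, at):
    """Code the IdP expects at Unix time `at` for the token described by `uri`."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])


def seconds_until_rollover(at, period=30):
    """Remaining validity of the current code; a clock off by more than this gives the next code."""
    return period - at % period
```

Comparing `totp_from_uri(EXAMPLE_URI, int(time.time()))` with what your app displays tells a clock problem (the app shows the code of a neighbouring 30-second step) apart from a wrongly imported key (the app shows an unrelated code).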
Below are the details of the manual configuration for the supported apps.
Ente Auth
Ente Auth can import a key from a file in text format.
You must therefore create a text file containing, on a single line, the string obtained by concatenating the above information.
After creating and saving the file:
- open the application
- press the three lines at the top left (open the navigation menu)
- open the down arrow next to the "Data" item
- select: "Import codes"
- choose: "Plain text"
- press: "Select file"
- select the file created previously
If the operation was successful, a window will appear saying:
Yay!
You have imported 1 codes!