Use of Duo two-factor authentication (https://www.duosecurity.com) is required for access to HCC clusters. Users will connect via SSH and enter their username and password as usual. One additional authentication step through Duo is then needed before the login is completed. This second authentication can be in several different forms (cell phone, YubiKey hardware token), and is user-selectable at each login. A brief description of each is provided below. See the Duo Authentication Methods page for more details.
Most HCC account holders use the Duo Mobile application on their smartphone or purchase a YubiKey USB device.
- Install the free Duo Mobile application from the Google Play Store, Apple App Store or Microsoft Store.
- Visit one of the following locations. Bring your smartphone and a valid photo ID such as your university ID card or driver's license.
Faculty/staff members with a verified NU telephone number can enroll by phone. If you would like an HCC staff member to call your NU telephone number to enroll, please email email@example.com with a time you will be available.
YubiKey devices are currently a one-time cost of $22 from HCC, or can be purchased from Yubico and added in-person at either HCC location. Purchasing a YubiKey from HCC must be done via a University cost object transfer (HCC cannot accept cash or credit cards). Please bring the cost object number with you if possible. YubiKeys are available from the Union Bookstore at UNL for a one-time cost of $25 each.
Example login using Duo Push
This demonstrates an example login to Crane using the Duo Push method. Using another method (SMS, phone call, etc.) proceeds in the same way.
First, a user connects via SSH using their normal HCC username/password, exactly as before.
After 10 failed authentication attempts, the user's account is disabled. If this is the case, then the user needs to send an email to firstname.lastname@example.org including his/her username and the reason why multiple failed authentication attempts occurred.
After entering the password, instead of completing the login, the user will be presented with the Duo prompt. This gives the choice to use any authentication method that the particular account is set up to use. In this example, the choices are Duo Push notification, SMS message, or phone call. Choosing option 1 for Duo Push, a request to verify the login will be sent to the user's smartphone.
Approve to verify the login.
If you receive a verification request you didn't initiate, deny the request and contact HCC immediately via email at email@example.com.
In the terminal, the login will now complete and the user will be logged in as usual.
Duo Authentication Methods
Duo Push
For smartphone or tablet users (iPhone, Android, Blackberry, Windows Phone), the Duo Mobile app is available for free. A push notification will be sent to the device, and users can simply confirm the login with one tap.
The Duo Mobile app can also be used to generate numeric passcodes, even when cell service is unavailable. The passcode is then entered manually at the login prompt to complete authentication.
For non-smartphone users, Duo can send passcodes via normal text messages, which are entered manually to complete login. Please note that since this is an SMS message, it may not be free, depending on the details of the particular cell phone plan.
For users with cell phones who prefer not to use any of the above methods and for those with landline phones, Duo will call the phone and provide a passcode via automatic voice message. The passcode is then entered manually to complete the login.
YubiKeys are USB hardware tokens that generate passcodes when pressed. They appear as a USB keyboard to the computer they are connected to, and so require no driver software with almost all modern operating systems. YubiKeys are available from the Union Bookstore at UNL for a one-time cost of $25 each. Users may also purchase them directly from Yubico if desired; this does require stopping by either HCC location in person to have the YubiKey added to the user's account. For your convenience, HCC often carries some YubiKeys as well; these may only be purchased via a Cost Object transfer.