EPJ Web of Conferences (Jan 2024)

The Second-Factor Authentication System at CERN

  • Ahmad Adeel,
  • Aguado Corman Asier,
  • Short Hannah,
  • Valsan Liviu,
  • Fava Maria,
  • Tedesco Paolo,
  • Lopienski Sebastian,
  • Lueders Stefan,
  • Brillault Vincent

DOI
https://doi.org/10.1051/epjconf/202429504025
Journal volume & issue
Vol. 295
p. 04025

Abstract


In 2022, CERN ran its annual simulated phishing campaign, in which 2000 users gave away their passwords. In a real phishing incident this would have meant 2000 compromised accounts, unless they were protected by Two-Factor Authentication (2FA). In the same year, CERN introduced 2FA for accounts with access to critical services. The new login flow requires users to always authenticate with a 2FA token, either a Time-based One-Time Password (TOTP) or WebAuthn. This is a significant security improvement both for the individual and for the laboratory; the previous flow enforced 2FA only for access to a small number of applications. In this paper, we discuss the rationale behind the 2FA deployment, as well as the technical setup of 2FA in the CERN Single Sign-On system, Keycloak. The paper gives a detailed overview of the architecture of this new 2FA flow and compares it with the legacy 2FA system that had been in place since 2019. We share statistics on how users are responding to this change in the login flow, and describe the actions we have taken to improve the user experience. Finally, we briefly describe our custom extensions to Keycloak for specific use cases, which include adding roles to the user token, overriding the default Keycloak session, and modifying the user login flow.