Multifactor Authentication at TACC

TACC is now implementing Multi-Factor Authentication (MFA) as an additional security measure when accessing resources. MFA will become mandatory on September 27, 2016 and will be required to access all TACC resources. To set up MFA pairing at TACC, proceed directly to the TACC pairing page.

What is Multi-Factor Authentication?

Authentication is the process of determining if you are you. Traditional methods of associating a user account with a single password have not been 100% successful. Multi-Factor Authentication (MFA) requires another step, or "factor", in the authentication process. In addition to the usual password, users must complete authentication using another device unique to them, usually the user's mobile phone/device. TACC offers another device, the TACC Hard Token, as another authentication factor.

1. Manage Profile

To pair a new device, sign in to the TACC User Portal and click on the "Manage Profile" link in the right corner. Users who've not set up MFA before will see a message similar to Figure 1.
Figure 1.
Profile with no MFA enabled

Click "Pair a Device" to get to the TACC device pairing page. Here you'll be presented with three different pairing methods. Users may authenticate with one and only one method. It's easy to pair and unpair using either of the first two methods.

Figure 2.
Select Pairing Method

2. Select Pairing Method

TACC offers three methods of authentication (pairing). Pairing methods are mutually exclusive. Select one of the following pairing methods:

  • TACC Token app

    Users with Apple iOS and Android devices may set up device pairing using the TACC Token app, available for both Android and iPhone devices.

  • SMS (text) messaging

    Users without (and with) smartphone devices may enable multi-factor authentication with SMS, standard text messaging.

  • TACC Hard token

    A TACC Hard Token is a physical device, similar to a fob (see Figure 7). This device is another unique-to-the-user device that serves as another pairing method.

TACC Token app

Follow the three steps below to pair your smartphone with the TACC Token App.

  1. Download and install the TACC Token App on your iPhone or Android device.
Figure 3.
TACC Token app

  2. Press the "Use the TACC Token App to pair" button on the portal (Figure 2 above). A personalized QR code will be generated on your computer screen, as in Figure 4 below.

Figure 4.
Scan the generated QR code on your screen

  3. Open the TACC Token App on your device. Your smartphone screen should appear similar to Figure 5a. Tap the "+" in the lower right corner of the app to start the pairing process. The app will launch the smartphone's camera. Scan the generated QR code on your computer screen. Do not scan the image on this tutorial's page.

Figure 5a.
Figure 5b.
TACC Token App
generating token code

SMS Messaging

TACC users who do not (or do) have smartphone devices may set up multi-factor authentication using standard SMS messaging.

When logging into a TACC resource you'll be prompted for your standard password, and then prompted for a "TACC Token Code". At this point a text message will be sent to your phone with a unique six-digit code. Enter this code at the prompt.

This token code is valid for this login session only and cannot be re-used. Please note that it may take up to 60 seconds for the text to reach you. We advise you to clear out your text messages in order to avoid confusion during future logins.

 
Figure 6a.
SMS pairing code
Figure 6b.
Pairing with SMS

TACC Hard Token

Users have the third choice of pairing using the TACC Hard Token, a fob-sized device that generates random numbers. The TACC Hard Tokens are available for purchase for $25 at the UT store. Users who do not have a UT EID may "checkout as guest". TACC will cover the cost of shipping the token to the user's specified address.

Figure 7.
TACC Hard Token (front and back)

Once you've received the TACC Hard Token, enter the token's serial number (on the back of the fob) on the portal pairing page, click "next", and then enter the current 6-digit rolling token code shown on your screen.

International Users

Users located outside the U.S. must pair using either the TACC Token App or TACC Hard Token methods. Because the cost associated with sending multiple international text messages is prohibitive, international users may NOT set up multi-factor authentication with SMS.

Travelers who may experience intermittent wifi or internet access should also pair using either the TACC Token App or TACC Hard Token methods.

Logging into TACC resources with MFA enabled

A typical login session will look something like this:

localhost$ ssh -l username stampede.tacc.utexas.edu
Password: 
SMS Submitted
TACC Token Code:
Last login: Tue Aug 16 09:41:46 2016 from 70.114.204.80
------------------------------------------------------------------------------
                    Welcome to the Stampede Supercomputer
       Texas Advanced Computing Center, The University of Texas at Austin
------------------------------------------------------------------------------
 ...
login3.stampede(1)$

After typing in your password, you'll be prompted for "TACC Token Code:". At this point, turn to your device/phone.

  • If you've paired with SMS, you'll receive a text message containing a six-digit verification code (Figure 8a). Enter this code at the "TACC Token Code:" prompt. Please note that it may take up to 60 seconds for the text containing the token code to reach you. Each token code is valid for one login only and cannot be re-used.

  • If you've paired with the TACC Token App, open the app and enter the six-digit number currently being displayed. If you mis-type the number, just wait till the app cycles (every 30-60 seconds) and try again with the next number (Figure 8b).

Figure 8a.
SMS token code
Figure 8b.
TACC Token App token code

Unpairing your Device

Users who have paired using either of the first two methods, TACC Token App or SMS, may unpair using an automated process. Users who have paired with the TACC Hard Token cannot unpair without staff help. These users must submit a support ticket to unpair with the hard token.

Otherwise, to unpair your device, sign into the TACC User Portal and click on "Manage Profile". Depending upon the method of pairing you'll see a message similar to Figure 9. Click on the red subtract symbol to begin the unpairing process.

Figure 9.
Profile configured with SMS pairing

On the next screen (Figure 10) you'll be asked to confirm the unpairing. Similar to the pairing process, you must verify unpairing by entering the token code when prompted. If you've lost access to the device you originally paired with, you may unpair using email notification.

Figure 10.
Unpairing TACC Token App or SMS pairings

Last update: December 12, 2016