{"id":138128,"date":"2021-12-10T13:41:51","date_gmt":"2021-12-10T18:41:51","guid":{"rendered":"http:\/\/www.bu.edu\/tech\/?page_id=138128"},"modified":"2023-05-03T16:35:43","modified_gmt":"2023-05-03T20:35:43","slug":"two-factor","status":"publish","type":"page","link":"https:\/\/www.bu.edu\/tech\/support\/research\/system-usage\/connect-scc\/access-and-security\/two-factor\/","title":{"rendered":"SCC Two-factor Authentication with Duo Security"},"content":{"rendered":"

As of March 15, 2021, users of the Shared Computing Cluster (SCC) who connect to the systems need to use Duo two-factor authentication in order to connect to any SCC system, including scc-lite.bu.edu. This includes OnDemand<\/a><\/b>, MobaXTerm, the Mac Terminal application, WinSCP, Filezilla, Fetch, Putty, and other Windows\/Mac\/Linux SSH and file transfer applications.<\/p>\n

Referred to as two-step or two-factor authentication, this process, which uses Duo Security<\/a>, asks individuals logging in to confirm their identity using a smartphone, via text, or via automated voice calls.<\/p>\n

Information on utilizing Duo Security in general is available<\/a> and those who need to use Duo should consult those pages for how to enroll a device such as your smartphone and other questions. Note that on OnDemand uses a web-browser based login, so for the other applications listed above the process is a bit different from the usual use of Duo Security on BU web pages.<\/p>\n

If you have any questions about SCC-specific troubles using Duo, please send email to help@scc.bu.edu<\/a>. For the specific issues listed below that give a different contact address, please use that contact information to get a quicker response.<\/p>\n

Who needs to use Duo two-factor authentication?<\/h2>\n

Who needs to use Duo two-factor authentication?<\/h3>
As of March 15, 2021, all SCC users, including Linux Virtual Lab\/scc-lite users, need to use Duo two-factor authentication in order to connect to any SCC system (scc1, scc2, geo, scc4, and scc-lite). SCC OnDemand users were required to use Duo before that date.
\n<\/div>\n<\/div>\n\n

How do I get Duo and use it on the SCC?<\/h2>\n

How do I get started using Duo?<\/h3>
Duo is the same technology used to authenticate for the Student Link, Faculty Link, and BUworks so almost all BU people should already have used it. If you do have it, then accessing the SCC using Duo two-factor authentication should be fairly familiar and straightforward. If you have never used Duo (mostly external collaborators using the SCC), you should go to SCC OnDemand<\/a> and, once you have authenticated with your BU login and Kerberos password, you should be given the option to enroll in Duo (see example image<\/a>). You can also consult this page<\/a> which has instruction on enrolling devices such as smartphones, landlines, and tablets into Duo to allow you to use them for authentication but use SCC OnDemand<\/a> as your way to test it since you may very well not have access to BUworks and some of the other example services; Duo is available for ALL<\/strong> SCC users. See the other questions on this page about the specifics of connecting to the SCC using Duo two-factor authentication.
\n<\/div>\n<\/div>\n\n

How does Duo use affect how I log in to the SCC?<\/h3>
You are required to use Duo as a second method of authentication when logging into any SCC machine. Individuals are asked to confirm their identity using a smartphone app, via text message to a device, or via automated calls to a mobile or landline phone.<\/p>\n

The screenshot below shows the process of logging in to scc3\/geo using Duo with MobaXTerm for Windows. After you enter your BU Kerberos password, you will be prompted by Duo to use one of the authentication methods that you have previously set up. Only after having done that second authentication will you be logged in to the SCC.
\n\"Screenshot<\/p>\n

<\/div>\n<\/div>\n\n

SCC specific questions about Duo two-factor authentication<\/h2>\n

Do I have to use Duo every time I log in to the SCC?<\/h3>
The first time you connect to any SCC login node (scc1, scc2, geo, scc4, or scc-lite) using an SSH client or a file transfer application, you will be required to use Duo two-factor authentication. Once you have done that, if you initiate further connections from the same source computer (with the same IP address) to the same SCC login node, you will not need to use the second Duo factor for 30 days. This is true even for different programs, so if you connect to scc1.bu.edu<\/code> using an SSH client and authenticate with both your password and Duo you will then, for 30 days, be able to connect to scc1.bu.edu<\/code> using a file transfer application and only need to supply your password.<\/p>\n

As stated above, the IP address must remain the same. If you were working on your laptop using wireless at home and then switch to using the BU wireless, for example, you will need to authenticate again with Duo two-factor authentication.
\n<\/div>\n<\/div>\n\n

Will I ever be logged out of the SCC as a result of this change?<\/h3>
No, Duo two-factor authentication only ever applies when you log in to the system\/open a file transfer connection. You can stay logged in\/let your file transfer run for as long as you want without an issue.
\n<\/div>\n<\/div>\n\n

What about things I am doing that don't require a password?<\/h3>
If you don’t need a password, you also don’t need Duo two-factor authentication. One example of this is connecting from one SCC node, say scc1.bu.edu<\/code>, to another SCC node, such as scc4.bu.edu<\/code>. However, you may have things set up so that you are being asked for a password but your SSH client or another program is automatically remembering it and supplying it; in these cases, you may still need to use Duo two-factor authentication.
\n<\/div>\n<\/div>\n\n

If I recently authenticated to BUworks using Duo do I have to do so again to the SCC and vice versa?<\/h3>
Yes, although the two systems are using the same technology, the implementations are totally independent. Authenticating to one of them has no effect on the other one.
\n<\/div>\n<\/div>\n\n

Does it matter where and how I am accessing the SCC?<\/h3>
No, Duo should work fine regardless of where you are connecting from and for all SSH clients and file transfer applications. Please let us know<\/a> if it is not working for you, particularly if you are using it from a foreign country or are using a new application to access the SCC. Please provide as much detail as possible on what your situation is.
\n<\/div>\n<\/div>\n\n

Will my SCC account ever be locked as a result of too many failed attempts at authentication?<\/h3>
No, Research Computing Services does not lock SCC accounts based on failed attempts at authentication.
\n<\/div>\n<\/div>\n\n

Specific applications (ssh, file transfer, etc…) questions about Duo two-factor authentication<\/h2>\n

I am using MobaXterm and am having problems with Duo. What should I do?<\/h3>
There are issues with Duo TFA when using the Terminal method of connecting using MobaXterm. We recommend switching to using ‘Sessions’ as described under Connecting to the SCC from Microsoft Windows<\/a>.<\/p>\n

Alternatively, you can continue to use the Terminal method with the following command line argument:<\/p>\n

ssh<\/span> your_login_name<\/span>@scc1.bu.edu -o PasswordAuthentication=no<\/span>\r\n<\/code><\/pre>\n
<\/div>\n<\/div>\n\n
I am using FileZilla and have had issues since the switch to Duo occurred. What should I do?<\/h3>
There are issues with Duo TFA when using the ‘Quickconnect’ method of connecting to the SCC using File Zilla from the opening screen. You should instead create a ‘Site’ by doing the following steps:<\/p>\n
    \n
  1. Open Site Manager with File > Site Manager<\/strong>.
    \n<\/li>\n
  2. Single-click the name of your SCC site on the left. Change the Logon Type<\/strong> to \u201cInteractive.\u201d
    \n<\/li>\n
  3. Click Connect<\/strong>. A box will appear to ask for your password. Enter your BU Kerberos password and click OK<\/strong>.<\/li>\n
  4. A new box will let you choose a way to respond with Duo. This should be familiar to you from other applications. Respond to the challenge and FileZilla will connect.
    \n<\/li>\n
  5. When you connect to the SCC from the same computer in the next 30 days, it will prompt for a password with the same type of box but it should not present a Duo challenge. This only applies if you are connecting from the same machine to the same SCC node and you are using the same IP address.<\/li>\n<\/ol>\n
    <\/div>\n<\/div>\n<\/p>\n
    General Duo questions that also apply to SCC users<\/h2>\n
    If you have issues with Duo that are not SCC-specific, please contact the IT Help Center<\/a> to resolve them.
    \n
    Can I set up Duo on more than one phone?<\/h3>
    Yes, you are very much encouraged to set up Duo on more than one phone in case you forget a phone at home or are not at your office phone. When you are doing your initial setup (or are adding devices later), you may add as many phones as you like (landline and\/or mobile). After that, when you are logging in you can choose which line Duo will send the authentication request to (via smart phone app, SMS text message, or phone call depending on what you chose).
    \n<\/div>\n<\/div>\n<\/p>\n
    What is the Manage Devices button on the Duo support page? Can I use that to add more devices?<\/h3>
    Yes, you can use the Manage Devices<\/strong><\/a> feature to add, remove, or change the devices that Duo can use to verify who you are.
    \n<\/div>\n<\/div>\n\n
    I have a new phone and the Duo app stopped working. What should I do?<\/h3>
    If you get a new phone, even if the Duo app is restored from a cloud backup, it will lose its association with your account. If the phone number of your new phone is the same, you can still authenticate using the phone call or sms option, but the push option will not work until re-activated.<\/p>\n
    You can re-activate your new phone with the Manage Devices<\/strong><\/a> option. First, ensure that you still have access to any of the phone numbers enrolled in Duo. Set the authentication option to Phone Call and then select Manage devices. The phone you chose should ring, and you will need to answer, and hit any key to authenticate. From here, you can select the phone number of your new phone (assuming it\u2019s the same phone number) and under Actions, select Activate Duo Mobile. This will prompt you to scan in a new QR code from the Duo app. If you have difficulties with this process, you can submit a ticket to the IT Help Center<\/a> or call for immediate assistance – 617-353-HELP (4357).
    \n<\/div>\n<\/div>\n\n
    Can I use the Duo app internationally?<\/h3>
    The Duo smart phone app is designed to work internationally. If you install the app, it can generate the required code without need of either a telephone signal or data plan, and it can do this anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as pushing a single button, but if you don\u2019t have one of those two things, you can use the app to generate a six digit code and enter that manually.
    \n<\/div>\n<\/div>\n\n
    What if I forget my phone at home?<\/h3>
    You can contact the IT Help Center<\/a>. They will verify your identity and provide a temporary passcode. We encourage you to then go into Manage Devices<\/strong><\/a> and add an additional phone.
    \n<\/div>\n<\/div>\n\n
    What if I lose my phone?<\/h3>
    Contact the IT Help Center<\/a> immediately and we will lock your Duo account to prevent malicious activity.<\/p>\n
    <\/div>\n<\/div>\n\n
    What if I don\u2019t have a cell phone?<\/h3>
    If you don\u2019t have a cell phone, Duo allows you to use your landline phone. You would receive an automated phone call that requires you to hit any button to confirm your identity.
    \n<\/div>\n<\/div>\n\n
    What if I don\u2019t have a data plan on my phone? What if I don\u2019t have a connection?<\/h3>
    The Duo smart phone app provides options that work without a data plan, a texting plan or even a connection, if necessary. The app can generate the required code without need of either a telephone signal or data plan, and it can do so anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as a pushing a single button, but if you don\u2019t, you can use the app to generate a six digit code and enter that instead.
    \n<\/div>\n<\/div>\n\n
    Do I need a smart phone to use Duo?<\/h3>
    No. Duo provides a great deal of flexibility and you do not need a smart phone to use it.<\/p>\n
    The recommended smart mobile phone option makes two-factor authentication extremely easy, but a lot of other easy options exist as well. Duo can send a text message to a regular cell phone or place a voice call to your office landline phone or cell phone.
    \n<\/div>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"
    As of March 15, 2021, users of the Shared Computing Cluster (SCC) who connect to the systems need to use Duo two-factor authentication in order to connect to any SCC system, including scc-lite.bu.edu. This includes…<\/p>\n","protected":false},"author":1692,"featured_media":0,"parent":137913,"menu_order":1,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/138128"}],"collection":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/users\/1692"}],"replies":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/comments?post=138128"}],"version-history":[{"count":9,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/138128\/revisions"}],"predecessor-version":[{"id":145448,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/138128\/revisions\/145448"}],"up":[{"embeddable":true,"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/pages\/137913"}],"wp:attachment":[{"href":"https:\/\/www.bu.edu\/tech\/wp-json\/wp\/v2\/media?parent=138128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
<\/a>