
Multifactor Authentication With edu-ID

You can now enable and configure two-factor authentication for your SWITCH edu-ID account.

Central IT services is progressively activating multifactor authentication (or MFA, strong authentication, or two-factor authentication) for various services to increase the security level of our applications (more info on our blog, in French). In addition to your password, you will be asked for either:

  • A one-time code generated in an application designed for this purpose, called TOTP (such as Google Authenticator),

  • To validate an authentication request without a password using Passkey technology

  • (or received via SMS, but this is not recommended for reliability reasons).

The edu-ID identity includes the use of multifactor authentication, and its activation is easy. To read the official SWITCH documentation on MFA and edu-ID, visit the following page: https://help.switch.ch/fr/eduid/docs/services/login/two-step-login/

Activation

(adapted from the official SWITCH documentation)

To enable two-step login, go to your SWITCH edu-ID account at https://eduid.ch and click on the Security tab, and then click the On button next to Multifactor Authentication,

MFA_en1.png

or go directly to the two-step login settings (https://eduid.ch/mfa/initial).

Next, activate one of the two-step authentication methods. We recommend using a mobile authenticator app to obtain your codes.

MFA_en2.png

Authenticator app

You will first be asked for a mobile phone number in case you need to recover your account:

MFA_en3.png

Next, you need to register your secret key, which will be used to generate the codes:

MFA_en4.png

The following mobile apps, among others, work: Twilio Authy, FreeOTP, Google Authenticator, Microsoft Authenticator, BitWarden Authenticator, and OTP Auth. (Other applications that support the TOTP standard can also be used.) More information on iBarry.ch. The 2FAS browser extension can be used without a mobile phone.

More and more password managers offer the ability to manage both your passwords and the second factor within a single app, such as macOS Keychain (latest version) or BitWarden (premium version). This also has the advantage of being synchronized across different devices.

Don't forget to take note of your recovery code and save it.

MFA_en5.png

Passkey

A new authentication technology called Passkey can be configured. This enables you to login securely and without a password. You can find more information here: https://help.switch.ch/eduid/docs/services/login/auth/passkey/

SMS

The other option, which we do not recommend for reasons of reliability and will be gradually retired, is to use SMS. A code will be sent to you for each connection requiring a 2nd factor.

If you use a non-Swiss phone number, please be aware that certain countries and operators may limit the delivery of SMS messages, or charge for them. In this case, we recommend you use an authenticator app rather than the SMS option.


It is possible to enable more than one login method and multiple Passkeys.

Depending on your settings, two-step login is only used for those services that require it (On request) or for all services each time (Always).

ondemand_en.png

To disable two-step authentication, go back to the Security tab and click the Off button next to the Multifactor Authentication option (https://eduid.ch/account/security).

MFA_off_en.png

Please note that this may mean that you need to reinitialise or reverify the verification code if you reactivate a certain method later on.

Most of the authenticator apps mentioned above work with multiple account providers too, such as Google, Facebook, etc.

Login

When you log in to a page requiring a second factor, after entering your email address, depending on your MFA configuration, you will need to either enter a password or proceed via a Passkey:

Login_en1.png

TOTP

If you choose the password, enter it:

Login_en2_pass.png

Then enter the TOTP code generated in the app you previously configured. Depending on what you have configured, this page enables you to choose between an app-generated code (for example in Google Authenticator) or an SMS. If available, the "don't ask again for one week" option means you will not be prompted for the second factor for seven days when using the current browser.

Login_en3_pass.png

Login to the Ivanti Secure Access VPN

Starting from the 11th of July 2022, each time you connect to our VPN, you will be prompted with the familiar edu-ID login page, requiring you to enter your email address and edu-ID password:

crypto1_en.png

Next, you will be asked to choose between access via password and TOTP code or Passkey, depending on what you have configured:

crypto2_en.png

If you have not yet enabled your second factor, the process will guide you in configuring it. By clicking on continue, you will be taken to the Security page where you can configure Multifactor Authentication (https://eduid.ch/account/security) for your edu-ID account:

crypto5_en_setup.png

If you choose password and TOTP, they will now be requested. If you have opted for the app for your second factor, launch it, and copy the displayed code:

crypto3_en.png

crypto4_en.png

If you chose SMS code, check your mobile phone and enter the received code:

image-1655904720733.png

The process will then end and you will be connected to the VPN!

When logging into the VPN using edu-ID, the authentication process uses an embedded browser, to be sure the browser is not insecure or compromised. This means that you won't be able to save your edu-ID password. We recommend using a password management tool and copy/pasting your email address and edu-ID password, or connecting via https://crypto.unil.ch

Passkey

Passkey, or access key, is a new emerging standard, supported by major internet players, and is expected to be THE secure authentication solution in the future. Edu-ID is now Passkey compatible. Once configured, it allows for "passwordless" authentication, without needing to enter your password. You can find an interesting article on Passkeys here: https://www.ibarry.ch/en/safe-devices/passkeys/

The technology is still new, and there are multiple ways to configure Passkeys. Not all OS, apps, or devices are compatible. You can find more information in the Switch FAQ.

It is configured per device! So, you will need to configure a Passkey for your laptop, one for your mobile phone, etc. Alternatively, you can use a password manager, such as BitWarden, and then the Passkey can be used on multiple devices.

Please report any problems or incompatibility encountered during Passkey configuration or use to the helpdesk.

Questions / Problems

Connecting to Ivanti Secure Access

It can happen that after enabling two-factor authentication, the connection to Ivanti Secure Access no longer works. The solution is to uninstall it and then reinstall it (following our documentation (in French)).

You will find the answers to multiple questions concerning multi-factor authentication on the official SWITCH edu-ID website: https://eduid.ch/help?lang=en#two-step-login-accordion