Two-factor Authentication on POD


Two-factor authentication provides an additional layer of security that helps protect you and your data by requiring a second authentication factor when logging in. 

On POD, like many websites and apps, your password is the first authentication factor. The second factor is a one-time code you enter. The implementation used here is called OTP, specifically time-based OTP, or TOTP. Read more about TOTP here. The code is generated by an app on your mobile device. We suggest using Google Authenticator. This implementation is used by many common services like Gmail, Twitter, Instagram, GitHub, etc.

Enabling Two-factor Authentication

To enable two-factor authentication for your account, log in to the portal and proceed to your account settings page. The link to your account settings lives in the menu in the upper right corner of the navigation bar; click on your username to access the menu. From the account settings page, click on the "Enable Two-factor Authentication" button to begin the setup. The next page explains the process and provides the code that you will scan with your mobile device. Make sure you have Google Authenticator installed on your iOS or Android device. You can cancel the setup at any time up to this point, but once you click the "Confirm" button, your account will be fully protected.

Once 2FA is enabled, you'll be required to enter a code as the second auth factor when logging into the POD portal and to login nodes via SSH. Note that Scyld Cloud Workstation instances do not currently support two-factor authentication but will in the near future (Q2 2018).

Setting an Authentication Policy

Account owners have the option to set two-factor authentication requirements for their entire account or on a per-user basis. Managed users cannot override these settings. By setting the requirement on the entire account, all users and all future users (via invitation) will be required to use two-factor authentication.

SSH Configurations

2FA users must set up their local (client-side) SSH config to allow both publickey and keyboard-interactive authentication.

Your primary authentication will be your configured SSH key, and the keyboard-interactive session allows you to type in your 2FA verification code. 2FA-enabled users with incompatible local SSH configs will not see a prompt for “Verification Code” and their login will fail. If you are affected, this stanza in your local (client-side) SSH config will fix the issue:

Host 192.41.74.? 192.41.29.?
    PreferredAuthentications publickey,keyboard-interactive

Accounts without 2FA enabled will see this message when SSHing into their login node: "Authenticated with partial success." This message can be safely ignored.
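
The following added example (not part of the POD documentation or tooling) checks a client SSH config for the failure described above, where keyboard-interactive is not offered and the "Verification Code" prompt never appears. It assumes OpenSSH's rule that the first value obtained for an option wins and that `?` in a Host pattern matches exactly one character, skips Match and Include, and uses constructed addresses and hypothetical function names.

```python
import fnmatch
import re

REQUIRED = {"publickey", "keyboard-interactive"}

def host_matches(patterns, host):
    """Host line semantics: a negated (!) match vetoes, else any match wins."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def preferred_auth(config_text, host):
    """Return the PreferredAuthentications list applying to host, or None.
    ssh keeps the first value it obtains for an option, so the first matching
    line wins. Match blocks and Include files are skipped (simplification)."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.split(), host)
        elif key == "match":
            active = False
        elif key == "preferredauthentications" and active:
            return [m for m in value.split(",") if m]
    return None

def will_prompt_for_code(config_text, host):
    methods = preferred_auth(config_text, host)
    # Assumption: with no override, OpenSSH's default list offers both methods.
    return methods is None or REQUIRED.issubset(methods)

# Constructed sample configs; the Host patterns are the ones from the page.
STANZA = "Host 192.41.74.? 192.41.29.?\n    PreferredAuthentications publickey,keyboard-interactive\n"
KEY_ONLY = "Host *\n    PreferredAuthentications publickey\n"

if __name__ == "__main__":
    for name, cfg in [("key only", KEY_ONLY), ("stanza first", STANZA + KEY_ONLY),
                      ("stanza last", KEY_ONLY + STANZA)]:
        for host in ("192.41.74.5", "192.41.74.55"):  # constructed addresses
            print(f"{name:12} {host:13} prompt={will_prompt_for_code(cfg, host)}")
```

The "stanza last" case shows why the stanza has to appear above any broader `Host *` block that also sets PreferredAuthentications. On a real client, `ssh -G <host>` prints the options OpenSSH resolved for that host.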

Help and Recovery

If you lose access to your mobile device (or otherwise lose the POD account data in Google Authenticator), the account owner will need to contact support. POD administrators will confirm the account owner's identity, and once confirmed, they will reset the secret on your account. On your next login, you will be asked to scan a new code with Google Authenticator (to exchange the secret) and you can proceed.