MAX IV is committed to using Multi Factor Authentication for all external access to anything that is more than purely informational.
Raising the bar
Multi Factor Authentication adds another piece to the authentication process, one that does not depend on knowing the username and password. Those are often the pieces that a bad actor has managed to obtain via some other source. Using a one-time password is one commonly used technology to achieve 2-factor authentication.
All external access to MAX IV resources requires two-factor authentication via Time-Based One-time Password (TOTP). The one-time password can be distributed via email or SMS, or be generated by an application on your mobile phone. Both email and SMS methods have inherent weaknesses and will only be used for the initial setup and registration of a TOTP application. SMS has previously been used extensively at MAX IV, but is being phased out in favor of using a TOTP application for generating the token. After January 15, 2024, SMS will no longer be used for sending out OTP codes.
Activating a TOTP application
Using a mobile application to generate the Time-based One-Time Password (TOTP) has many advantages over receiving an SMS message, from both a security and a practical point of view. There are many OTP applications in the respective mobile phone app stores. Some are also available for desktop use. Pick the one that works best for you. Some examples: Pocket Pass, Authy by Twilio, Google Authenticator, Microsoft Authenticator and many more.
If you would rather use a desktop application, that will work too. There are dedicated OTP applications for all operating systems, and most password managers have a feature for OTP generation as well. Just copy and paste the URL for the QR code (see next paragraph) to activate the application.
You activate the application for authentication at MAX IV at this URL: MAX IV – TOTP Registration
It is a straightforward 3-step process; just follow the instructions on the web page.
- Install the application
- Scan the QR-code
- Confirm by typing in a generated code
Many fail to complete this last step. The page must show the text in green: “Security code successfully verified”.