In recent years, as the services available online have grown in number and variety, crimes such as fraud targeting them have become more organized, and the methods used to obtain IDs and passwords illegally have become more sophisticated.
For example, a few years ago most phishing e-mails could be recognized as fake simply by reading the text, but recently phishing e-mails have been sent disguised as replies to e-mails that were actually exchanged. Phishing sites are also built to look exactly like the real site, making them hard to tell apart from the real thing and increasing the risk of accidentally entering your ID and password.
Methods of infecting computers with viruses are also becoming more sophisticated, and the viruses themselves are increasingly designed to achieve their purpose without being detected; rather than merely disrupting business, they now clearly aim at financial gain through fraud and similar schemes.
Services around the world continue to suffer mass leaks of IDs and passwords. If you use the same ID (e-mail address) and password pair that was leaked from one service on another service (so-called "password reuse"), the risk of unauthorized login is very high.
In this way, the risk of ID and password leakage is increasing year by year.
Turning to the university's IT services, the integrated authentication platform was launched in 2006, and as of 2020 it is linked to more than 150 campus systems, each of which accumulates ever more important information. While it is convenient to access a wide range of services and important information with a single ID and password, the damage if that ID and password are leaked is extremely large.
Since the risk of password leakage is increasing and the impact of an unauthorized login is growing, a safer and more reliable authentication method is needed as a countermeasure.
This is a one-time password sent to you by e-mail. It is an 8-digit number and can be used only once, within 24 hours.
When you request a one-time password by e-mail on the login screen, it is sent to the e-mail address you registered in advance.
If you request a one-time password repeatedly on the login screen, you receive a one-time password with a different number each time. Only the most recent one-time password is valid. Note that if you make several requests in a short period, you may not be able to tell which one is the latest.
It may be convenient to specify as the destination a mobile-phone carrier e-mail address that is delivered by push notification (check the carrier's reception restriction settings).
Take care when choosing the e-mail address to which the one-time password is sent: if you specify an address on a system that itself requires multi-factor authentication for all faculty and staff accounts, you will be unable to log in to read the e-mail containing the one-time password. (Student e-mail (KUMOI), faculty and staff e-mail (KUMail), and @ms.c.kyoto-u.ac.jp addresses cannot be specified.)
To prevent unauthorized access to the mail server where the one-time password is received, take security measures such as proper password management.
In multi-factor authentication using TOTP, the second factor is a six-digit number that changes every 30 seconds; you enter the number displayed by the TOTP display app that you set up during initial setup.
TOTP display apps include browser plug-ins and smartphone apps; Google Authenticator and many others are offered free of charge.
Because the six-digit number must differ for each user, each user must perform the initial setup of the TOTP display app.
The QR code shown during initial setup encodes a "secret seed" that differs for each user. The TOTP display app calculates the six-digit number from the current time and this "secret seed".
The authentication server and the TOTP display app share the "secret seed" from which the TOTP is calculated. Because both calculate from the same "secret seed" at the same time, they obtain the same number, and you are authenticated when they match.
Note that if you redo the initial setup, the "secret seed" is replaced, so the numbers displayed by a TOTP display app set up with the previous seed can no longer be used.
You can set up additional TOTP display apps by copying the same "secret seed" into them. Copy it to whichever devices you need.
Therefore, when you are asked for the second factor in multi-factor authentication, you can obtain the six-digit TOTP from any one of the TOTP display apps you have set up.
When you log in from a browser, the plug-in does not need to be installed in that same browser (a plug-in in a different browser can also be used).
The TOTP display app only performs a calculation, so no communication takes place.
Be careful not to share a valid "secret seed" or a calculated six-digit number with others.
Be careful not to lose a device on which the TOTP display app is set up, or have it stolen. Take precautions such as setting a screen lock. In the event of loss or theft, promptly reset the initial TOTP setup so that the old setup is disabled.
FIDO stands for Fast IDentity Online and is a standard designed to handle biometric authentication, such as fingerprint and face recognition, in a unified way. Passkeys are a mechanism that deploys FIDO's authentication technology in a form that is easy for users to use.
The biometric information used for fingerprint and face recognition is stored only on the smartphone or other device that supports FIDO and passkeys, so the biometric information itself never has to be shared with the authentication server.
For the multi-factor authentication introduced at Kyoto University, any authenticator (device) that supports the FIDO2/WebAuthn standard can be used.
During initial setup of multi-factor authentication, you can register multiple FIDO authenticators. If you try to register an authenticator that is already registered, a message tells you that it has already been registered.
If you select FIDO authentication as the second factor, you can log in by authenticating with any one of the registered FIDO authenticators.
You can delete FIDO authenticator registrations individually.
Be careful not to lose your FIDO authenticator or have it stolen. For example, if you register a YubiKey as an authenticator, it does not use fingerprint authentication (you only tap it), so anyone holding it can easily use it in your place. In the event of loss or theft, delete the registration of that FIDO authenticator and redo the initial setup.
Since many different authenticators are sold as FIDO2/WebAuthn compatible, not all of them have been confirmed to work. Some may have defects, so please try them on the understanding that they may not be usable. The Information Environment Organization would like to provide as much information as possible, but under these circumstances we will not be able to respond to inquiries about FIDO and passkeys for the time being.
The "multi-factor authentication" introduced at Kyoto University this time is "two-factor authentication", which combines two factors. Enter your usual ID and password as the first factor, and a one-time password as the second factor.
This is a one-time password sent to you by e-mail. It is an 8-digit number and can be used only once, within 24 hours. It is sent to the e-mail address registered in advance in order to confirm the user's identity. For this reason, the e-mail address registered in advance must be readable only by the account holder. If more than one unused one-time password exists within the validity period, only the most recent one is valid.
For two-factor authentication of Kyoto University-wide accounts, we recommend setting up this "e-mail OTP" first, so that you can recover on your own if you replace the device used for another method such as TOTP.
The second factor is a one-time password called "TOTP" (Time-based One-time Password), a six-digit number that changes every 30 seconds. This six-digit number differs from user to user.
To obtain a TOTP, use the TOTP display app that was set up for you during initial setup. The following TOTP display apps are available free of charge. Strictly speaking, they are "calculators" that compute the TOTP from the time and a "seed" that differs for each user, so no communication takes place after the app is downloaded and the initial setup is complete.
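The e-mail OTP rules described above (8 digits, usable once, valid for 24 hours, and only the most recent code valid) can be expressed as a small server-side service. The following is an added example, not the university's code; the 5-attempt limit and the caller-supplied mail-sending function are assumptions, and the addresses used are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass

VALIDITY_SECONDS = 24 * 60 * 60   # page: usable within 24 hours
DIGITS = 8                        # page: 8-digit number
MAX_ATTEMPTS = 5                  # assumption: not stated on the page, limits guessing


@dataclass
class IssuedOtp:
    code: str
    issued_at: int
    attempts: int = 0


class EmailOtpService:
    """Issues one e-mail OTP per user. Issuing a new one replaces the old one,
    so only the most recent code is valid, and a code is consumed on first use."""

    def __init__(self, send_mail):
        # send_mail(address, body) is supplied by the caller (assumption)
        self.send_mail = send_mail
        self.pending = {}   # user_id -> IssuedOtp

    def request(self, user_id: str, registered_address: str, now: int) -> None:
        # secrets.randbelow is a CSPRNG; zfill keeps leading zeros in the 8 digits
        code = str(secrets.randbelow(10 ** DIGITS)).zfill(DIGITS)
        self.pending[user_id] = IssuedOtp(code, now)   # overwrites any earlier code
        self.send_mail(registered_address, f"Your one-time password is {code}")

    def verify(self, user_id: str, submitted: str, now: int) -> bool:
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if now - entry.issued_at > VALIDITY_SECONDS:
            del self.pending[user_id]       # expired after 24 hours
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[user_id]       # too many wrong guesses: force a new request
            return False
        if hmac.compare_digest(entry.code, submitted):
            del self.pending[user_id]       # single use
            return True
        return False


if __name__ == "__main__":
    outbox = []   # constructed stand-in for a mail server
    svc = EmailOtpService(lambda addr, body: outbox.append((addr, body)))
    svc.request("user1", "user1@example.invalid", now=1000)
    code = outbox[-1][1].split()[-1]
    print("accepted:", svc.verify("user1", code, now=1500))
    print("replay accepted:", svc.verify("user1", code, now=1600))
```

Because `request` overwrites the pending entry, the second of two requests made in quick succession silently invalidates the first, which is exactly why the page warns that you may not know which e-mail is the latest.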
App version for smartphones (Android, iPhone)
Plug-in version to be embedded in web browsers (Chrome, Firefox, Edge (Chromium version))
For two-factor authentication for Kyoto University-wide accounts, we recommend using TOTP as a standard method.
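The TOTP calculation described in the sections above (same seed plus same time gives the same number, no communication needed, re-seeding invalidates old apps) is RFC 6238, and the whole thing fits in a few lines of standard-library Python. The following is an added example, not the university's or any app's code; the server-side verifier with its one-step clock-skew window and replay check is a typical design and an assumption here. The seed used in the comments is the RFC 6238 test seed, not a real user's.

```python
import base64
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter (unix_time // 30), dynamically
    truncated to a decimal code. This is the whole 'calculation' the display
    app performs, which is why it needs no network access."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def seed_from_base32(text: str) -> bytes:
    """The seed inside an otpauth:// QR code is Base32; decode it to raw bytes."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server side: holds the user's seed, tolerates one step of clock skew in
    either direction, and never accepts the same time step twice (replay)."""

    def __init__(self, seed: bytes, step: int = 30, skew_steps: int = 1):
        self.seed = seed
        self.step = step
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            candidate = counter + delta
            if candidate <= self.last_accepted_counter:
                continue   # already used, or older than something already used
            expected = totp(self.seed, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False

    def reseed(self, new_seed: bytes) -> None:
        """Redoing initial setup: every app still holding the old seed stops working."""
        self.seed = new_seed
        self.last_accepted_counter = -1


if __name__ == "__main__":
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test seed
    now = 1111111109
    print("app shows:", totp(seed, now))
    v = TotpVerifier(seed)
    print("server accepts:", v.verify(totp(seed, now), now))
    print("replay accepted:", v.verify(totp(seed, now), now))
```

A second device given the same Base32 seed computes byte-for-byte the same code, which is what "copy the secret seed to another TOTP display app" amounts to; conversely, `reseed` shows why a re-done initial setup leaves the old app displaying numbers the server will never accept.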
In addition to the above, the following methods are also supported:
FIDO/Passkey
Once you have set up each of them, you can choose any one of them as the second factor when logging in. FIDO/Passkey lets you register multiple devices, so you need not worry about being unable to log in because you left your smartphone or computer at home or it has broken down.
As a general rule, a second factor is required regardless of whether you access from on or off campus.
Switching every service to multi-factor authentication at once could cause significant confusion, so the switch is being made in stages. As a result, whether a second factor is required currently differs from service to service.
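The FIDO/Passkey behaviour described in the FIDO section and summarized above (several authenticators per account, "already registered" on a repeat registration, individual deletion, and a lost key being unusable once its registration is deleted) corresponds to the relying party's credential registry and the checks it runs on the authenticatorData of a WebAuthn assertion. The following is an added example, not the university's code: the relying-party ID, credential IDs and public-key bytes are constructed placeholders, and verifying the assertion signature against the stored public key is a separate step assumed to be done with a WebAuthn library and not shown here.

```python
import hashlib
import hmac
import struct

RP_ID = "auth.example.invalid"   # assumption: placeholder relying-party ID, not the university's

FLAG_UP = 0x01   # user present: the key was tapped
FLAG_UV = 0x04   # user verified: PIN or biometric checked on the device itself


class FidoRegistry:
    """One user's registered authenticators, keyed by credential ID."""

    def __init__(self):
        self.credentials = {}   # credential_id -> {"public_key": bytes, "sign_count": int}

    def register(self, credential_id: bytes, public_key: bytes) -> str:
        if credential_id in self.credentials:
            return "already registered"
        self.credentials[credential_id] = {"public_key": public_key, "sign_count": 0}
        return "registered"

    def delete(self, credential_id: bytes) -> bool:
        """Individual deletion; a lost or stolen authenticator is useless afterwards."""
        return self.credentials.pop(credential_id, None) is not None

    def check_assertion(self, credential_id: bytes, authenticator_data: bytes,
                        require_uv: bool) -> bool:
        """Checks the authenticatorData of an assertion: RP ID hash, flags and
        signature counter. Signature verification with cred['public_key'] is a
        separate step (assumed library call, not shown)."""
        cred = self.credentials.get(credential_id)
        if cred is None or len(authenticator_data) < 37:
            return False
        rp_id_hash = authenticator_data[:32]
        flags = authenticator_data[32]
        sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
        expected_hash = hashlib.sha256(RP_ID.encode()).digest()
        if not hmac.compare_digest(rp_id_hash, expected_hash):
            return False   # assertion was made for another site: this is the phishing resistance
        if not flags & FLAG_UP:
            return False   # nobody touched the authenticator
        if require_uv and not flags & FLAG_UV:
            return False   # a tap-only key (no PIN/biometric) when user verification is demanded
        if sign_count != 0 and sign_count <= cred["sign_count"]:
            return False   # counter did not advance: possible cloned authenticator
        cred["sign_count"] = sign_count
        return True


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Builds a minimal authenticatorData the way an authenticator would (demo helper)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    reg = FidoRegistry()
    print(reg.register(b"yubikey-1", b"constructed-public-key-1"))
    print(reg.register(b"yubikey-1", b"constructed-public-key-1"))
    print(reg.check_assertion(b"yubikey-1", make_authenticator_data(RP_ID, FLAG_UP, 1), False))
```

The `require_uv` parameter is where the page's YubiKey remark lands: a tap-only key sets UP but not UV, so a deployment that insists on user verification rejects it, while one that accepts presence alone relies on the holder being the owner.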
When logging in with multi-factor authentication, you can skip entering the second factor for 7 days by checking "Trust this browser" (this period is subject to change). The first factor, password authentication, is not omitted.
Since authentication is done on a browser-by-browser basis, a second factor is required for different types of browsers even on the same terminal.
For browsers that may be used by others, such as shared terminals, do not check "Trust this browser".
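The "Trust this browser" option described above is commonly implemented as a signed cookie that only the browser which ticked the box holds, which is why another browser on the same machine still asks for the second factor and why it must not be used on a shared terminal. The following is an added example of that design, not the university's implementation; the HMAC-signed token format, the in-memory revocation set and the server key generated at startup are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TRUST_DAYS = 7                         # page: 7 days (subject to change)
SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret, generated here for the demo
REVOKED = set()                        # assumption: nonces of tokens the user has revoked


def issue_trust_cookie(user_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Creates an HMAC-signed 'trusted browser' token for this account. The browser
    keeps it as a cookie; other browsers on the same device never receive it."""
    payload = {"u": user_id, "exp": now + TRUST_DAYS * 86400, "n": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def _decode(cookie: Optional[str], key: bytes) -> Optional[dict]:
    """Returns the payload only if the signature is valid; None otherwise."""
    if not cookie or "." not in cookie:
        return None
    body, sig = cookie.rsplit(".", 1)
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None   # tampered or forged
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, TypeError):
        return None


def revoke_trust_cookie(cookie: str, key: bytes = SERVER_KEY) -> bool:
    """What a user would do after ticking the box on a shared terminal by mistake."""
    payload = _decode(cookie, key)
    if payload is None:
        return False
    REVOKED.add(payload.get("n"))
    return True


def second_factor_required(cookie: Optional[str], user_id: str, now: int,
                           key: bytes = SERVER_KEY) -> bool:
    """True when the second factor must still be entered. The password (first
    factor) is always required regardless of this cookie."""
    payload = _decode(cookie, key)
    if payload is None:
        return True
    if payload.get("u") != user_id:
        return True   # issued for a different account
    if now > payload.get("exp", 0):
        return True   # the 7 days are over
    if payload.get("n") in REVOKED:
        return True
    return False


if __name__ == "__main__":
    cookie = issue_trust_cookie("user1", now=1_700_000_000)
    print("same browser, next day:", second_factor_required(cookie, "user1", 1_700_000_000 + 86400))
    print("no cookie (other browser):", second_factor_required(None, "user1", 1_700_000_000 + 86400))
```

The cookie proves only that this browser completed a second factor recently; it carries nothing that replaces the password, so the first factor is still checked on every login, as the page states.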
For details of the initial setup and how to use each method, refer to the manual listed under "(1) Initial Setup".
If you are unable to log in because you cannot enter the second factor, contact the Information Environment Organization's Support Center, which will handle such cases.