
Multi-Factor Authentication (MFA) for Cluster Access

To access the Mila cluster, you will need a Mila account. Please contact the Mila systems administrators if you don't have one already. Our IT support service is available here: https://it-support.mila.quebec/

You will also need to complete and return an IT Onboarding Training to get access to the cluster. Please refer to the Mila Intranet for more information: https://sites.google.com/mila.quebec/mila-intranet/it-infrastructure/it-onboarding-training

Important

Your access to the cluster is granted based on your status at Mila (for students, your status is the same as your main supervisor's status) and on the duration of your stay, which is set when your account is created. The following have access to the cluster: Current Students of Core Professors, Core Professors, Staff.

Overview

Multi-Factor Authentication (MFA) adds a critical layer of security to your account beyond just a password or public key. Once configured, accessing the cluster will require two distinct steps:

  1. First Factor: Your Public Key (SSH).

  2. Second Factor: A dynamic verification (TOTP token, Push notification, or Email token).

Supported Authentication Methods

You can choose one of the following methods for your second-factor verification:

1. PrivacyIDEA Mobile App (Push Notification)

  • Action: Approve a login request via a "Push" notification on your smartphone.

  • Requirement: Install the privacyIDEA Authenticator app (available on iOS and Android).

2. TOTP (Time-based One-Time Password)

  • Action: Enter a 6-digit rolling code generated by an app.

  • Compatibility: Works with privacyIDEA, Google Authenticator, Microsoft Authenticator, Cisco Duo or any app supporting the RFC 6238 standard.

3. Email Token

  • Action: Receive a verification token via your registered email.

  • Requirement: Access to your @mila.quebec email address.

4. Hardware Token (Coming Soon)

  • Feature: Support for YubiKey (FIDO2/WebAuthn).

  • Status: This is a planned feature and will be available in a future update.

Initial Registration Process

To configure your MFA factors (TOTP, Push, or Email), you must first access the MFA Web Interface. Follow these steps to register your account:

1. Receive Your Registration Token

Before your first login, you will receive an automated email containing a Registration Token.

  • Purpose: This token grants you initial access to the configuration portal.

  • Expiration: This is a one-time (disposable) code. Once used, it becomes invalid.

2. First-Time Login

  1. Navigate to the MFA Web Interface: https://mfa.mila.quebec


  2. Username: Enter your standard Cluster Username.

  3. Password Field: When prompted for a password, enter the Registration Token you received via email.


  4. Once logged in, you must immediately generate and link your permanent factors (TOTP or Push token).


3. Subsequent Logins

IMPORTANT

Access to the Web Interface is restricted after the first setup: you can no longer use an email token to log into this portal. Access is granted strictly via your TOTP token only.

Warning: Ensure you have successfully scanned your TOTP QR code or enrolled your Push device before logging out of your first session. If you fail to set up a permanent TOTP token during this first visit, you will be locked out and will require a new registration token from IT Support.

Summary Table: Which Token to Use?

Access Type          | First Time (Setup)       | Every Time After
MFA Web Portal       | Email Registration Token | TOTP Token Only
Cluster Access (SSH) | N/A                      | TOTP, Push, or Email

Pro-Tips for Users

  • Registration Timing: Use your registration token as soon as you receive it, as it may have a limited lifespan.

  • Create a Backup: We highly recommend setting up at least two factors (e.g., both a Push notification and a TOTP app) so you have a fallback method if you lose your phone or have no internet access.

  • Update your SSH Config: Consider adding the ControlMaster=auto and ControlPersist=yes options to your SSH configuration entry for the Mila cluster login and compute nodes. This will allow you to go through 2FA only once per machine boot, rather than once per SSH command. Note that these options are supported on Linux and macOS. For Windows users, consider installing WSL.

How it Works: Accessing the Cluster

When you attempt to connect to the cluster via SSH, the authentication flow will proceed as follows:

  1. SSH Key Exchange: Your local machine proves that it holds your private key, and the cluster checks that proof against the Public Key it has stored for you. The private key itself never leaves your machine.

  2. MFA Challenge: Once the key is accepted, the system will prompt you for the second factor.

  3. Validation:

    • If using Push, tap "Approve" on your phone.
    • If using TOTP or Email, type the provided code into your terminal prompt.

Troubleshooting & Support

  • Time Synchronization: TOTP codes are time-sensitive. Ensure your smartphone's clock is set to Automatic; otherwise, the codes will be rejected.

  • Lost Device: If you lose access to your smartphone, please contact the IT support team immediately to reset your MFA tokens.
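
Why a wrong phone clock gets TOTP codes rejected, as an added example (not Mila's or privacyIDEA's code): the RFC 6238 computation plus a server-side check, run against phone clocks that are off by various amounts. The 30-second step, HMAC-SHA1 and the one-step acceptance window are assumptions for this example, not confirmed settings of the Mila server; the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: RFC 6238 default, assumed for this example
DIGITS = 6   # the page describes 6-digit codes

# Constructed sample input: the published RFC 6238 test key, not a real secret.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the HOTP counter is the number of STEP-second periods since 1970."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server side: accept the current step and `window` steps either side (assumed policy)."""
    current = server_time // STEP
    candidates = [hotp(secret, current + d) for d in range(-window, window + 1)]
    # Constant-time comparison against every candidate, no early exit.
    return sum(hmac.compare_digest(c, code) for c in candidates) > 0


def skew_report(secret: bytes, server_time: int, skews: list) -> dict:
    """For each phone clock error in seconds, would the phone's code be accepted?"""
    return {s: verify(secret, totp(secret, server_time + s), server_time) for s in skews}


if __name__ == "__main__":
    server_time = 1111111109  # constructed timestamp taken from the RFC 6238 test table
    print("code at server time:", totp(SECRET, server_time))
    for skew, ok in skew_report(SECRET, server_time, [0, -30, 300]).items():
        print(f"phone clock off by {skew:+d}s ->", "accepted" if ok else "rejected")
```

Under these assumptions a phone that is 30 seconds off still lands in an accepted step, while one that is five minutes off generates a code for a step the server never checks.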

Support Contact: Mila's helpdesk
