This documentation is a work in progress. It is accessible only to "early adopters" who have been given access tor testing purposes.
Show If
group
ecmwf
The documentation is currently only accessible to User Services, Oliver, Cesar and selected "early adopters" from the Member States. It is not yet complete or ready for wider publication.
Info
ECMWF plans to retire the ActivIdentity (HID) Security Tokens that have been used to provide a two-factor (strong) authentication access to ECMWF systems since 2007, and replace has replaced these with a TOTP (Time-based One-Time Password) Client application.
This page describes how to activate TOTP for your ECMWF User and documents the current status of services that have been configured to use TOTP
The page was last updated on . .
Note
Time-based One-Time Passwords are only required for login access to:
Time-based One-Time Passwords are NOT required for logging in to the ECMWF web site, ecCharts, to use the WebAPI to download data from MARS or the CDSAPI to download data from the Copernicus Climate Data Store (CDS).
Table of Content Zone
Table of Contents
...
Info
All Bologna systems will accept both ActivIdentity and TOTP Clients as a second factor, in parallel, for seven months from July 2022 to 31st January until 31st March 2023, at which point the ActivIdentity HID systems will be switched off.
...
You can have as many TOTP devices configured as you like. Either you have several different authenticator apps installed on your mobile phone, or you can use several different mobile phones.
Command line tools such as oathtool provide a command line TOTP app that can be used from a workstation or laptop
You can delete your own configured TOTP. If you delete all your configured TOTP devices, then the behaviour reverts back to the current one (i.e. use of ActivIdentity HID security token)
If you cannot login at all because of TOTP, open a Software and computing ticket in the ECMWF Support Portal to request deletion of the wrong TOTP profile .
Tip
title
A note on security
Users should ensure access to the TOTP client is protected if their device were to be lost, stolen, shared or otherwise compromised.
On a mobile device this can be achieved, for example, with a PIN, Password or Fingerprint lock on the device. Many TOTP client applications also support additional authentication to the application itself (this can provide additional protection, especially if the device is shared).
Ensure you keep the device up to date and we strongly recommend not rooting or jailbreaking your device because this weakens the protections built into it.
Using TOTP for access to ECMWF services
...
Multiexcerpt include
MultiExcerptName
preamble
PageWithExcerpt
UDOC:TOTP: How to activate
TOTP: How to use
Multiexcerpt include
MultiExcerptName
preamble
PageWithExcerpt
TOTP: How to use
TOTP: Using oathtool to provide a one-time-password
Multiexcerpt include
MultiExcerptName
preamble
PageWithExcerpt
UDOC:TOTP: Using oathtool to provide a one-time password
...
Multiexcerpt include
MultiExcerptName
preamble
PageWithExcerpt
UDOC:TOTP: Status of services using TOTP at ECMWF
...
Show If
group
ecmwf
Status of services using TOTP and accessible to ECMWF staff only
Multiexcerpt include
MultiExcerptName
preamble
PageWithExcerpt
UDOC:TOTP: Status of services accessible to ECMWF staff only
...
If purchasing a hardware TOTP Client, ECMWF naturally recommends one with a PIN code for protection.
Does ECMWF gather any information from my smartphone when I use it for TOTP ?
ECMWF only stores the seed key and a device “friendly name” provided by the user. No information is gathered from the smartphone.