On 31 March 2023, ECMWF retired the ActivIdentity (HID) security tokens that had provided two-factor (strong) authentication to ECMWF systems since 2007, and replaced them with a TOTP (Time-based One-Time Password) client application.

This page describes how to activate TOTP for your ECMWF user and documents the current status of the services that have been configured to use TOTP.

The page was last updated on .

Time-based One-Time Passwords are only required for login access to:

Time-based One-Time Passwords are NOT required for logging in to the ECMWF web site or ecCharts, for using the WebAPI to download data from MARS, or for using the CDSAPI to download data from the Copernicus Climate Data Store (CDS).

Background

The ActivIdentity (HID) security token has been used for over a decade at ECMWF, replacing similar RSA tokens which were used before. These tokens provide a second factor for user authentication alongside a user's password, enabling strong authentication for security sensitive services such as login access to ECMWF's Unix systems.

ECMWF plans to replace the ActivIdentity tokens with a Time-based One-Time Password authenticator application, more accurately known as a TOTP client. Typically, TOTP clients are implemented on a smartphone. The user synchronises the client with ECMWF's systems themselves by visiting a web page. Clients usually use PIN codes or biometric features for protection.

In the case of a TOTP Client implemented on a smartphone, after the initial synchronisation, the second factor number is displayed in the application and automatically changes every 30 seconds.

TOTP Clients have the following beneficial properties:

  • Users are free to choose the TOTP Client they use, as this is a widely used open standard for second factor authentication.
  • Management is self-service for the user through the use of QR Codes (3D barcodes) to establish synchronisation with ECMWF's systems.


All Bologna systems will accept both ActivIdentity and TOTP Clients as a second factor, in parallel, until 31st March 2023, at which point the ActivIdentity HID systems will be switched off. 

A smartphone is not required to use TOTP; see the question "Is a smartphone required for the TOTP Client?" below.

Features of TOTP implemented at ECMWF

  • You can have as many TOTP devices configured as you like: several different authenticator apps on one mobile phone, or several different mobile phones.
  • Command line tools such as oathtool provide a TOTP client that can be used from a workstation or laptop.
  • You can delete your own configured TOTP devices. If you delete all of them, the behaviour reverts to the current one (i.e. use of the ActivIdentity HID security token).
  • If you cannot log in at all because of TOTP, open a Software and Computing ticket in the ECMWF Support Portal to request deletion of the wrong TOTP profile.


A note on security

Users should ensure that access to the TOTP client remains protected if their device is lost, stolen, shared or otherwise compromised.

On a mobile device this can be achieved, for example, with a PIN, password or fingerprint lock on the device. Many TOTP client applications also support additional authentication to the application itself, which provides further protection, especially if the device is shared.

Keep the device up to date, and we strongly recommend not rooting or jailbreaking your device, because this weakens the protections built into it.


Using TOTP for access to ECMWF services

Below you will find some basic information about the TOTP service at ECMWF and how to use it.


TOTP: How to activate

TOTP can be activated for your ECMWF user using the following steps.

These steps can also be used to set up new TOTP devices.

TOTP: How to use

The main use of TOTP is for logging in to ECMWF's Atos HPCF and ECS services using Teleport SSH Access.

The steps needed are described in this page.

TOTP: Using oathtool to provide a one-time-password

For users who do not wish to use a smartphone, or who want a backup device for logging in with TOTP, the oathtool command line tool can be used on Linux or macOS systems to generate a one-time password as an alternative to an authenticator client on a smartphone.
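As an added illustration (not code from ECMWF or from the oathtool project), the block below implements the RFC 6238 computation behind both the 30-second smartphone code described under Background and the oathtool alternative, together with the server-side check a service performs: a one-step clock-drift window and rejection of a code that has already been used. The seed is the RFC's published test secret in base32, constructed for the demo, not an ECMWF seed.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the 30-second rollover described on the page
DIGITS = 6

# Constructed demo seed: the RFC 6238 test-vector secret "12345678901234567890"
# in base32 (the form a QR code or oathtool -b carries). It is NOT an ECMWF seed.
DEMO_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(base32_seed: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    secret = base64.b32decode(base32_seed.replace(" ", ""), casefold=True)
    return hotp(secret, unix_time // STEP_SECONDS)

class TotpVerifier:
    """Server-side check: accept the current step plus `window` steps either
    side to tolerate clock drift, but never accept a step that has already
    been used, so a captured code cannot be replayed within its 30 seconds."""

    def __init__(self, base32_seed: str, window: int = 1):
        self.secret = base64.b32decode(base32_seed.replace(" ", ""), casefold=True)
        self.window = window
        self.last_step_used = -1  # highest counter value already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP_SECONDS
        first = max(0, now_step - self.window)
        for step in range(first, now_step + self.window + 1):
            if step <= self.last_step_used:
                continue  # already consumed: reject replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step_used = step
                return True
        return False

if __name__ == "__main__":
    print("current code for the demo seed:", totp(DEMO_SEED, int(time.time())))
```

For the same seed and clock, `oathtool --totp -b GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ` prints the same six digits.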

Status of services using TOTP at ECMWF

The table documents the status of services using TOTP at ECMWF as at


Questions and Answers

Is a smartphone required for the TOTP Client?

No.

It is possible to use a command line application such as oathtool in just the same way.

Alternatively there are suppliers of hardware TOTP Clients (FEITIAN OTP c200 OATH, Thales eToken PASS, OneSpan Digipass GO) although they typically require a PC or phone for initial setup and synchronisation. While ECMWF will not cover the cost of such solutions, any user of ECMWF services is welcome to use them.

Which TOTP Client application should be used on my smartphone?

There are many to choose from, and they all provide the same basic features. Examples include:

  • Google Authenticator
  • Microsoft Authenticator
  • LastPass Authenticator
  • Red Hat FreeOTP

You may wish to find one with a cloud backup, so that the synchronisation is backed up in case you lose your smartphone.

ECMWF commits to finding and offering a working solution to any user, but does not commit to making all TOTP applications work. In other words, users are supported in their use of TOTP applications in the same way that standards-compliant web browsers are supported when accessing web services.

Is TOTP less secure than the HID ActivID Personal Token?

No.

The HID Personal Token combines a time-based one-time password (a number) with the protection of a PIN code.

The TOTP Client is just the same but replaces the PIN code with your smartphone device lock (biometric or PIN).

If purchasing a hardware TOTP Client, ECMWF naturally recommends one with a PIN code for protection.

Does ECMWF gather any information from my smartphone when I use it for TOTP?

ECMWF only stores the seed key and a device "friendly name" provided by the user. No information is gathered from the smartphone.