IP Register TOTP authentication

At the moment IP Register's TOTP setup is limited to members of the Hostmaster / Network Systems team who have privileged read/write access to the database via the web user interface.

What is TOTP?

Time-based one-time passwords (TOTP) are derived from the current time and a shared secret, which are combined to produce a 6-digit authentication code that changes every 30 seconds.

There are a number of apps that support TOTP:

Some of these apps are linked to cloud authentication services, but they can be used as stand-alone TOTP generators.

IP Register TOTP

When logging in with Raven, there is a second challenge - "speak, friend, and enter" - which demands a correct TOTP code before access is granted. This sets a 12 hour login session cookie.

Enrolment / reset

The enrolment and secret reset process is a rough bare-bones prototype, and rather unfriendly. You or a colleague must:

  • check out the ipreg repository
  • cd ipreg/ansible
  • run bin/totp reset <crsid>
  • commit and push the change
  • use ansible-playbook -e secrets=1 jackdaw.yml to deploy it

Then, get a colleague to visit https://jackdaw.cam.ac.uk/ipreg/totp and enter your CRSID to bring up the QR code of your TOTP secret. Open your TOTP app and point your phone's camera at the QR code.

You need a colleague to help for initial enrolment and for secret resets. You can't reset your own TOTP secret since your TOTP login session cookie is tied to your secret, so when you reset your secret your session is invalidated.

After you are enrolled, you can add your existing secret to other devices using the QR code page. Or you can use an app that syncs your secret across devices.