A Free, Flexible, and Secure Way to Provide Multiple Factors of Authentication to Your Community
By Patrick Storm, William Proctor, and Nathaniel Mendoza (Texas Advanced Computing Center)
How does a supercomputing center enable tens of thousands of researchers to securely access its high-performance computing systems while still allowing ease of use? And how can it be done affordably?
These are the questions we, at the Texas Advanced Computing Center (TACC), asked ourselves when we sought to upgrade our system security. We had previously relied on users’ names and passwords for access, but with a growing focus on hosting confidential health data and the increased compliance standards that entails, we realized we needed a more rigorous solution.
In 2015, we began looking for an appropriate multi-factor authentication (MFA) solution that would provide an extra layer of protection against brute-force attacks. What we quickly discovered was that the available commercial solutions would cost us tens to hundreds of thousands of dollars per year to provide to our large community of users.
Moreover, most MFA systems lacked the flexibility needed to allow diverse researchers to access TACC systems in a variety of ways — from the command line, through science gateways (which perform computations without requiring researchers to directly access HPC systems), and using automated workflows.
So, we did what any group of computing experts and software developers would do: we built our own MFA system, which we call OpenMFA.
We didn’t start from scratch. Instead, we scoured the pool of state-of-the-art open source tools available. Among them was LinOTP, a one-time password platform developed and maintained by KeyIdentity GmbH, a German software company. To this, we added the standard networking protocols RADIUS and HTTPS, and glued it all together using custom pluggable authentication modules (PAM) that we developed in-house.
This approach integrates cleanly with common data transfer protocols, adds flexibility to the system (for example, it let us maintain whitelists of IP addresses that are exempted from the second factor), and supports opt-in or mandatory deployments. Researchers can use the TACC-developed OpenMFA system in three ways: via a software token, an SMS message, or a low-cost hardware token.
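To make the design concrete, here is an added illustration (not OpenMFA’s or LinOTP’s own code) of the decision a PAM-style gate makes for each login: skip the second factor for whitelisted source addresses, otherwise verify a software-token code. It assumes the token is an RFC 6238 TOTP over HMAC-SHA1 with 30-second steps, uses a constructed exemption list, and adds a per-user replay guard so a code accepted once cannot be reused inside the tolerance window.

```python
import hashlib
import hmac
import ipaddress
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MfaGate:
    """Second-factor decision for one login attempt."""

    def __init__(self, exempt_networks, window: int = 1, step: int = 30):
        # Constructed whitelist of networks that skip the OTP step (assumption, not TACC's list).
        self.exempt = [ipaddress.ip_network(n) for n in exempt_networks]
        self.window = window      # accept +/- this many time steps of clock drift
        self.step = step
        self.last_step = {}       # user -> last accepted time step (replay guard)

    def is_exempt(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.exempt)

    def check(self, user: str, secret: bytes, code, source_ip: str, now: int) -> bool:
        """True if the second factor is satisfied (exempt source, or valid fresh code)."""
        if self.is_exempt(source_ip):
            return True
        if not code:
            return False
        for k in range(-self.window, self.window + 1):
            t = now + k * self.step
            # Constant-time compare so a wrong digit does not leak timing information.
            if hmac.compare_digest(totp(secret, t, self.step), code):
                step_no = t // self.step
                if step_no <= self.last_step.get(user, -1):
                    return False  # code already consumed: treat as a replay
                self.last_step[user] = step_no
                return True
        return False
```

The RFC 6238 test secret `12345678901234567890` (ASCII) with times 59 and 1111111109 yields the codes 287082 and 081804, which is a quick way to confirm the arithmetic against the published vectors.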
Over three months, we transitioned 10,000 researchers to OpenMFA, while giving them the opportunity to test the new system at their leisure. In October 2016, use of the MFA became mandatory for TACC users.
Since that time, OpenMFA has recorded more than half a million logins and counting. TACC has open-sourced the tool for free, public use. The Extreme Science and Engineering Discovery Environment (XSEDE) is looking to begin using OpenMFA in the coming months, doubling the OpenMFA user base, and many other universities and research centers have expressed interest in using the tool.
We developed OpenMFA to suit our center’s needs and to save money. But in the end, the tool will also help many other taxpayer-funded institutions improve their security while maintaining research productivity. This allows funding to flow into other efforts, increasing the amount of science that can be accomplished while making that research more secure.
TACC staff will present the details of OpenMFA’s development at this year’s Internet2 Technology Exchange on Tuesday, October 17 at 2:30 pm PT. They will also be presenting at The International Conference for High Performance Computing, Networking, Storage and Analysis (SC17).