About CERN

At CERN, the European Organization for Nuclear Research, physicists and engineers are probing the fundamental structure of the universe. They use the world’s largest and most complex scientific instruments to study the basic constituents of matter, the fundamental particles. The particles are made to collide at close to the speed of light. This process gives the physicists clues about how the particles interact, and provides insights into the fundamental laws of nature.

The instruments used at CERN are purpose-built particle accelerators and detectors. Accelerators boost beams of particles to high energies before the beams are made to collide with each other or with stationary targets. Detectors observe and record the results of these collisions.

Founded in 1954, the CERN laboratory sits astride the Franco-Swiss border near Geneva. It was one of Europe’s first joint ventures and now has 21 member states. (For more information see http://home.web.cern.ch/about)

Quotes below are from Remi Mollon of the CERN Computer Security Team. Italic comments are from Yubico.


Why and where have CERN deployed strong authentication?

“CERN provides a wide variety of services, allowing its users to access data. Although a minimum level of complexity is required for users’ passwords, there is still a danger of them being ‘sniffed’ or stolen. As such, stronger authentication was deemed necessary for critical services, and multi-factor authentication appeared to be a well-adapted solution. The idea was to ask for two different kinds of factor: ‘something you know’ and ‘something you have’. In other words, requiring a hardware token in addition to the password. It is necessary to offer several tokens in order to cover users’ requirements, and YubiKey is one of them.

The integration of multi-factor authentication has been done on the single sign-on (SSO) web portal, and for Secure Shell (SSH) access as well.”

Remi Mollon of the CERN Computer Security Team

The YubiKey is a USB device that presents itself to the host as a keyboard with a single button. Each touch of the button causes the YubiKey to type a one-time passcode (OTP) that the relying service validates before granting access.
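As an added example, not code from Yubico or CERN, here is what the relying service's side of that validation looks like in Go. It decodes the ModHex-typed OTP, decrypts the single AES-128 block with the secret enrolled for that key, checks the CRC and the private ID, and only accepts an OTP whose (session counter, use-in-session) pair is strictly newer than the last one accepted, which is what stops a sniffed OTP from being replayed. The AES secret, private ID and public ID are constructed for the demo, `makeOTP` stands in for a physical key touch, and the counter store is in memory; a real validation server persists the counters and shares them across every front end that accepts the same key.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// modhex is YubiKey's keyboard-layout-independent hex alphabet.
const modhex = "cbdefghijklnrtuv"

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := range out {
		hi, lo := strings.IndexByte(modhex, s[2*i]), strings.IndexByte(modhex, s[2*i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("invalid modhex character")
		}
		out[i] = byte(hi<<4 | lo)
	}
	return out, nil
}

func modhexEncode(b []byte) (s string) {
	for _, c := range b {
		s += string([]byte{modhex[c>>4], modhex[c&15]})
	}
	return s
}

// crc16 is the reflected CRC-16-CCITT used inside the OTP block; an intact block
// (payload plus its stored CRC) always reduces to the constant residue 0xf0b8.
func crc16(b []byte) (crc uint16) {
	crc = 0xffff
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408&-(crc&1) // shift; xor the polynomial if the LSB was set
		}
	}
	return crc
}

// Key is what the validation server keeps per enrolled token.
type Key struct {
	AES, UID         []byte // 16-byte AES secret and 6-byte private ID set at enrollment
	LastCtr, LastUse uint16 // highest (session counter, use-in-session) pair accepted so far
}

// Validate decrypts one OTP, checks its integrity and private ID, and rejects
// anything not strictly newer than the last accepted OTP (replay protection).
func (k *Key) Validate(otp string) error {
	if len(otp) != 44 {
		return errors.New("OTP must be 44 modhex characters")
	}
	ct, err := modhexDecode(otp[12:]) // the first 12 characters are the public ID
	if err != nil {
		return err
	}
	block, err := aes.NewCipher(k.AES)
	if err != nil {
		return err
	}
	pt := make([]byte, 16)
	block.Decrypt(pt, ct) // the payload is exactly one AES-128 block
	if crc16(pt) != 0xf0b8 {
		return errors.New("bad CRC: wrong key or corrupted OTP")
	}
	if string(pt[:6]) != string(k.UID) {
		return errors.New("private ID mismatch")
	}
	ctr, use := binary.LittleEndian.Uint16(pt[6:])&0x7fff, uint16(pt[11]) // bit 15 of ctr is a flag
	if ctr < k.LastCtr || ctr == k.LastCtr && use <= k.LastUse {
		return errors.New("replayed or out-of-order OTP")
	}
	k.LastCtr, k.LastUse = ctr, use
	return nil
}

// makeOTP simulates a YubiKey touch; it exists only to build demo input here.
func makeOTP(k *Key, publicID []byte, ctr uint16, use uint8) string {
	pt := make([]byte, 16)
	copy(pt, k.UID)
	binary.LittleEndian.PutUint16(pt[6:], ctr)
	pt[11] = use
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14])) // stored CRC is the complement
	block, _ := aes.NewCipher(k.AES)
	block.Encrypt(pt, pt)
	return modhexEncode(publicID) + modhexEncode(pt)
}

func main() {
	k := &Key{AES: []byte("0123456789abcdef"), UID: []byte{1, 2, 3, 4, 5, 6}} // constructed demo secrets
	otp := makeOTP(k, []byte{0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc}, 7, 1)
	fmt.Println(otp, "first use:", k.Validate(otp)) // first use: <nil>
	fmt.Println("replay:", k.Validate(otp))         // replay: replayed or out-of-order OTP
}
```

Running it prints the generated OTP, a nil error for the first validation and the replay error for the second. The public ID (the first 12 characters) is the only part the server can read before decryption, so it is what the self-service enrollment maps to a user account; everything that proves possession of the key sits inside the encrypted block and is useless without the per-key AES secret.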


Why did CERN choose the YubiKey for strong authentication?

“The YubiKey meets all of our requirements thanks to its simplicity of use, its open algorithm and the available open-source software support. Moreover, the YubiKey requires no drivers, meaning that it is compatible with all our operating systems, which is a big advantage in a heterogeneous academic environment. The absence of a battery is yet another plus, limiting the maintenance costs to a strict minimum.”

Remi Mollon of the CERN Computer Security Team

The YubiKey is designed to be robust and thrive in everyday use on your keychain. Yubico’s philosophy of distributing host and configuration software as open source under liberal licenses and using open protocols makes the YubiKey deployable in the widest variety of strong authentication scenarios.


What work was required to integrate the YubiKey into CERN authentication?

“We integrated using mainly open-source software, plus some CERN-written code. We have been able to deploy YubiKeys into both our SSO portal and SSH sessions. For SSO, some integration work had to be done in order to make Microsoft AD FS (Active Directory Federation Services) ask for the 2nd factor. Concerning SSH sessions, we decided against using the open-source pluggable authentication module (PAM), because it is not compatible with Kerberos authentication, which is widely used at CERN. Thus, we have developed our own script, called via the SSH option ‘ForceCommand’. This offers a menu for the choice of the second factor.”

Remi Mollon of the CERN Computer Security Team

Yubico supports a wide range of strong authentication methods through the open source client projects available at http://opensource.yubico.com. We are also interested in supporting community generated projects for new methods.


How do you handle initializing the cryptographic secrets in the YubiKeys?

“Whereas it was accepted for the prototype phase to use externally loaded cryptographic secrets, one of the final goals was to not rely at all on an external company for the initialization of the secrets. We now have self-service stations, where users can initialize their hardware tokens and map them to their account.

The deployment is now at production stage, and a few services are already using multi-factor authentication with the YubiKey. We are now at the stage of progressively determining and migrating them to strong authentication with the YubiKey.”

Remi Mollon of the CERN Computer Security Team

Yubico’s strategy is that its customers do not have to trust Yubico in order to deploy strong authentication. Free open-source software is available to allow customers to configure YubiKeys through a GUI, a command-line tool or a low-level library. For large deployments of millions of devices, Yubico has a high-volume configuration suite available, capable of configuring 1,000,000 devices per month, per operator.


What has the user experience feedback been?

“At the beginning, some users were confused with the YubiKey’s two identity slots and how to use them. Some press the button as long as they see something being generated, thus the second slot is used. But they quickly get used to the two slots, and then everything is fine.”

Remi Mollon of the CERN Computer Security Team

The YubiKey supports two separate identity slots. When both slots are configured, the first slot is selected by a short touch of about a second and the second slot by a long touch of three to four seconds. If only a single slot is configured, the OTP is emitted as soon as the touch is recognized.


What is your experience working with Yubico?

“We appreciate the reactivity of Yubico. When we started using YubiKeys at CERN, we were missing some functionalities, like Oracle support on the server side and https support on the client side. We implemented them, and we pushed the patches to the corresponding Yubico open-source projects. The Yubico team accepted the patches, and even spent time to improve the integration of the Oracle support! Those functionalities are now part of the upstream software, which eases the deployment of new versions on our side. Thank you!”

Remi Mollon of the CERN Computer Security Team
