
Our testing today was successful and so we plan to go into production with the TFA VPN setup next Friday, 2/18, at 10am.

How it's going to work:

If you currently access RBVI hosts such as plato from outside of UCSF using an application such as ssh, then you already are using the same TFA app that the VPN will be using. If you don't do this, then keep reading.

The VPN will use a Duo (https://duo.com/) account named "UCSF PharmChem." Duo is the same TFA used by the UCSF campus, of course, but the Duo app on your phone or tablet supports multiple accounts and the PharmChem account is distinct from your campus account. Beginning next Friday, when you connect to the RBVI VPN you will receive a notification on your phone/tablet asking you to confirm that it's you attempting to connect. You then just click on the Duo "OK, it's me" box and your VPN connection will complete. That's all there is to it!

Testing your account:

If you want to test the PharmChem TFA account prior to next Friday's go-live date (advised), then try using the ssh or scp applications to access plato.cgl.ucsf.edu from a location outside of UCSF. You'll first need the Duo app installed on your phone or tablet, of course. This campus IT web page describes how to do that: https://it.ucsf.edu/service/multi-factor-authentication-duo. Once registered with Duo and if the PharmChem account is _not_ set up on your device, then when you try to ssh/scp to plato Duo should pop up and tell you that you need a PharmChem account to continue. Follow the instructions Duo provides and you should be able to successfully connect to plato using TFA. If you take too long completing the setup steps you may need to try connecting again because the connection request times out after a while (30 seconds?).

Finally, when connecting to the RBVI VPN please remember that this uses a separate password from your plato/wynton "Kerberos" account password. Also, the only prompt you will get to confirm your connection request is from the Duo app, so you need to have your phone/tablet handy when you initiate the VPN connection.

If you run into problems connecting, please send email to "vpn-user@cgl.ucsf.edu". Implementing TFA on the RBVI VPN lets us complete a major remediation item noted during a recent IT audit, so thanks for your understanding.

Subject: RBVI VPN will be down this Friday 10am - Noon
From: Tom Ferrin <tef@cgl.ucsf.edu>
Date: 2/9/22, 4:59 PM
To: hal2-users@cgl.ucsf.edu

The RBVI VPN will be down this Friday 10am-noon as we test two-factor-authentication (TFA). If our tests are successful, another email will announce the time-frame for implementing TFA on RBVI's VPN.

Background:

UCSF security standards require TFA when accessing UCSF computing resources from outside of UCSF. Because the RBVI VPN currently does not require TFA, we are not compliant with this standard. A recent audit of RBVI computing resources identified this as a critical deficiency requiring high priority resolution.

Our plan is to implement TFA on RBVI's VPN using the same Duo technology as currently implemented when directly ssh'ing into RBVI's host "plato" from outside of UCSF. Access to plato requires use of the Duo "UCSF PharmChem" account. If you are already using this account to access plato, then minimal/no changes will be required to access our VPN in the future.

Please disconnect from the RBVI VPN prior to 10am on Friday, otherwise you risk your connection being severed without warning and potentially losing any work in progress.