Using Authy on a desktop computer to generate one-time passwords for Savio

Authy, a free app from Twilio, can generate one-time passwords (OTPs) on your laptop or desktop computer, which you can use when logging into the Savio high-performance computing cluster at UC Berkeley.

We recommend using the Authy app if you do not have a mobile device - such as most iOS or Android smartphones and tablets - capable of running the Google Authenticator app. (If you do have one of these, you can find setup instructions for your device in Logging into Savio.)

Authy is a Chrome app; that is, it requires the presence of the Chrome browser but works more like a desktop app than a browser extension. This app can be installed and used wherever Chrome runs, including on MS Windows, OS X / macOS, and Linux.

Setting up Authy

Setup steps:

  1. Open (or switch to) the Chrome browser. (If you don't have that browser on your device, visit Google's Chrome Browser page to download and install it.)

  2. From within Chrome, download Authy.

    In the following section of the download page (https://www.authy.com/app/desktop/), click the icon for the OS you're using:

    Screenshot: download icons on Authy website

  3. Then, on the Authy app page in the Chrome Web Store, click the '+ ADD TO CHROME' button near top right, and 'Add app' in the subsequent dialog.

  4. Visit your browser's Apps page, by entering chrome://apps/ in your browser's address bar and pressing the Return key. (You can also bookmark that page, for convenience.)

  5. Launch Authy by clicking its icon on your browser's Apps page:
    Authy app icon on Chrome browser apps screen

  6. Follow the on-screen instructions to send a text message to your phone, or to call you. This will give you a code that you will need to enter into Authy.

    (If you have a landline phone, or a cell phone that can't receive text messages, be sure to click the "Call" button - rather than the "SMS" button - at the "Verify my identity via" prompt.)

  7. Next, in Authy's window, click the "Settings" (gear) icon at upper left:

    Screenshot: Authy 'gear' (settings) icon on Add Account screen

  8. Set up a Master password by entering text into that field, clicking the "Set" link, and then following the onscreen instructions:

    Screenshot: Authy master password screen

  9. Click the Close ('x') button at upper right to get back to the Accounts screen.

  10. Click the red Plus ('+') button on that screen to create a new account. You'll now see a screen asking for you to enter a code:

    Screenshot: Authy New Authenticator Account screen, with Enter Code field

  11. Now you'll leave Authy, go back to your main Chrome window, and get that code. Here's how to do that:

    Visit the Non-LBL Token Management web page (https://identity.lbl.gov/otptokens/hpccluster).

  12. Login to that web page by clicking the button for the external account (UC Berkeley CalNet, Google, Facebook, or LinkedIn) that you previously linked to your Savio/BRC cluster account.

    (If, when doing so, you encounter the error message, "Login Error: There was an error logging you in. The account that you logged in with has not been mapped to a system account", please complete Step 1, on linking your personal account to a BRC cluster account, in Logging into BRC Clusters. Then, return right back here, to re-try this step in the Authy instructions.)

  13. From the "Token Management" page which appears, create a new token by clicking on "Add an HPC Cluster/Linux Workstation token" and following the onscreen instructions.

    IMPORTANT: Remember the PIN that you are setting on the token.

    Note: Even if you've already created one or more tokens for use with Google Authenticator on a smartphone or tablet, you'll still need to create a new token for use with Authy.

  14. After you've successfully created your new token, a QR code for that token will then be displayed.

    Screenshot: QR code for one-time password token

  15. Because Authy doesn't have a way to scan the QR code (directly or via a helper app), you'll need to extract the 'secret' from the currently displayed webpage.

    (The instructions that follow here are a bit tricky ("fiddly") so please be sure to pay close attention to both the instructions and screenshots.)

    To do so, from Chrome's menus, choose "View -> Developer ... -> Developer Tools".

  16. Click the "Inspect Element" icon - the icon with the 'arrow in a box,' at the upper left of the right-hand panel.

    Screenshot: Inspect Element widget icon in Chrome's developer tools

  17. Then click on the QR code, so that code is highlighted:

    Screenshot: clicking on QR code image using Inspect Element tool

  18. Over in the right-hand panel, you'll see some text highlighted, which will most likely begin with img style=.... (That's the HTML markup which corresponds to the image of the QR code, in the left-hand panel.)

    Press the up arrow key on your keyboard - typically twice - until a block of text just before this is selected: the text that begins with div id="qrcode":

  19. Within that block of text, select and copy the "secret" text to the Clipboard. That's the text immediately following secret= and ending before &issuer=, in the token string that begins with otpauth://, in the location shown by secrettexttocopyishere in the example below:

    otpauth://totp/hpcs%3ATOTP10976BCD?secret=secrettexttocopyishere&issuer=Lawrence%20Berkeley%20National%20Laboratory

    The "secret" text will typically be 32 characters in length, and consist of both uppercase letters and digits.

    For example:


    If you can't easily select just that "secret" text within Chrome's Developer Tools window itself, as an alternative, you can paste in the full token and perhaps even some surrounding text into a text editor or word processing application, and select that text there. (If you do so, for optimum security, do not ever save that token - nor the "secret" text within that token - in any document on your disk.)

  20. Paste that "secret" text into the "Enter Code" field in Authy, next to the "Add Account" button.

    (If Authy is hidden below your browser window, you can bring it back to the front: from Chrome's menus, select Windows -> Authy.)

    Be sure to verify that the text pasted into the "Enter Code" field is exactly the same as the "secret" text in the token. (If these differ, even by only a single character, the one-time passwords that Authy generates will not work with Savio.)



  21. Click the "Add account" button.

  22. On the next screen, select a logo for your new Authy account and enter a name for that account. ("Savio" - or any similar name - is a reasonable option for an account name.) Then click "Done".

  23. At the "Your account has been created" prompt, click "Accept".

  24. Click the Close ('x') button at upper right, to move from the Settings screen, to the screen where you can generate one-time passwords.

  25. On the screen where you can generate OTPs, click on the logo (or name) for the account you just created:

  26. You should now see one-time passwords being generated: a new one will be displayed every 30 seconds:



    (Authy displays the one-time password with a space between the first and last three digits. When you click the "Copy" button, however, the password is correctly copied to the clipboard without that space.)

Assuming the "secret" text you pasted into Authy's "Enter Code" field in step 19, above, was the correct text from your token, you've now successfully completed the process of setting up Authy to generate one-time passwords for Savio.

Logging into Savio

When you want to log into Savio:

  1. Use your terminal or SSH application to connect to hpc.brc.berkeley.edu
     
  2. At Savio's Password: prompt, enter your token PIN (but don't yet press Return).
     
  3. Click Authy's "Copy" button to copy the one-time password to the Clipboard.
     
  4. Then, at Savio's Password: prompt, immediately following the token PIN that you've already entered, paste in the one-time password from Authy and press Return.

(For more details on logging in, please see the Logging into Savio documentation.)

Launching the Authy app

To launch the Authy app later on:

  1. Open the Chrome browser.

  2. In Chrome, visit chrome://apps

  3. From the Apps page, open the Authy icon.

  4. Enter your Master password, and click "Unlock".

  5. You should now see the screen where you can generate one-time passwords. Click on the logo (or name) of your account, to start generating new one-time passwords.