Change in one-time password tool for logging in to HPC resources

August 3, 2016

As of July 2016, the Google Authenticator application is the newly supported tool for generating one-time passwords (OTPs) for users of Savio and other high-performance computing (HPC) clusters managed by Berkeley Research Computing.

Users of these clusters still relying on Pledge, the application previously employed for generating these passwords, have been requested to switch to using Google Authenticator. As of August 1, 2016, 110 Savio users had already done so. Instructions on setting up Google Authenticator to generate one-time passwords can be found in the Logging into Savio document on the Research IT website.

According to a 2016 analysis by Verizon, nearly two-thirds of the more than 2,000 recent data breaches surveyed involved guessed, cracked, or stolen passwords. In response to this threat, requiring rapidly expiring passwords that can be used only once helps protect Savio’s users from unauthorized access to their accounts, and the cluster itself from attacks, so that it can remain highly available to the campus community. This requirement isn’t unique to UC Berkeley: a growing number of peer organizations, such as the Texas Advanced Computing Center (TACC) and Stanford University, have also recently begun requiring one-time passwords and/or similar two-factor authentication methods.

Some background on the current transition: during the first two years of Savio’s operation, the Pledge app (from McAfee, formerly Nordic Edge) was used for generating OTPs. Support for the Pledge infrastructure and client apps was discontinued by its vendor, effective this summer. In response, Lawrence Berkeley National Laboratory, which runs the OTP infrastructure used by both the Lab’s and the campus’s HPC clusters, selected LinOTP for its new, enterprise-level solution, together with the Google Authenticator client app.

At some future time - possibly as soon as the 2017-18 academic year - the UC Berkeley campus will implement its own OTP solution across many campus services. When that occurs, the authentication mechanism for Savio is slated to adopt that solution.