VPN headed for multifactor authentication

Irwin Gaines

Multifactor authentication (MFA) has been around for a few years now, and chances are, many of you use it at least occasionally. Even Facebook provides an MFA login option that lets you, in addition to typing your password, enter a code you receive by text or provide biometric information. MFA has been in use at Fermilab for more than two years for a very limited group of employees. However, due to increased cybersecurity risks to our lab data, this will soon change.

MFA means proving your identity using at least two methods from different categories: something you know (like a password), something you have (like a token or a phone) and something you are (like a fingerprint or retinal scan). Currently, individuals who need access to our sensitive financial, HR and security systems use MFA. Over the next several months, we will be taking steps to expand MFA, most notably, to include VPN access.

The DOE has been strongly encouraging its labs to use MFA for remote access, and we at Fermilab had already been investigating using MFA for additional applications. Recent security events have forced us to fast-track MFA’s implementation for VPN.

In the last two weeks, we have been communicating to identified VPN users, who need to ensure they have what’s called the Fermilab Root CA certificate loaded on their device. Most people — those who have centrally managed computers that receive patches from Fermilab — already have the certificate installed. A Fermilab at Work article explains how you can test to make sure the certificate is properly installed on your device and also contains links to other articles detailing how to install the certificates if needed.

Installing the Root CA certificate on your device is the first step toward using the new MFA technologies, which will begin to be implemented in January. The upgrade will be rolled out in a phased manner. Individuals will be provided an opportunity to test any new solutions before they are required to use MFA for VPN. We will communicate additional information as the project progresses, so look for further email messages from the Service Desk, and please take any action specified in such email.

If you have any questions about MFA for VPN, email mfa-questions@fnal.gov.

Irwin Gaines is the Fermilab chief security information officer.