Using Built-in Fingerprint Reader (Touch ID) for 2FA
Summary
If your Mac has a fingerprint reader, you can use your fingerprint as Two-Factor Authentication (2FA) for CERN's SSO. You can still continue to use the OTP codes to complete the 2FA - this is just an alternative method. The fingerprint can be used on all devices that have iCloud set up.
Limitations:
- Once registered, removing the fingerprint would require opening a SNOW ticket.
- This functionality doesn't work with applications that use an embedded browser (e.g. Mac Self Service).
Requirements
- Having an Apple ID and iCloud registered with your CERN e-mail; this is needed because iCloud is used to sync the credentials between your devices.
- Registering the Touch ID fingerprint reader (see Setting Up 2FA).
To enable this on your Mac, follow these steps:
1. Have an Apple ID registered with your CERN e-mail
- Ensure that you have an Apple ID that is connected to your CERN e-mail. You can check this by opening Settings and signing in with your linked Apple ID.
- For details about registering a new Apple ID, please refer to this article: How to Create an Apple ID.
In summary:
- Go to appleid.apple.com.
- Fill in the details and create an Apple ID with your CERN e-mail.
- Ensure that you are signed in with your CERN e-mail based Apple ID.
2. Setup Touch ID
- Go to the Settings pane.
- Type 'Touch ID' in the search bar and select the option 'Touch ID & Password'.
- On the right pane, select the option for adding a fingerprint.
- Enter your password to start the process of adding your fingerprint.
- Follow the on-screen instructions to finish setting up your Touch ID.
- You can further customize the options made available with your newly added fingerprint by toggling any of the options provided.
Your fingerprint has been successfully added.
3. Registration of your fingerprint for 2FA
- Go to https://users-portal.web.cern.ch, log in with SSO, then click on Configure 2FA.
- Click on the toggle for "Enable WebAuthn credentials" to start configuring it. If you have already configured it before, click on Reset WebAuthn.
- Read the message, then click on the "Got it" button. Once you do this, the page will keep loading until this configuration is finished. Proceed with the next step.
- Open an incognito/private session in your browser, go to https://users-portal.web.cern.ch, log in with your CERN account and provide your OTP code for 2FA if needed.
- At this point, a button to Register your Security key will be shown; click on it.
- You will receive a prompt to configure authentication via Touch ID, confirm by using your fingerprint on the fingerprint reader.
- A confirmation will be shown that the passkey was saved.
- Provide a name for your Security Key, which can be an alias of your laptop.
- If all the steps above went correctly, close the incognito session; you will then observe that the toggle for WebAuthn is now enabled.
- Congrats! You can now use the fingerprint on your laptop to log in with 2FA. When you log in with SSO the next time, you can click on "Try Another Way" if the default is not WebAuthn.
- Choose then Security Key.
- And finally you will be able to see your newly-configured Security key as a way to authenticate using 2FA.
4. (Optional) Set up Kerberos
Setting up Kerberos allows you to bypass the password step for the login. This works out of the box with Safari, but additional configuration is needed for Firefox and Chrome. For details please see the About Kerberos and SSH article.