User Guide to Multifactor Authentication (MFA) for Remote Access to HFIR/SNS Beamlines

Quick Start Instructions for Multifactor Authentication (MFA) for Remote Access to HFIR/SNS Beamlines

Overview: goals and history

To protect beamlines and data, the Neutron Sciences Directorate (NSD) is preparing to implement Multi-Factor Authentication (MFA) for users performing remote experiments at HFIR and SNS. Once implemented, users will use their phone or tablet to authorize each attempt to remotely connect to the instruments.

Users will be asked to enroll their ORNL account with Duo Security and install the Duo Mobile app on their phone or tablet. In some instances, new users who are conducting experiments through remote access may also be required to schedule a brief initial identity vetting meeting with the ORNL NSD User Office before enrolling their account with Duo.

The user office will contact users for whom an initial identity vetting meeting is required. Current access policy requires additional vetting for new users from non-US institutions who are participating in their first experiment through remote instrument control (rather than onsite).

To date, the processes for MFA enrollment and use have been technically tested by staff and also piloted on BL-18 ARCS at SNS. User Experience testing has been conducted with a cohort of external users.

Following our successful pilot on BL-18/ARCS, we are piloting on three additional instruments (CG-1D/MARS; CG-2/GP-SANS; and HB-1/PTAX) to gather more information before setting a wider implementation plan. A timeline for implementation across all HFIR/SNS instruments has not been set.

Instrument Pilots: CG-1D/MARS; CG-2/GP-SANS; HB-1/P-TAX (August 29 to September 22)

The second pilot phase on CG-1D/MARS; CG-2/GP-SANS and HB-1/P-TAX will apply to experiments running August 29 to September 22, 2023.
 
MFA will be required for all users who are participating in CG-1D/MARS; CG-2/GP-SANS or HB-1/P-TAX experiments under the Remote Instrument Control participation type. Onsite users who wish to remotely connect to instrument control as part of their onsite experiment will also be required to use MFA.

We successfully piloted use of Duo Security for MFA on BL-18/ARCS with users requiring access to remote instrument control on BL-18/ARCS from June 21 to August 14, 2023. 

Next steps for pilot/implementation

Additional updates on the status of MFA implementation will be shared as known. Users conducting experiments on instruments other than MARS; CG-SANS; or P-TAX will not be impacted by the August-September pilot and do not need to enroll with Duo Security at this time.

How MFA enrollment works

  1. If you are a participating team member for an experiment requiring MFA, you will need to enroll your ORNL account with ORNL's Duo Security. Eligible users will receive an enrollment email with further instructions.
  2. The process for enrolling in Duo and installing the Duo Mobile app is explained in detail here.
  3. Once set up, you will respond to notifications on the Duo Mobile app to authorize attempts to remotely connect to the applicable instruments during your scheduled experiment.

Getting help

Email neutron-mfa-support@ornl.gov for help or questions about MFA for remote connection to HFIR/SNS instruments.