PDC Portal for Improved Login

Michaela Barth, Harald Barth & Gert Svensson, PDC

Protecting identities and data is critically important these days. When researchers from academia or business/industry log in from their personal computers or laptops to use PDC’s systems for their research, they are communicating over non-secure networks. The identity, research work and data of the researchers who use PDC’s systems need to be protected from security threats and attacks, as do PDC’s own resources. As an example, last summer saw security breaches at various European high-performance computing (HPC) institutions. The results of such breaches can be that systems are down for weeks, or research data can be stolen or corrupted. It is therefore vitally important for users to have a secure method for logging in to PDC’s systems.

A current trend being seen on a European level is to use what is known as multi-factor authentication for security purposes rather than single-factor authentication. Authentication of identities that relies on only one factor is not regarded as secure. For example, in the past, a single password was used to log in to online bank accounts, so anyone who found out the password could log in to the account. Nowadays, European banks use two-factor authentication (2FA) in accordance with the EU’s Strong Customer Authentication (SCA) requirements. This means that two identifiers are needed: one could be a personal password; the other could, for example, be provided via an SMS or through a one-time password (OTP) application like Google Authenticator. It is expected that similar national regulations for accessing information systems hosted by academic organisations (such as the MSBFS 2020:7 security measures in relation to information systems for Swedish authorities, www.msb.se/sv/regler/gallande-regler/krisberedskap-och-informationssakerhet/msbfs-20207) will be extended to encompass all users.

PDC is in the process of developing a secure and reliable login approach which will be used for logging in to the new Dardel system, and which would in principle scale up to work for accessing all HPC systems in Sweden available through the Swedish National Infrastructure for Computing (SNIC). Many of the academic and business researchers who use HPC systems in Sweden for their research actually work on several Tier‑1 systems within Sweden (through SNIC) and may also use Tier-0 systems in Europe (through PRACE or EuroHPC). With the example of the new Dardel login approach, PDC hopes to influence the debate in Sweden concerning a login method that could be implemented on all the SNIC systems over time, and that would ideally make it easy for users who want to migrate their research to a Tier‑0 system outside of Sweden (such as the EuroHPC system LUMI).

Of course, the new approach should be easy to use, so preferably any cumbersome aspects of the authentication process should only be done when initially setting up communications between the user and the system. Once such a "session" is established, it could be trusted for a certain validity period, and thus researchers would not have to go through a full authentication process every time they (re-)connected to the system.

PDC’s proposal is to use the SNIC User and Project Repository (SUPR) to provide authentication for managing login set-up in a future-proof way. In coming years, it is likely that a European identity provider (IdP), such as GÉANT, will act as a proxy IdP for accessing HPC research systems within Europe. The PDC solution would be designed to be compatible with that potential scenario. Such an approach would have the advantage that users would only need a single (virtual) identity and ideally only one set of credentials to use various HPC systems, rather than having to identify themselves in different ways to access different research systems. The plan is that, in the first stage, a single authentication solution would be provided nationally through SUPR in Sweden, and then, in the longer term, that would be extended to apply across all of Europe. This approach makes sense as SNIC already has a well-established and proven authentication solution, known as SUPR 2FA, which is used for all the SNIC centre staff and for the principal investigators (PIs) using the SNIC SENS computing and storage systems for sensitive data.

The new login approach at PDC also needs to take into account the fact that many researchers log in repeatedly on days when they are using PDC’s systems. To make it easier for these users – and to keep the process of automating jobs as simple as possible – multi-factor authentication would not be required for multiple connections by a researcher using the same personal computer during any given day. Instead, 2FA would be used to initially set up the communication between the researcher’s computer and the PDC system. Thereafter, 2FA would only be needed to manage and revalidate the user’s identity if the user wanted to change his or her password or connection information, or after too long a time had passed since the initial login, or if strange connection behaviour was detected.

For the sake of reliability and simplicity, the new PDC login solution should, wherever possible, rely on already existing software and not introduce new software tools. It is also important for the designed solution to be backwards compatible, so that experienced users who are comfortable with the existing Kerberos login method for PDC’s soon-to-be-retired systems, Beskow and Tegner, can continue to log in in much the same way. Note that the existing Kerberos solution provides more protection for the current single-factor passwords than if those passwords were just being used over a remote SSH (Secure Shell) connection. However, the acquisition of Kerberos credentials will have to be migrated to 2FA once the new PDC login solution is phased in.

Based on all of these considerations, PDC is working on giving users a choice of two safe login options: an improved version of the login approach that has been used on PDC’s resources for decades (without any major security incidents happening!), as well as a method based on registered SSH key pairs that will be in line with login mechanisms widely used on European systems. Both of these approaches will be made available to users via a new PDC web portal, where researchers will be able to initialise and update their login credentials for PDC’s systems. Experience has shown that some PDC users regularly log in more than twenty times a day. For this reason, the new Dardel login approach (and the associated portal) is being designed so that the basic login process is as quick and hassle-free as possible, whether users log in to Dardel using Kerberos or SSH-key-based authentication. Further information about the improved login options and the PDC Portal will be available soon through the PDC Support pages. If you have any questions about the new login options, you can contact support@pdc.kth.se.