Google Authenticator Enrollment

Table of Contents

• About Google Authenticator
• Setting Up Your Google Authenticator Token

1. Open the enrollment link from the SafeNet Authentication Service Self-enrollment email

2. Install Google Authenticator and note the Server-Side PIN

If you have Google Authenticator on your phone proceed to the next step. If not, download it onto your phone from your platform's respective app store (Google Play, Apple App Store). Links should be provided on the page. (DO NOT CLOSE THE BROWSER WINDOW)  
 

 
Take note of the server-side PIN at the bottom of the page. You will use this PIN to setup your own personal PIN later in the process. 

3. Scan the QR Code
 

Once you have Google Authenticator on your phone, open the app. If it is your first time using it, you should see a screen like this:  

Choose to scan a QR code. You should be brought to your phone's camera app. Use the on-screen markers to line up the QR code on your web browser with the camera on your phone. It should promptly read the QR code. 

After scanning you should be greeted by a page that looks like this, take note of the timer that indicates how long your code is valid for (It should be valid for 30 seconds.) and the digits on your screen. The digits are your OTP code that you will use whenever authenticating into a two factor authentication (2FA) service like the VPN or hallgw. 

5. Initialize, and Set up Your Own PIN 

Back on the browser page where you first got your QR code, there is a field promoting you to enter your OTP code. Look to the bottom of the page, there you should see the server-side PIN. This is a temporary PIN you will use in combination with the OTP code generated by the Google Authenticator app to activate your 2FA token and setup your own PIN number.

In the field in the image above enter the temporary server-side PIN followed by the current OTP in your app (without spaces or a ‘+’ ).
 
Once that is completed you should be promoted to create your own 6-8 digit PIN number. (PLEASE IGNORE THE PAGE SAYING 3-8 DIGITS. THIS IS INCORRECT.) This is something you should not forget and will be used in the same manner as before. 

Once you create your own pin and confirm it, you should be greeted with a page saying you have successfully enrolled. This pin will expire in 6 months, in which case, the user will need to reset it.

6. Testing (Optional)

In order to verify that everything is working as intended. Go ahead and navigate to https://vpn.jlab.org in your browser. This can be done from any computer and is simply a test to see if everything is working correctly. You are not required to do this.

You should see a little window at the center of the screen promoting you for a group, user name, and password. For group, make sure “JLAB-CryptoCard-Token” is selected. For your user name, enter your CUE username. For the password, you should enter the PIN number you entered in the last step followed by the OTP code generated by the Google Authenticator app. They should be entered as followed: PIN+OTP without a space or ‘+’ Go ahead and login, assuming all goes well, it should authenticate you in without issues.  
 
Now whenever you wish to login to anything that requires 2FA. Use the same method as above for logging in.

Acronyms

• MFA: multi factor authentication
  • Systems using MFA require you to present two or more verification factors to access them
• CUE: common user environment
  • Your JLab CUE username and password are the ones you use to sign into jlab.org
• OTP: one-time-passcode
  • This is the 6-digit code generated by your MFA token
• (OTP) PIN: one-time-passcode personal identification number
  • Each MFA token you set up will have a 6-8 digit PIN associated with it
  • While PINs may have the same numbers, they are each distinct, and distinct from your Smart Card login PIN(s)