Enable multifactor authentication
Suggest changes
PDFs
Multifactor authentication (MFA) allows you to enhance security by requiring users to provide two authentication methods to log in to an admin or data SVM.
-
You must be a cluster administrator to perform this task.
-
If you are unsure of the access control role that you want to assign to the login account, you can use the
security login modifycommand to add the role later. -
If you are using a public key for authentication, you must associate the public key with the account before the account can access the SVM.
You can perform this task before or after you enable account access.
-
Beginning with ONTAP 9.12.1, you can use Yubikey hardware authentication devices for SSH client MFA using the FIDO2 (Fast IDentity Online) or Personal Identity Verification (PIV) authentication standards.
Enable MFA with SSH public key and user password
Beginning with ONTAP 9.3, a cluster administrator can set up local user accounts to log in with MFA using an SSH public key and a user password.
-
Enable MFA on local user account with SSH public key and user password:
security login create -vserver <svm_name> -user-or-group-name <user_name> -application ssh -authentication-method <password|publickey> -role admin -second-authentication-method <password|publickey>The following command requires the SVM administrator account
admin2with the predefinedadminrole to log in to the SVMengData1with both an SSH public key and a user password:cluster-1::> security login create -vserver engData1 -user-or-group-name admin2 -application ssh -authentication-method publickey -role admin -second-authentication-method password Please enter a password for user 'admin2': Please enter it again: Warning: To use public-key authentication, you must create a public key for user "admin2".
Enable MFA with TOTP
Beginning with ONTAP 9.13.1, you can enhance security by requiring local users to log in to an admin or data SVM with both an SSH public key or user password and a time-based one-time password (TOTP). After the account is enabled for MFA with TOTP, the local user must log in to complete the configuration.
TOTP is a computer algorithm that uses the current time to generate a one-time password. If TOTP is used, it is always the second form of authentication after the SSH public key or the user password.
You must be a storage administrator to perform these tasks.
You can set up MFA to with a user password or an SSH public key as the first authentication method and TOTP as the second authentication method.
-
Enable a user account for multifactor authentication with a user password and TOTP.
For new user accounts
security login create -vserver <svm_name> -user-or-group-name <user_or_group_name> -application ssh -authentication-method password -second-authentication-method totp -role <role> -comment <comment>For existing user accounts
security login modify -vserver <svm_name> -user-or-group-name <user_or_group_name> -application ssh -authentication-method password -second-authentication-method totp -role <role> -comment <comment> -
Verify that MFA with TOTP is enabled:
security login show
-
Enable a user account for multifactor authentication with an SSH public key and TOTP.
For new user accounts
security login create -vserver <svm_name> -user-or-group-name <user_or_group_name> -application ssh -authentication-method publickey -second-authentication-method totp -role <role> -comment <comment>For existing user accounts
security login modify -vserver <svm_name> -user-or-group-name <user_or_group_name> -application ssh -authentication-method publickey -second-authentication-method totp -role <role> -comment <comment> -
Verify that MFA with TOTP is enabled:
security login show
-
If you have not associated a public key with the administrator account, you must do so before the account can access the SVM.
-
The local user must log in to complete MFA configuration with TOTP.
Learn more about Multifactor Authentication in ONTAP 9 (TR-4647).