Two-factor authentication with OTP
One Time Password for staff
What is OTP
The acronym OTP stands for 'One Time Password', a mechanism that makes users' online authentication more secure through a secret code that changes at every login. The code is produced by an application (on a smartphone, tablet, PC, etc.) that derives a new one-time code ('token code') every 30 seconds from an initial configuration key called the 'seed'; the code currently displayed is what you enter to prove your identity.
Used alongside traditional authentication by personal username and password, OTP is one of the 'Multi Factor Authentication' (MFA) systems: a user can access an online service only after proving their identity in two or more ways, e.g., by knowing their password and possessing a device authorised to generate OTP codes.
This mechanism, which has been in use for some time in areas such as home banking, has become necessary for the University's applications as well, in order to more effectively counter the risks of cyber-attacks.
OTP at Ca' Foscari
As of 1st July 2022, OTP shall be required for all staff with a unive account (e.g., professors, researchers, research grant holders, short-term research fellows, foreign language assistants, technical administrative staff, etc.), excluding students. Thereafter, if users have not configured OTP, they will be asked to activate this additional security level when changing their password for the first time.
The OTP is tied to a single unive account: if you have several accounts, you will have to activate an OTP for each of them.
For most Ca' Foscari online services and applications, in order to authenticate yourself you will have to enter your username and password and then a 6-digit one-time code generated by a suitably configured application. Note that the OTP system chosen at Ca' Foscari does not use SMS messages and is not tied to a phone number. The code created by the app changes every 30 seconds in order to reinforce security: at each authentication, the code displayed by the application at that moment must be entered.
The following still work without OTP and thus with simple authentication via username and password: VPN connection, Wi-Fi connection via eduroam or Unive_WiFi networks, access to computers or virtual machines via dedicated protocols such as SSH, RDP or Citrix.
How OTP is activated
The OTP activation procedure must be completed seamlessly. Should you be forced to interrupt it, you will have to repeat it from scratch, as the codes provided change with each new access to the activation web page.
- You can activate OTP yourself by logging on to www.unive.it/gestione-otp [ITA]: a QR code will be displayed, to be scanned with the application on your device (smartphone or tablet) as indicated in the following points.
- In the meantime, download Google Authenticator or a similar app on your device from the official store (Google Play for Android devices, App Store for iOS devices):
- Start the app, click on the ( + ) button at the bottom right, select 'Scan a QR code' and scan the previously generated QR code.
- Download the pdf document generated at the end of the process and store it safely. It will then be possible to activate an OTP generator on another device in the event of loss, replacement, theft, etc. of the previous device.
The 'seed' key contained in the pdf must never be disclosed to anyone, not even to the staff of the Computer Services and Telecommunications Area (ASIT).
- Only after setting up the app and saving the pdf document in a safe place, click on 'Activate' at www.unive.it/gestione-otp [ITA] to activate two-factor authentication.
From now on, you will have to enter the OTP code in addition to your username and password to authenticate.
How should I store the document downloaded upon activation of OTP?
To avoid losing or disseminating the information in the document obtained by OTP activation, we advise you to:
- print it out and put it in a protected and confidential place (e.g., a drawer under lock and key)
- or store it in pdf format within an encrypted archive protected by a 'strong' password (e.g., as an attachment to a password manager; a compressed file with a password is not sufficient)
Do I have to activate OTP even if my unive account only serves to access the WiFi network?
Yes, because it enhances security and protects password management.
The OTP generated by my device (e.g., smartphone or tablet) is not valid: what should I do?
- Check that the OTP has not expired, i.e., no more than 30 seconds have passed since it was generated in the app. If this is the case, simply use the next code displayed by the app.
- Check that you have set automatic time synchronisation on your device (e.g., smartphone or tablet). If the time is synchronised manually, it may not be aligned with the actual time: using https://time.is, check that the difference is no greater than 30 seconds. Otherwise, set automatic time synchronisation to solve the problem.
- If you do not want to change the time of your device, access the Google Authenticator app, click on the menu (3 vertical dots on the top right), select 'Settings' and then 'Time correction for codes'. This way, the app will calculate and save the difference between the manual time on your device and the exact real time. This correction operation has to be redone from time to time or after each manual change of the device time, so it is preferable to solve the problem by setting automatic time synchronisation.
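The following Python script is an added worked example, not code from the original page or from the University's own systems. It implements the time-based OTP algorithm described in the 'What is OTP' section (RFC 6238 TOTP over RFC 4226 HOTP: HMAC-SHA1 of a 30-second time counter derived from the 'seed', truncated to 6 digits) and then models the clock-drift problem discussed in the troubleshooting points above, including the effect of a stored time correction like Google Authenticator's 'Time correction for codes'. The seed is the public RFC test secret, not a real unive seed, and the server-side tolerance of one adjacent 30-second step is an assumption made here; the page does not state the unive backend's actual window.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code, as described on the page
DIGITS = 6      # length of the one-time code, as on the page

# Constructed example seed, base32-encoded as an authenticator app would read it
# from a QR code. It is the public RFC 4226/6238 test secret, NOT a real unive seed.
SEED_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the epoch."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    return hotp(base64.b32decode(padded), unix_time // step, digits)


def verify_totp(seed_b32: str, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
    """Server-side check. Accepting +/- skew_steps adjacent steps is an assumption
    used here to model the roughly 30-second tolerance mentioned on the page; the
    real unive backend's window is not stated there. Constant-time comparison
    avoids leaking which digits matched."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(seed_b32, server_time + delta * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def device_accepted(seed_b32: str, server_time: int, drift: int = 0, correction: int = 0) -> bool:
    """Model a device whose clock is `drift` seconds off the true time and which has
    stored a `correction` offset (like Google Authenticator's 'Time correction for
    codes'). Returns whether the code it displays is accepted by the server now."""
    device_time = server_time + drift + correction
    return verify_totp(seed_b32, totp(seed_b32, device_time), server_time)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SEED_B32, now), "valid for", TIME_STEP - now % TIME_STEP, "s")
    for drift in (0, -25, 120):
        print(f"device clock off by {drift:+d}s -> accepted: {device_accepted(SEED_B32, now, drift)}")
    print("120s off, corrected by -120s ->", device_accepted(SEED_B32, now, 120, -120))
```

Run with `python totp_demo.py`. A device a few seconds off still produces an accepted code because the verifier tolerates the neighbouring step, whereas a clock two minutes off is four steps away and every code it shows is rejected, which is exactly the failure the time-synchronisation advice above addresses; a stored correction equal to the drift brings the device back into the window without changing the system clock. Note that everything hinges on the seed: anyone holding it can compute the same codes, which is why the page insists it never be disclosed.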
I am abroad: should I expect problems with the OTP?
No. If properly configured according to the instructions, the system works regardless of geographical location and time zone.
Can I continue to use the University's online services without activating OTP?
If you do not activate the OTP system, you will have to use your personal SPID to access your University account and related services, as required by Italian Law Decree No. 76/2020.
You will only be able to use your University credentials for services that do not require OTP (listed above in the 'OTP at Ca' Foscari' section).
How can OTP be activated for a shared unive account?
In unive accounts shared between several co-workers, OTP can be enabled by having every co-worker using that account scan the activation QR code, so that each of them can configure their own device.
By having the QR code scanned but not disclosing the 'seed', the account contact person keeps control over which employees are authorised for access. It is therefore the responsibility of the unive account contact person not to disclose the document containing the QR code and 'seed'.
If employees access the mail of the shared account via Gmail delegation, it will not be necessary to have the OTP configured for them, as they will continue to view the mail of the shared account via personal authentication. It will then be the sole responsibility of the account contact person to configure the OTP.
I have a new smartphone / lost the application to generate OTP: what should I do?
The application for generating the OTP code can be reconfigured using the QR code or the 'seed' in the activation document, which is why it is important to keep that document safe. If that document is no longer available to you, you must contact ASIT - Technical and Phone Support Unit to proceed with your identification and the reconfiguration of your personal authentication parameters.
My device with the OTP generator has been lost or stolen: what should I do?
Using the OTP activation pdf document, immediately configure a new device by following the instructions.
Then go to www.unive.it/gestione-otp [ITA] and, for security reasons, select the 'Generate a new seed' option and reset the Google Authenticator app with the new QR code. This procedure will create a new pdf document to keep, containing a new 'seed', and will invalidate the OTPs generated by the lost or stolen device.
I want to generate a new 'seed': what should I do?
By visiting www.unive.it/gestione-otp [ITA] (which in any case requires the current OTP code), you can select 'Generate a new seed' and immediately reconfigure the device with the new QR code.
This procedure will create a new pdf document to be stored, containing a new 'seed', and will invalidate OTPs generated through the previous configuration.
I do not have access to the OTP generation mobile app: what alternatives can I use?
Although using the application installed on a mobile device is strongly recommended, OTP codes can also be obtained through dedicated browser extensions.
ASIT staff have verified the 'Two Factor Authenticator' extension for Mozilla Firefox and the 'Authenticator' extension for Mozilla Firefox and Google Chrome.
Last update: 10/08/2022