Oct. 9, 2017 — How does a supercomputing center enable tens of thousands of researchers to securely access its high-performance computing systems while still allowing ease of use? And how can it be done affordably?
These are questions that the Texas Advanced Computing Center (TACC), asked themselves when they sought to upgrade their system security. They had previously relied on users’ names and passwords for access, but with a growing focus on hosting confidential health data and the increased compliance standards that entails, they realized they needed a more rigorous solution.
In 2015, TACC began looking for an appropriate multi-factor authentication (MFA) solution that would provide an extra layer of protection against brute-force attacks. What they quickly discovered was that the available commercial solutions would cost them tens to hundreds of thousands of dollars per year to provide to their large community of users.
Moreover, most MFA systems lacked the flexibility needed to allow diverse researchers to access TACC systems in a variety of ways — from the command line, through science gateways (which perform computations without requiring researchers to directly access HPC systems), and using automated workflows.
So, they did what any group of computing experts and software developers would do: they built our own MFA system, which they call OpenMFA.
They didn’t start from scratch. Instead they scoured the pool of state-of-the-art open source tools available. Among them was LinOTP, a one-time password platform developed and maintained by KeyIdentity GmbH, a German software company. To this, they added the standard networking protocols RADIUS and HTTPS, and glued it all together using custom pluggable authentication modules (PAM) that they developed in-house.
This approach integrates cleanly with common data transfer protocols, adds flexibility to the system (in part, so they could create whitelists that include the IP addresses that should be exempted), and supports opt-in or mandatory deployments. Researchers can use the TACC-developed OpenMFA system in three ways: via a software token, an SMS, or a low-cost hardware token.
Over three months, they transitioned 10,000 researchers to OpenMFA, while giving them the opportunity to test the new system at their leisure. In October 2016, use of the MFA became mandatory for TACC users.
Since that time, OpenMFA has recorded more than half a million logins and counting. TACC has also open-sourced the tool for free, public use. The Extreme Science and Engineering Discovery Environment (XSEDE) is considering OpenMFA for its large user base, and many other universities and research centers have expressed interest in using the tool.
TACC developed OpenMFA to suit the center’s needs and to save money. But in the end, the tool will also help many other tax-payer-funded institutions improve their security while maintaining research productivity. This allows funding to flow into other efforts, thus increasing the amount of science that can be accomplished, while making that research more secure.
TACC staff will present the details of OpenMFA’s development at this year’s Internet2 Technology Exchange and at The International Conference for High Performance Computing, Networking, Storage and Analysis (SC17).
To learn more about OpenMFA or explore the code, visit the Github repository.