Two Factor Authentication

Two factor authentication (2FA) must be enabled on your CCR account or you will not be able to login to any CCR resources. We support OTP, which stands for One-Time Passcodes and is a common form of two factor authentication (2FA). OTP is also known as app based authentication, software tokens, or soft tokens where an app on your phone will generate unique numeric passcodes as a second factor to provide increased account security.

Supported authenticator apps

Authenticator apps that support time-based tokens (TOTP & HOTP) work with CCR accounts. Options include:

  • Duo Mobile (for iOS and Android) - recommended smartphone app as it is currently in use by UBIT for all faculty/staff/student accounts
  • Google Authenticator (for iOS and Android)
  • Authy (for iOS, Android, MacOS, Windows, Linux) - recommended option for devices other than smartphones
  • FreeOTP (for iOS and Android)
  • Microsoft Authenticator (for Windows phones)

Tip

Install an authentication app FIRST and have it open on your phone or device prior to enabling 2FA on your CCR account

Enabling Two Factor Authentication

Watch this demonstration of the process:

To enable two factor authentication on your account, follow these easy steps:

  1. Install an authenticator app on your phone. Authentication apps like Authy, Google Authenticator, and Duo are supported. We recommend Duo as it's also used by UBIT.

  2. Login to CCR IDM portal here and click on OTP Tokens in the side menu.

  3. Click on the "New Token" button and follow the directions to scan the QR code using your authenticator app. Enter the six digit passcode generated by the app into the IDM portal to confirm you've linked the account correctly. If so, you'll see the token added and enabled. If this failed, you'll see the error Failed to verify token and you can try again.

Don't have a camera to scan the QR code?
If you do not have the ability to scan the QR code, click on the "Show URI" link under the QR code. This will display a long string containing a secret that you must copy into the authentication app. Copy the section of the string between secret= and &period paste this into your authentication app. For example, for this URI path: 

otpauth://totp/ccruser@CBLS.CCR.BUFFALO.EDU:ccb17777-b91f-4be1-9f31-0c6304968608?digits=6&secret=XU4ECLFSJO675KDTAXMV2Y2ANFOXC25XEMYJEI7JFX33NI7EQXMY34H5&period=30&algorithm=SHA1&issuer=ccruser%40CBLS.CCR.BUFFALO.EDU
you would copy XU4ECLFSJO675KDTAXMV2Y2ANFOXC25XEMYJEI7JFX33NI7EQXMY34H5 into your authentication app. Then enter the six digit passcode generated by the app into the IDM portal to confirm you've linked the account correctly.

Managing tokens for devices

You may view all OTP tokens linked to your CCR account by logging into the IDM portal here and clicking on the OTP Tokens menu option. This is where you can add new tokens for additional devices to your account or remove tokens you no longer need. You can add multiple OTP tokens to your account. If you're planning to change phones, be sure to add a token for your new phone before you get rid of your old phone. If you won't have access to both devices, disable 2FA on your CCR account prior to swapping phones. When you get your new phone re-enable 2FA.

Warning

If you can't login because you no longer have access to the authentication app linked to your CCR account, or somehow the token no longer works, you must contact CCR help to have this reset. You will be required to prove your identity to us. Details will be provided by CCR staff.

Logging In

You will be prompted to enter a one time passcode when authenticating to CCR's web portals including OnDemand, ColdFront, Lake Effect cloud, and IDM. You must launch the authentication app on your device and enter the one time passcode generated for your CCR account. These passcodes regenerate every 30 seconds. Some authentication apps display the passcodes with a space between the first set of 3 digits and the second. However, there should be no spaces or extra characters between these when you enter this in the box labeled OTP six digit code during login.

Push Notifications are NOT supported

There are NO push notifications. The time based passcodes are generated on your device and available offline. They are never sent to you via text message or push notification.

You can also watch the video below which demonstrates the login process:

Disable two factor authentication

To disable 2FA on your CCR account, login to the identity management portal and click on the Security menu option. Click on the Enabled button and when prompted to confirm, click the Disable button. You should now see that 2FA is turned off for your account. You'll receive an email notifying you that 2FA was disabled for your account.

Danger

You will not be able to login to any CCR portals, except IDM, without 2FA enabled!

Troubleshooting

If you're still having trouble with two factor authentication, check the following:

  • Be sure you enter the six digit code from your authenticator app. Remember they change every 30 seconds.
  • If you recently changed phones and did not setup a new OTP token on your new device you will be locked out of your account. Please contact CCR Help to receive instructions on how to proceed.
  • If you forgot your password you can reset it here.
  • Please check the FAQ for additional help and solutions.