The Departmental No-Password Policy

The Department of Computer Science wants to limit the use of the departmental password as much as possible. The KU Leuven MFA is the preferred alternative.

Currently the following uses are impacted and should be replaced with the given alternative:

  • logging in with SSH: use KU Leuven MFA SSH Certs
    • this includes the deprecation of your own SSH keys for interactive use, because they do not have a limited lifetime, and a limited lifetime is one of the key factors in the additional security the SSH Certs give
  • connecting with VPN:
    • departmental VPN: not yet implemented
    • use the KU Leuven VPN (Dutch, English) for the time being
  • web site login: will be replaced by KU Leuven Shibboleth MFA login where possible

Note that your password remains the only way to log in at the (directly attached) console of a (system group administered) machine - there are currently no plans to look for alternatives there.

The main reasons for this change are the usual ones: passwords can be unsafe if not created or handled well; KU Leuven MFA is readily available and must be used for other purposes anyway; and the SSH Certs are time-limited and therefore change (very) regularly.

The KU Leuven MFA

KU Leuven enforces the use of multi-factor authentication on its central login page (the page where you authenticate using your KU Leuven u- or r-number and corresponding password) - other services will follow.

There is documentation about the use of the KU Leuven Multi-Factor Authentication in Dutch and in English.

The authentication app is available in the Apple and Google App Stores. For Android devices that cannot use the Google Play Store (or whose owners do not want to), the authenticator APK is available here.

Some additional details about what to do if you are having problems with your MFA device(s):

  • you can create a Reset Code with which you can delete your registered devices yourself and start over with new devices - note that you will have to register at least 1 new MFA device after resetting before you can use the KU Leuven Central Login again, because the reset code does not disable the MFA requirement

  • if you do not have such a Reset Code you can/should contact the departmental helpdesk - we can delete your devices for you so that you can make a fresh start - there are also some other ways in which you can reset your device registration(s)

  • if your registered devices are not available (broken, lost, forgotten, ...) and you really need to log in, you can ask the central ICTS service point to (temporarily) suspend the MFA requirement for your account - this will not be taken lightly though: you will need to authenticate yourself in some way (e.g. by giving personal details on the phone) and it will not be suspended for long - this really is an emergency-only service

  • note that we, the departmental helpdesk, cannot suspend the MFA requirement; you have to contact the service point for that - we can delete your registered devices though, so you can start over with new devices