Home

Help Documents

Need help figuring out how to do something on this site? Below are some write-ups that could help.

Article Quick Links

How to Create (Register) a New Account.
Logging in without verifying your email first.
How to Login to the site.
How to Login to the site with 2FA.
What is MFA, 2FA, OTP, and TOTP.

Creating (Register) a New Account
- To create a new account in the system, click the Create New Account link from the Login page. This will take you to the form needed to create or register a new account with the system.
- Fill out the form with the appropriate values.
  
  User Name
  
  This will be your unique username.
  
  Password
  
  This will be your password to log into the system. It must follow the requirements listed at the top of the create new user page.
  
  Confirm Password
  
  Type in your password again. These passwords must match to create an account.
  
  E-mail
  
  This is the email account registered to you in the system. This email address must be confirmed to be able to complete your registration. Therefore, make sure that it is an account that you have access to. All communication from the site comes to this email address. Therefore, it should also be an email you check regularly.
  
  Security Question
  
  This will be your personal security question used to verify your account if you need to reset your password. Pick a question that is not answered by anyone other than yourself.
  
  Security Answer
  
  This is the answer to the security question that you've just chosen, which we store encrypted in our system to verify yourself in the case that you forget your password.
- Click the Create user button to submit the form to create your account. Any errors will be listed on page. Correct these issues, and submit the form again.
- After successfully submitting the form, you will be informed that an email has been sent with a confirmation link.
- Check your email. You should have an email containing instructions for verifying your email account. From the email you can either click on Confirm Email link or copy the included address and paste it into your browser.
  
  Until an email address has been confirmed, you will not be able to log in.
  
  If you do not see the email, check your SPAM or Junk mail folders. If you need to resend the email, follow the directions in the Logging in without verifying your email first section.
- After successfully confirming your email address, a message that the email was confirmed will be displayed on the page.
  
  Click the Login link to return to the login page and log into the site.
  
  Instructions for logging into the site can be found in the logging in to the site section.
- If your email address could not be confirmed, it may be due to an expired link. Follow the direction in the Logging in without verifying your email first section.
Logging in without verifying your email first.
You will be unable to log in to the system until you have verified your email address.

Check your email account associated with this account. If you are unable to find the email, follow these steps to resend your confirmation email.
- Attempt to log in with the correct credentials.
  
  Without your email address verified, you will be notified that your email has not been confirmed.
- Reenter your credentials and click the Resend Confirmation button to resend the email to you.
  
  Make sure to check your SPAM and Junk Email folders.
- When the email has been sent, you will see a confirmation message that the email has been sent.
  
  At this point, check the email address associated with this account. You may need to check your SPAM or Junk mail folders.
Logging in to the site.
- To login to the system, you will need a couple of things:
  1. A confirmed email address.
    - If you do not have a confirmed email address, refer to the Logging in without verifying your email first section.
    - You will not be able to log in until your email address has been confirmed.
  2. Access to the email address that has been confirmed.
    - An email is sent as part of the login process, you must have access to your email to complete the process.
- Enter your credentials on the Login page.
  
  The checkbox is to help you stay logged in with less interruptions, but should only be selected on a computer that is only for your use. If you are on a computer used by multiple people or not able to be physically secured, you should not use this option.
  
  After entering your credentials, click the Log In button.
- After your credentials have been validated, an email will be sent to you containing a validation code. You will be redirected to another page that will ask you for the validation(OTP) code specified in the email.
- Check your email for a code required to log in. You may need to check your SPAM or Junk mail folders.
  
  Remember this code to continue your login experience. This code is only valid for 10 minutes.
- Return to your browser and enter the code that was in the email and click the Log In button to complete the login process.
- You should then be logged into the site.
Logging in to the site using 2FA and a TOTP Authenticator App.
- To log in to the system, you will need a couple of things:
  1. A confirmed email address.
    - If you do not have a confirmed email address, refer to the Logging in without verifying your email first section.
    - You will not be able to log in until your email address has been confirmed.
  2. An Authenticator App that has been associated to your account.
    - You must have previously associated your account to a TOTP secret stored in your Authenticator app.
    - If you do not have an authenticator app associated with your account, you will need to log in using the steps in the Logging in to the site section.
- Enter your credentials on the Login page.
  
  The checkbox is to help you stay logged in with less interruptions, but should only be selected on a computer that is only for your use. If you are on a computer used by multiple people or not able to be physically secured, you should not use this option.
  
  After entering your credentials, click the Log In button.
- After your credentials have been validated, you will be redirected to another page to complete the login process using your authenticator app.
- Check your authenticator app for the code associated with NEUP Proposals.
  
  TOTP codes are only valid for a certain time window and expire after a set time. You must use the code displayed within this window.
  
  Because each authenticator app is different, we cannot cover how each app is used. You will need to check the documentation for your specific app on how to get the appropriate code.
- Enter the code from your Authenticator App and click the Log In button to complete the login process.
- You should then be logged into the site.
What is MFA, 2FA, OTP, and TOTP?
Here are some terms with some definitions:
Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a security measure that requires two or more verification methods to gain access to a resource, such as an application, online account, or a VPN. The idea behind MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target, such as a physical location, computing device, network, or database. If one factor is compromised or broken, an attacker still has at least one more barrier to breach before successfully breaking into the target.

The factors in MFA are generally categorized into three groups:

Something You Know:

This is knowledge-based authentication. It's something the user must remember and input when prompted.

Examples: Passwords, PINs, security questions, or passphrases.

Something You Have:

This refers to something the user physically possesses.

Examples: Smart cards, key fobs, smartphone apps (like an authenticator app that generates one-time codes), or even a USB security key.

Something You Are:

This involves biometric verification, which is unique to the individual.

Examples: Fingerprint scans, facial recognition, voice recognition, or iris scans.

Some systems may also include additional factors, such as:

Somewhere You Are (Location):

This factor confirms the user's location, usually through GPS or IP address tracking.

Something You Do (Behavior):

This can include patterns like the way you type, the angle at which you hold your phone, or even your routine login times and locations.

In practice, MFA could look like entering a password (something you know) and then receiving a text with a code on your phone (something you have) or being prompted for a fingerprint scan (something you are). This multi-layered approach significantly increases security.

Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is a subset of MFA that specifically uses two distinct forms of identification before granting access to a user. It’s designed to add an extra layer of security by combining two different types of authentication factors, typically from two of the three categories I mentioned above: something you know, something you have, or something you are.

Here is a common example of two-factor authentication:

Password and One-Time Passcode (OTP):

The user enters their username and password (something they know). After the password is entered, the user is prompted to enter a one-time passcode. This passcode can be received via SMS on the user’s phone, generated by an authenticator app, or sent through email (something they have).

The goal of 2FA is to create a more robust defense against unauthorized access by combining these different types of evidence that the user is who they claim to be. If one factor is compromised, such as a password being stolen, the unauthorized user would still need the second factor to gain access, which significantly reduces the risk of a security breach.

One-Time Passwords (OTP)
A one-time password (OTP) is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs are a form of two-factor authentication (2FA) and are designed to be more secure than static passwords.

Here's why:
- Time-sensitive: Most OTPs are designed to be used within a short period of time. After the time window has expired, the password is no longer valid, and even if it is intercepted or somehow stolen during transmission, it cannot be used again.
- Unique to Each Login: Each time a user initiates a login process, a new OTP is generated. This ensures that even if a previous OTP was intercepted, it cannot be used to access the system at a later time.
OTPs can be delivered to the user in various ways such as Email-based OTPs where the OTP is sent to the user’s email account.

The generation of OTPs is often based on algorithms that use a secret known only to the service which allows for predictable and unique generation that can be easily verified by the service.
Time-based One-Time Passwords (TOTP)

Time-based One-Time Passwords (TOTP) are a specific type of one-time password that are valid for only a short period of time, usually 30 to 60 seconds. Using applications or software (like Microsoft Authenticator, Google Authenticator, or Authy) that generate an OTP on the user’s device, such as a smartphone or computer. After the time expires, a new TOTP is generated. The generation of TOTPs relies on two main components: a shared secret and the current time.

Here's how TOTP works in simple terms:

Shared Secret:

When you set up TOTP for an account, a unique secret is shared between the server (the service you're trying to access) and your TOTP generator (often a mobile app like Microsoft Authenticator, Google Authenticator, or other authenticator app).

This secret is usually represented as a QR code that you scan with your device.

Algorithm:

Both the server and your TOTP generator use the same cryptographic algorithm using the current time as the moving factor.

Current Time:

The server and your device both know the current time. The algorithm uses the current time and the shared secret key to generate the TOTP. Because the time is always moving forward, the generated password is only valid for a short window.

Authentication:

When you attempt to log in, you enter your username and password (something you know) and the TOTP from your device (something you have). The server also generates the TOTP on its end using the shared secret and the current time.

If the TOTP you provide matches the server's generated TOTP, you're granted access.

The main advantage of TOTP is that it's resistant to replay attacks. Even if a malicious actor intercepts the password, it will be useless after the time window has expired. This makes TOTP a popular choice for enhancing the security of online accounts.
This was generated with the help of AiVA (an INL proprietary AI).