Strengthening the security infrastructure around HPC systems has become an urgent and important task, driven especially by the impact of a recent large-scale attack on the worldwide HPC community by an as-yet-unknown party. Multiple European HPC systems had to be shut down for several weeks in mid-May 2020 after backdoors were found on the systems. In the aftermath of the attack, two core security issues were identified: the absence of strong authentication, and a widespread practice of insecure handling of SSH key pairs.
We present our approach for extending an existing, open source, federated identity management system with user-friendly two-factor authentication (2FA) based on Time-Based One-Time Passwords (TOTP) and with centralized, secure SSH key management. Special focus is placed on how we integrated scientific workflows and automation with the new security measures by combining 2FA, SSH key management and security policies in an elegant, secure and user-friendly way.