Merge pull request 'Duo MFA guide' (#10) from jshiffer/site:mfa-guide into main

Reviewed-on: lug/site#10

content/wiki/emails.md

@@ -3,40 +3,77 @@ title: Email Account Guide
 description: "How to log in with an email client, change your password, and the latest updates on the upcoming multi-factor authentication (MFA) mandate."
 ---
 
+---
+
 ## NEW: Multi-Factor Authentication
 
-The University is mandating that multi-factor authentication (MFA) be enabled for all email accounts by **May 1, 2025**. Specifically, we are using [Cisco Duo](https://duo.com/docs/duounix) as our MFA service, to be consistent with MyUCLA, UCLA Google Apps, and the UCLA Campus VPN.
+The University is mandating that multi-factor authentication (MFA) be enabled for all email accounts by May 1, 2025. Specifically, we are using [Cisco Duo](https://duo.com/docs/duounix) as our MFA service, to be consistent with MyUCLA, UCLA Google Apps, and the UCLA Campus VPN. Even if you have UCLA Duo set up already, this uses a slightly different instance belonging to UCLA Computer Science specifically.
 
-Your cooperation is **required** because you will eventually have to manually enroll your mobile device over SSH. If you fail to respond by the deadline, we will be forced to close your email account.
+We have activated MFA starting on April 25. You must follow the below instructions to access your inbox.
 
-No immediate action is required, because we are still waiting on the CS department to get in touch with Cisco and host their own Duo server. That being said, you must check your email inbox (or this page) regularly for future updates.
+### Enrollment Instructions
 
-**For non-UCLA students**: Please install the Duo app on your mobile device ([iOS](https://apps.apple.com/us/app/duo-mobile/id422663827), [Android](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile&hl=en-US&pli=1)) at your earliest convenience if you haven't already.
+1. Install the Duo app on your mobile device ([iOS](https://apps.apple.com/us/app/duo-mobile/id422663827), [Android](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile&hl=en-US&pli=1)). You can also use a compatible [security key](https://guide.duo.com/security-keys).
+2. SSH into your virtual machine.
+3. Run `ssh [your username]@10.0.0.10` in the shell—this connects to the mail server.
 
+{{< figure src="/duo/Screenshot from 2025-04-25 16-46-23.png" >}}
+
+4. You will be prompted to enroll in Duo MFA. Paste any one of the links into your browser and follow the on-screen instructions.
+
+{{< figure src="/duo/Screenshot 2025-04-25 at 16-43-30 Duo Security - Device Management.png" >}}
+
+We recommend against using text messages as your authentication method, because they leave you vulnerable to [SIM swap attacks](https://www.cnet.com/news/privacy/do-you-use-sms-for-two-factor-authentication-heres-why-you-shouldnt/).
+
+{{< figure src="/duo/Screenshot 2025-04-25 at 16-43-47 Duo Security - Device Management.png" >}}
+
+{{< figure src="/duo/Screenshot 2025-04-25 at 16-44-11 Duo Security - Device Management.png" >}}
+
+{{< figure src="/duo/Screenshot 2025-04-25 at 16-44-24 Duo Security - Device Management.png" >}}
+
+{{< figure src="/duo/Screenshot 2025-04-25 at 16-44-34 Duo Security - Device Management.png" >}}
+
+{{< figure src="/duo/Screenshot 2025-04-25 at 16-44-55 Duo Security - Device Management.png" >}}
+
+{{< figure src="/duo/Screenshot 2025-04-25 at 16-45-28 Duo Security - Device Management.png" >}}
+
+{{< figure src="/duo/Screenshot 2025-04-25 at 16-45-42 Duo Security - Device Management.png" >}}
+
+5. You can Ctrl+C out of the SSH password prompt once you've enrolled.
+
+6. Try rerunning the last SSH command. You should now get a Duo push on your phone, which logs you in once accepted.
+
+{{< figure src="/duo/IMG_6215.jpg" height="400" >}}
+
+{{< figure src="/duo/Screenshot from 2025-04-25 16-59-20.png" >}}
+
+Now would be a good time to change your password if you haven't done so already! Just run the `passwd` command on the "paris" server.
+
+7. Now, you can log into your email inbox as you did before, with the added step of accepting the Duo push on your phone.
+
+**NOTE:** your IMAP session is supposed to be cached for an hour to avoid spamming repeat Duo requests. Please contact us right away if this doesn't work as intended&mdash;hitting "deny" on the Duo pushes repeatedly will only lock you out of your account, requiring manual intervention from the CS Department! You can reach us on [Discord](/discord), [XMPP](https://xmpp.link/#main@room.linux.ucla.edu%3Fjoin), or use an alternative account to email [board@linux.ucla.edu](mailto:board@linux.ucla.edu).
+
+---
 
 ## Logging in
 
 I am using the following settings with Thunderbird to get in. I haven't  tried it with another email client but you are welcome to.
 
-SMTP: 
+### SMTP
 
-Server Name: mail.linux.ucla.edu 
+Server Name: `mail.linux.ucla.edu`
 
-Port: 587 
-
-[![img](https://linux.ucla.edu/mediawiki/images/thumb/9/9b/Hackerman.png/300px-Hackerman.png)](https://linux.ucla.edu/mediawiki/index.php/File:Hackerman.png)
-
-Look at all the hackers getting banned for too many failed login attempts!
+Port: `587`
 
 Authentication method: Normal password 
 
 Connection security: STARTTLS 
 
-IMAP: 
+### IMAP
 
-Server Name: mail.linux.ucla.edu 
+Server Name: `mail.linux.ucla.edu`
 
-Port: 993 
+Port: `993`
 
 Authentication method: Normal Password 
 
@@ -44,6 +81,6 @@ Connection security: SSL/TLS
 
 ## Changing your password
 
-To change the password, please ssh into your web server and ssh to [your  username]@10.0.0.10. Then use passwd to change your password.
+To change the password, SSH into your virtual machine and run the shell command `ssh [your  username]@10.0.0.10`. Accept the Duo MFA push, or follow the MFA enrollment instructions if it's your first time. Then use the `passwd` command to change your password.
 
 (Yes we know, this is a pretty crappy and inelegant solution, but it's good enough for now)

layouts/partials/now.html

@@ -15,18 +15,18 @@
 <ul>
     <li>
         <a href="/events">
-            Next Weekly Meeting: <span class="magic"></span> at 6 PM, Slichter Hall Room 2834
+            Next Weekly Meeting: <span class="magic" id="next-meeting-date"></span> at 6 PM, Slichter Hall Room 2834
         </a>
     </li>
     <li>
         <a href="/wiki/emails">
-            Email Multi-Factor Authentication deadline: <span class="magic">Thu May 01 2025</span>
+            <span class="magic">ACTION REQUIRED:</span> Enroll in Email Multi-Factor Authentication
         </a>
     </li>
 </ul>
 <script>
     document.addEventListener('DOMContentLoaded', function () {
         var nextThursday = new Date(Date.now() + (((4 - new Date().getDay() + 7) % 7) * 86400000));
-        document.querySelector('span.magic').innerHTML = nextThursday.toDateString();
+        document.getElementById('next-meeting-date').innerHTML = nextThursday.toDateString();
     });
 </script>