Thank you very much for the second introduction and welcome to this talk. So this talk here, it gets more technical. And I think we will start with a simple information: what is two-factor authentication or multi-factor authentication? But I won't go into much detail because I assume if you came to a talk with all these buzzwords in the title, you know what I'm talking about. But to bring everyone on the same level, you have to know that nowadays passwords get stolen, are reused by users on multiple platforms, are often too short or too simple, and they can be cracked. That's a fact. And we can solve the situation nowadays by establishing two-factor authentication or multi-factor authentication, and this talk is about how does this work in Moodle.

FIDO2 to the rescue. So FIDO2 is a modern framework for secure authentication, and FIDO2, or in particular Web Authentication as a component, is available in modern browsers and operating systems. Users have started to get used to it, so you shouldn't have, or hopefully don't have, to explain to your users how this works. And especially, FIDO2 can be used as a secure factor in addition to your passwords, and you can use hardware keys like these to support your security needs and add hardware factors by using hardware.

So that sounds interesting. Let's do it. How can we add MFA to Moodle? Basically it's quite simple. Use a Moodle authentication plugin which redirects the user to an external login page like Shibboleth, OpenID Connect or something like that, and the external identity provider can take care of MFA with FIDO2, and we are done. Checkmark, problem solved, let's get a coffee.

But can we do it better? Of course we should, because you should consider this. If this multi-factor authentication is realized within Moodle, MFA policies can be built on Moodle-internal information like cohort memberships or user roles: which user group is required to have which additional factors.
And in addition to that, users nowadays expect a seamless login experience and do not really like or expect that they get redirected to other systems just to log in to a system.

So does Moodle core support MFA? Not yet. If you have been in Matt's presentation this morning, you know it will happen. So stay tuned. But this is the situation which we faced last summer. And is there a plugin for that? Of course. Tool MFA to the rescue. The brilliant plugin by Catalyst IT kicks in after Moodle has successfully authenticated the user, and administrators can add additional authentication factors which are based on sophisticated rule sets. And does Tool MFA support FIDO2, the nice authentication framework which we talked about before, and the possibility to use all these hardware tokens? Unfortunately not yet. But there are other useful factors like email, OTP and SMS in Tool MFA already. So this is just a small advertisement block for this brilliant plugin.

So let's join forces. Some weeks or months ago we decided to realize this goal, and there was a partnership by Swissbit. Swissbit is a security hardware manufacturer. They offered the iShield Key Pro for strong authentication. This hardware is made in Germany, and Swissbit fully funded the development of FIDO2 support in Tool MFA. So thanks to Swissbit. And we joined forces with Catalyst IT. Catalyst is a Moodle partner with a long record in open source contributions to Moodle, and Catalyst IT carried out the implementation of the FIDO2 support in addition to their existing plugin. The third party was Lernling. Lernling is the Moodle partner which I'm working for. We are specializing in Moodle services for small and medium-sized enterprises, and we carried out the project management and end user testing. Successful factors in all this project were: partner with experts, do not reinvent the wheel, and most important, contribute your solutions back to the community.

So it's demo time. I'm logged in as a normal user.
I have the hardware token in my pocket. I plug it into the notebook and I have this additional link, multi-factor authentication preferences, in my user preferences page. When I click on this link I come to this page here. I am invited to add a security key. Security key is just a general term. You can name it whatever you like in the Moodle language customization. And if I click on the button "set up security key", I am asked to give my hardware token a name, because I can add multiple of them of course. And after clicking this "register security" button, a browser user interface pops up. So this is done in Safari on macOS. It looks differently on other systems and other operating systems. But now the browser takes over control, and the browser is interacting with the hardware and is doing some cryptographic magic, generating some keys, and the security key is registered in Moodle.

Afterwards, after this simple step, the security key is there in this list, and I simply log out and log in again with the standard existing Moodle login, so I do not need to hook up any external identity provider, just to mention that again. After I have successfully authenticated with my passwords, I am asked to verify my security key. This is a standard dialog by Tool MFA and I have two buttons. Let's first click on the first one, the blue one, "verify security key". Again I see the browser interface. I am asked to have the security key. There is some touch area here. I touch this area and afterwards I am logged in. That's it.

But what happens if I do not have this token with me? Then I can click the second button, "I don't have my security key", and it's now up to you what you will support in. You can add sophisticated rules, fallbacks, whatever. For example, if the user is within your university campus network and is able to receive his emails, then you can send him a one-time login to his email account.
Otherwise, if you do not configure anything, there is a nice error message which you can again customize in your language tool and, for example, direct the user to the administrator's desk.

Looking at the plugin from the administrator's point of view and looking at this FIDO2 factor, you have two important settings. The first is types of security keys. So here you can limit down which type of security key is allowed. By default everything is allowed which supports FIDO2, but if you do not want your users to use, for example, NFC or Bluetooth Low Energy, whatever, and just want to support USB keys, you can configure it here. And the other thing is user verification. You can ignore user verification. You can enforce it or you can recommend it. And user verification means that, in this hardware case with the hardware tokens, the users are required to add an additional PIN; on other devices maybe they would have to add their fingerprint. So much about that.

This is the situation now. The thing is usable. You can get the hardware. You can deploy it on your site. It's fully usable. Whatever you like. But one more thing. It's core integration. Moodle HQ is working hard on integrating this plugin, Tool MFA including FIDO2, into Moodle core for Moodle 4.3 on. As you have heard before by Matt this morning, some pieces have already landed. Some pieces are still underway. For example, there is a user experience improvement. At the right side you see a mockup of this button, of this dialogue, which will appear as soon as I have successfully entered my password and have logged in, and you can watch the project under this MDL number.

Coming to a close. It's your turn now. You can visit us. You are invited to visit us with Swissbit and Lernling in the service sponsors area at the Swissbit desk. You can try MFA there with the Key Pro. You can have a look at the administrative interface of the plugin, and of course you can also have a look at the authentication service package which we offer.
Thank you very much for listening. I'm open for your questions.

Obviously I have a question. Like two questions. One, how much more or less it costs, the key in general?

I am not the salesperson, so please direct these questions to the Swissbit staff or to my boss Guido, who is sitting behind you. In a way Guido.

And the second one, do you need the key to be plugged in the whole session or is it only for authentication?

It's only used once during the login, and as soon as you have tapped on the device you can plug it out, put it away, lose it, whatever. It's just needed for this one step phrase.

I'm the one with the prices if everyone has a question. And we have a special offer if you want to give 10 of these keys to your administration department. It's 380 euro one time, yes. If you want to pay it in three years, you can split up the hardware cost and pay it in monthly base for three years. We have also prices for 1,000, 5,000, 10,000 users. No, you just buy the hardware, and if you buy it at Lernling you also get some support for introducing the plugin to your Moodle system. And more details at the end of the desk.