Configuring Appliance Two Factor Authentication

Describes the procedure to configure two factor authentication settings

Two factor authentication is a verification process in which two recognized factors are used to identify you before you are granted access to a system or website. In addition to your password, you must correctly enter a numeric one-time passcode (the verification code) to complete the login process. This adds a layer of security on top of password-only authentication.

To provide this functionality, a trust is established between the appliance and the mobile device used for authentication. The trust is simply a shared-secret, or a graphic barcode encoding it, that is generated by the system and presented to the user upon first login.

The advantage of two-factor authentication is that a password alone is not enough: if an attacker guesses your password, they still cannot log in, because the enrolled device is required to generate the verification code.

The verification code is a dynamic code generated by a smart device such as a smartphone or tablet. The user enters the shared-secret, or scans the barcode, into the device, and from that moment on the device generates a new verification code every 30-60 seconds. The user must enter the current verification code every time as part of the login process. Because the code is derived from the current time, the date and time on the ESA and on the device used to validate the one time password (OTP) must be in sync.

Protegrity appliances and authenticators

There are a few requirements for using two factor authentication with Protegrity appliances.

  • For validating one time passwords (OTP), the date and time on the ESA and the validating device must be in sync.
  • Protegrity appliances only support the Google, Microsoft, or Radius Authenticator apps.
  • Download the appropriate app on a mobile device, or use any other TOTP-compatible device or application.
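The following added example is not part of the Protegrity documentation or product code; it illustrates how the time-based one-time password (TOTP, RFC 6238) scheme described above works, and why the time-sync requirement in the list exists. It uses the standard RFC 4226/6238 reference secret (the ASCII string 12345678901234567890, shown here in the base32 form that authenticator apps accept) as a constructed sample; the function names and the one-step tolerance window are the example's own assumptions, not the appliance's behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample shared-secret: the RFC 4226/6238 reference key, in the
# base32 form an authenticator app would accept when a user types it in.
SAMPLE_SHARED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_shared_secret(b32: str) -> bytes:
    """Turn the base32 shared-secret shown to the user into raw key bytes."""
    padded = b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Validate a submitted code, tolerating `window` steps of clock drift
    either side (assumed tolerance; a real appliance's window may differ).
    Constant-time comparison avoids leaking which digits matched."""
    base_counter = at_time // step
    for drift in range(-window, window + 1):
        candidate = hotp(secret, base_counter + drift, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def demo_clock_drift() -> dict:
    """Show why the ESA and the device must share the same time: the same code
    is accepted with a small offset but rejected once the clocks diverge."""
    secret = decode_shared_secret(SAMPLE_SHARED_SECRET_B32)
    device_time = 59                      # device generates its code at T=59
    code = totp(secret, device_time)
    return {
        "code": code,
        "accepted_at_t65": verify_totp(secret, code, 65),   # 6 s drift: ok
        "accepted_at_t95": verify_totp(secret, code, 95),   # 36 s drift: rejected
    }


if __name__ == "__main__":
    key = decode_shared_secret(SAMPLE_SHARED_SECRET_B32)
    print("current code:", totp(key, int(time.time())))
    print(demo_clock_drift())
```

The values for T=59 and T=1111111109 match the RFC 6238 test vectors, which is a convenient way to check any TOTP implementation against a known-good answer. Note that the tolerance window is a trade-off: widening it accommodates drift but also lengthens the time for which a captured code remains valid.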

The Security Officer configures the Appliance Two Factor Authentication by any one of the following three methods:

  • Automatic per-user shared-secret is the default and recommended method. Each user gets a separate shared-secret, generated for them by the system, which is presented to the user upon the first login.

  • Radius Authentication is the authentication using the RADIUS protocol.

  • Host-based shared-secret uses a common shared-secret for all users, which is specified and distributed to the users by the Security Officer. The host-based shared-secret method is useful to enforce the same secret code across multiple appliances in clustered environments.


Working with Automatic Per-User Shared-Secret

Describes the procedure to work with the Automatic Per-User Shared-Secret

Working with Host-Based Shared-Secret

Describes the procedure to work with the Host-Based Shared-Secret

Working with Remote Authentication Dial-up Service (RADIUS) Authentication

Describes the procedure to work with RADIUS Authentication

Working with Shared-Secret Lifecycle

Describes the procedure to work with the shared-secret lifecycle

Logging in Using Appliance Two Factor Authentication

Describes the procedure to log in using the Two Factor Authentication

Disabling Appliance Two Factor Authentication

Describes the procedure to disable the Two Factor Authentication

Last modified February 7, 2025