04-11-19 | References
What is two-factor authentication?
What is an authentication factor?
What is the process for logging in?
What are the authentication choices?
Who needs two-factor authentication?
Why do we offer two-factor authentication?
Why do people need two-factor authentication?
When do people use two-factor authentication?
What does two-factor authentication work with?
What is required for two-factor authentication?
What is two-factor authentication incompatible with?
What is two-factor authentication compatible with?
How do we deploy two-factor authentication?
What is the SLA on two-factor authentication?
How do we deliver two-factor authentication?
What partners/brands do we use for two-factor authentication?
Why did we choose Duo Security?
What is unique about Duo Security’s product?
What kind of limitations do we have with two-factor authentication?
What should a user do if they lose their phone or change their phone number?
Online Tech offers two-factor authentication for VPN access as part of its VPN security solutions that protect against online fraud and unauthorized access for clients who connect to their networks from a remote location.
Adding an extra layer of protection is highly recommended for any client concerned with security. It is required by PCI DSS compliance, and recommended to meet HIPAA compliance. With the advent of widespread mobile phone use, linking the second authentication factor to a personal device makes achieving secure access an easy task.
It is a simple, mobile phone-based authentication method that clients can set up for users that need to connect to their network remotely. After initial configuration, Online Tech sends the client a custom URL. Users will login with a username and password, then complete a secondary authentication of their choice to achieve network access – by using push authentication, a smartphone passcode, text message or phone call (read more about each method in What are the authentication choices? below).
Two-factor, also known as dual-factor or multi-factor, authentication requires the presence of two or more of the three authentication factors (something the user knows, something the user has, and something the user is).
In other words, instead of simply requiring a password to gain access to an account, you need an additional method in place to prove you are truly the account holder. Usually this second factor comes from something physical like a random number-generating key fob (hardware device with built-in authentication mechanisms) or a cell phone in order to further ensure that the account holder is, in fact, the one logging into the account.
This is one of the best ways to protect against phishing attacks, account takeover and data theft.
We are providing this product solely for VPN (virtual private network) access at this time, although it can, in theory, be used for many different forms of access to provide an extra layer of security.
An authentication factor is any one method of authorizing your identity to achieve access to your account, i.e., entering a username and password to login.
Any organization concerned about security should consider implementing two-factor authentication for their VPN, regardless of their compliance requirements.
If you have sensitive data that can be accessed from your VPN, or if you are concerned about your password security, this product is ideal for you. Two-factor authentication is an essential part of high-quality VPN security solutions.
The Payment Card Industry Data Security Standards (PCI DSS) mandate that organizations who “hold, process, or pass cardholder information” meet a minimum level of security. Part of this security is protecting remote access logins with strong authentication. PCI requirement 8.0 states organizations must assign a unique ID to each person with computer access.
Specifically, section 8.3 requires organizations to implement two-factor authentication for remote access to the network by employees, administrators, and third parties. To achieve compliance with this requirement, you should use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.
It is required to meet PCI DSS compliance and we recommend it in order to meet HIPAA compliance.
We offer it because it provides an extra layer of security at a low cost. We also offer it due to client demand to meet PCI requirements. Two-factor authentication has become increasingly easier due to the prevalence of cell phone use. As a result, more and more companies are seeing lower barriers to entry.
Simply put, dual factor authentication lowers a company’s risk of a data breach. If the cost of implementing such a system is lower than the increased benefit of a lower risk of breach, then a company will see the value of this product.
As stated before, it is also a required technology to meet PCI compliance, and we recommend it for HIPAA compliance.
People will use two-factor authentication any time they log into their VPN. They will need to enter their username and password as well as authenticate through their phone. Generally, these users are administrators, not end-users of systems, so it’s critical to have an additional layer of security for their access.
Currently Online Tech supports two-factor services with VPN access on a virtual or dedicated firewall. While that is our standard offering, we may be able to accommodate other login applications on a case-by-case basis. Note that clients who use our shared firewall cannot add this feature to the VPN. If they want to have two-factor VPN, they have to upgrade to a dedicated virtual or physical firewall.
We cannot add two-factor authentication to our shared firewall VPN access at this time.
Two-factor authentication includes an application that is downloaded to the user’s phone. For example, in the case of an iPhone, the user can download the application from iTunes. There is also an app for Android. For those phones that do not have an app, the user can use the SMS feature. So, any phone that can support text messages is compatible with our two-factor solution.
We set up all of our clients with their own URL, give all of their users separate accounts and walk them through the process of logging in and setting up their account through a kick-off meeting.
In terms of technical deployment, the process involves setting up a VPN, setting up primary authentication (first factor authentication), configuring to integrate with dual factor, and then registering users with Duo (this can be done by the client). See deployment punch list for more information on how this product is deployed.
We do not have a SLA on this product at this time. All we warrant is that if they ask us to make a change to the users (add, edit, or change a user), we will.
Each client will have their own URL with which they can login and access their VPN through the two-factor authentication method.
We use a company called Duo Security.
Every day, over 500 organizations in 40+ countries around the world rely on Duo for their security.
Duo Security is based in Ann Arbor, Michigan, and is a privately held company with the following investors: Google Ventures, True Ventures, and Resonant Venture Partners.
We chose Duo Security because it was a natural fit for us. They are an award-winning Ann Arbor-based company with one of the best products on the market that makes a great addition to Otava’s VPN security solutions.
Duo leverages the mobile phone as the second factor in authentication. It’s a device that people already have, know how to use, and notice when it’s missing. Using an existing device reduces deployment and training costs, and improves the end-user experience of the entire system.
Duo Security works with all phone types, from landlines to smartphone platforms. In the simplest case, users just answer a phone call and press a button to authenticate. Duo Security works internationally with customers authenticating from 42 countries around the world.
It may require a central authentication system and allows for only 100 logins a month per user.
Additionally, if a client buys VPN connections and two-factor authentication, all of those VPN accounts must be two-factor or none of them for optimal security.
If the client is using our shared central authentication service, we cannot disable two-factor on a per user basis. It has to be activated/deactivated for all users at the same time.
Contact Online Tech support and we can resend your activation link or link your account with a different phone number.
Two-Factor Authentication Product Overview by Duo Security (PDF)
Two-Factor Authentication Features and Benefits by Duo Security (PDF)
Flexible Multifactor Authentication White Paper by Duo Security (PDF)
Fortinet FortiGate SSL VPN Integration Documents by Duo Security
PCI DSS Quick Reference Guide for Version 2.0 (PDF)