04-11-19 | References

Two-Factor Authentication for VPN Login FAQ

References

Product Summary
What is two-factor authentication?
What is an authentication factor?
What is the process for logging in?
What are the authentication choices?
Who needs two-factor authentication?
Why do we offer two-factor authentication?
Why do people need two-factor authentication?
When do people use two-factor authentication?
What does two-factor authentication work with?
What is required for two-factor authentication?
What is two-factor authentication incompatible with?
What is two-factor authentication compatible with?
How do we deploy two-factor authentication?
What is the SLA on two-factor authentication?
How do we deliver two-factor authentication?
What partners/brands do we use for two-factor authentication?
Why did we choose Duo Security?
What is unique about Duo Security’s product?
What kind of limitations do we have with two-factor authentication?
What should a user do if they lose their phone or change their phone number?
Additional Resources

Product Summary

Online Tech offers two-factor authentication for VPN access as part of its VPN security solutions that protect against online fraud and unauthorized access for clients who connect to their networks from a remote location.

Adding an extra layer of protection is highly recommended for any client concerned with security. It is required by PCI DSS compliance, and recommended to meet HIPAA compliance. With the advent of widespread mobile phone use, linking the second authentication factor to a personal device makes achieving secure access an easy task.

How does it work?

It is a simple, mobile phone-based authentication method that clients can set up for users that need to connect to their network remotely. After initial configuration, Online Tech sends the client a custom URL. Users will login with a username and password, then complete a secondary authentication of their choice to achieve network access – by using push authentication, a smartphone passcode, text message or phone call (read more about each method in What are the authentication choices? below).

What are the benefits?

  • Ease of integration and installation
  • Can be controlled and implemented by the client
  • Inexpensive but adds a significantly higher level of security
  • Meets regulatory compliance requirements for sensitive data protection
  • Supports any type of phone, including smartphones, features and landlines

What is two-factor authentication?

Two-factor, also known as dual-factor or multi-factor, authentication requires the presence of two or more of the three authentication factors (something the user knows, something the user has, and something the user is).

In other words, instead of simply requiring a password to gain access to an account, you need an additional method in place to prove you are truly the account holder. Usually this second factor comes from something physical like a random number-generating key fob (hardware device with built-in authentication mechanisms) or a cell phone in order to further ensure that the account holder is, in fact, the one logging into the account.

This is one of the best ways to protect against phishing attacks, account takeover and data theft.

We are providing this product solely for VPN (virtual private network) access at this time, although it can, in theory, be used for many different forms of access to provide an extra layer of security.

What is an authentication factor?

An authentication factor is any one method of authorizing your identity to achieve access to your account, i.e., entering a username and password to login.

What is the process for logging in?

Setting up two-factor authentication for a user for the first time:

  1. A user will go to the URL given to them by OT support and enter their username and password.
  2. After logging in, they’ll be prompted to input their phone number and verify it with a simple phone call or text message.
  3. The next step is to install Duo Mobile, a smartphone app that generates passcodes and supports Duo Push (on iPhone and Android).
  4. After installing the app, it needs to be activated in order to be linked to the user’s account.
  5. Lastly, the user is shown a success message and the login prompt that they’ll normally see when logging in.

To connect via VPN using two-factor authentication after set-up:

  1. Go to the URL and login with their username and password.
  2. Choose which authentication method: Duo Push, phone call, text or passcode.
  3. If they choose Duo Push, a notification will be sent to their phone. They simply have to select the “Approve” button to redirect their browser to the SSL VPN service homepage.
  4. Then they can launch “Tunnel Mode” to direct traffic through their VPN.
  5. See What are the authentication choices? for more information on how each method works.

Who needs two-factor authentication?

Any organization concerned about security should consider implementing two-factor authentication for their VPN, regardless of their compliance requirements.

If you have sensitive data that can be accessed from your VPN, or if you are concerned about your password security, this product is ideal for you. Two-factor authentication is an essential part of high-quality VPN security solutions.

The Payment Card Industry Data Security Standards (PCI DSS) mandate that organizations who “hold, process, or pass cardholder information” meet a minimum level of security. Part of this security is protecting remote access logins with strong authentication. PCI requirement 8.0 states organizations must assign a unique ID to each person with computer access.

Specifically, section 8.3 requires organizations to implement two-factor authentication for remote access to the network by employees, administrators, and third parties.[1] To achieve compliance with this requirement, you should use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.

It is required to meet PCI DSS compliance and we recommend it in order to meet HIPAA compliance.

Why do we offer two-factor authentication?

We offer it because it provides an extra layer of security at a low cost. We also offer it due to client demand to meet PCI requirements. Two-factor authentication has become increasingly easier due to the prevalence of cell phone use. As a result, more and more companies are seeing lower barriers to entry.

Why do people need two-factor authentication for VPN?

Simply put, dual factor authentication lowers a company’s risk of a data breach. If the cost of implementing such a system is lower than the increased benefit of a lower risk of breach, then a company will see the value of this product.

As stated before, it is also a required technology to meet PCI compliance, and we recommend it for HIPAA compliance.

When do people use two-factor authentication?

People will use two-factor authentication any time they log into their VPN. They will need to enter their username and password as well as authenticate through their phone. Generally, these users are administrators, not end-users of systems, so it’s critical to have an additional layer of security for their access.

What does two-factor authentication work with?

Currently Online Tech supports two-factor services with VPN access on a virtual or dedicated firewall. While that is our standard offering, we may be able to accommodate other login applications on a case-by-case basis. Note that clients who use our shared firewall cannot add this feature to the VPN. If they want to have two-factor VPN, they have to upgrade to a dedicated virtual or physical firewall.

 

What is required for two-factor authentication?

  • Two-factor only applies to remote VPNs, not point-to-point VPNs.
  • For clients who have Cisco ASA’s and have purchased VPNs, there is a limit to 2 two-factor VPNs per ASA device. This is because these devices use SSL and we have to purchase additional SSL licenses for each VPN.

What is two-factor authentication incompatible with?

We cannot add two-factor authentication to our shared firewall VPN access at this time.

What is two-factor authentication compatible with?

Two-factor authentication includes an application that is downloaded to the user’s phone. For example, in the case of an iPhone, the user can download the application from iTunes. There is also an app for Android. For those phones that do not have an app, the user can use the SMS feature. So, any phone that can support text messages is compatible with our two-factor solution.

How do we deploy two-factor authentication?

We set up all of our clients with their own URL, give all of their users separate accounts and walk them through the process of logging in and setting up their account through a kick-off meeting.

In terms of technical deployment, the process involves setting up a VPN, setting up primary authentication (first factor authentication), configuring to integrate with dual factor, and then registering users with Duo (this can be done by the client). See deployment punch list for more information on how this product is deployed.

What is the SLA on two-factor authentication?

We do not have a SLA on this product at this time. All we warrant is that if they ask us to make a change to the users (add, edit, or change a user), we will.

How do we deliver two-factor authentication?

Each client will have their own URL with which they can login and access their VPN through the two-factor authentication method.

What partners/brands do we use for two-factor authentication?

We use a company called Duo Security.

Every day, over 500 organizations in 40+ countries around the world rely on Duo for their security.

Duo Security is based in Ann Arbor, Michigan, and is a privately held company with the following investors: Google Ventures, True Ventures, and Resonant Venture Partners.

Why did we choose Duo Security?

We chose Duo Security because it was a natural fit for us. They are an award-winning Ann Arbor-based company with one of the best products on the market that makes a great addition to Otava’s VPN security solutions.

What is unique about Duo Security’s product?

Duo leverages the mobile phone as the second factor in authentication. It’s a device that people already have, know how to use, and notice when it’s missing. Using an existing device reduces deployment and training costs, and improves the end-user experience of the entire system.

Duo Security works with all phone types, from landlines to smartphone platforms. In the simplest case, users just answer a phone call and press a button to authenticate. Duo Security works internationally with customers authenticating from 42 countries around the world.

What kind of limitations do we have with two-factor authentication?

It may require a central authentication system and allows for only 100 logins a month per user.

Additionally, if a client buys VPN connections and two-factor authentication, all of those VPN accounts must be two-factor or none of them for optimal security.

If the client is using our shared central authentication service, we cannot disable two-factor on a per user basis. It has to be activated/deactivated for all users at the same time.

What should a user do if they lose their phone or change their phone number?

Contact Online Tech support and we can resend your activation link or link your account with a different phone number.

Additional Resources

Two-Factor Authentication Product Overview by Duo Security (PDF)
Two-Factor Authentication Features and Benefits by Duo Security (PDF)
Flexible Multifactor Authentication White Paper by Duo Security (PDF)
Fortinet FortiGate SSL VPN Integration Documents by Duo Security
PCI DSS Quick Reference Guide for Version 2.0 (PDF)


Overwhelmed by cloud chaos?
We’re cloud experts, so you don’t have to be.

© 2024 OTAVA® All Rights Reserved