6.6. MFA (Multi-Factor Authentication) Profiles

Multi-factor authentication is an authentication mode where two or more different types of authentication data (factors) are used. This additional level of security provides more effective protection from unauthorized access to the account.

UserGate supports multi-factor authentication using the username and password as the first authentication factor and the following types as the second factor:

  • TOTP (Time-based One Time Password) token: a TOTP token generates a single-use password from a key shared with the server and the current time, so the password changes every time step. For more details on TOTP, see https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm. The token may be a dedicated hardware device or an app installed on the user's smartphone, such as Google Authenticator.

  • SMS: a one-time password sent by SMS. To receive SMS messages, each user must have their phone number entered in their local UserGate user account or Active Directory domain user account.

  • Email: a one-time password sent by email. To receive emails, each user must have their email address entered in their local UserGate user account or Active Directory domain user account.

To configure multi-factor authentication, follow these steps:

Step 1. Configure captive-portal authorization.

Multi-factor authentication works only when users are authorized using the captive portal. For more details, see the relevant section.

Step 2. Create an MFA profile.

In the Users and devices --> MFA profiles section of the console, create a multi-factor authentication profile with the desired second-factor delivery settings. Three delivery types are available:

  • MFA by TOTP: deliver the second factor using TOTP tokens.

  • MFA by SMS: deliver the second factor using SMS.

  • MFA by email: deliver the second factor using email.

For MFA by TOTP, provide these settings:

Name: the name of the MFA profile.

Description: a description of the MFA profile.

TOTP initialization: before TOTP tokens can be used, the client device or software must be initialized by entering a unique key into it. The TOTP initialization code can be communicated by:

  • Showing it on the captive portal page after first successful login. To do this, select Show key on captive portal page.

  • Sending it by SMS. To receive SMS messages, each user must have their phone number entered in their local UserGate user account or Active Directory domain user account. This option requires selecting an appropriate SMS sending profile (SMPP profile) created earlier.

  • Sending it by email. To receive emails, each user must have their email address entered in their local UserGate user account or Active Directory domain user account. This option requires selecting an appropriate email sending profile (SMTP profile) created earlier.

Show QR code: show a QR code on the captive portal page or in the email to make configuring the TOTP device or software easier.

If the user has lost the token, the administrator can trigger a mandatory re-initialization of the TOTP token by selecting this user in the user list (Users and devices --> Users) and choosing the Reset TOTP key option. On the next login attempt, the user will be asked to re-initialize their token.

For MFA by SMS, provide these settings:

Name: the name of the MFA profile.

Description: a description of the MFA profile.

Auth delivery profile: the SMPP profile that will be used to send passwords by SMS. For more details on configuring profiles for sending SMS messages, see the section Notification Profiles.

From: the person or entity in whose name notifications will be sent.

Body: the body of the notification message. In the message body, you can use the special variable {2fa_auth_code}, which is replaced by the one-time password.

Auth code lifetime: the validity period of the one-time password.

For MFA by email, provide these settings:

Name: the name of the MFA profile.

Description: a description of the MFA profile.

Auth delivery profile: the SMTP profile that will be used to send passwords by email. For more details on configuring profiles for sending email messages, see the section Notification Profiles.

From: the person or entity in whose name notifications will be sent.

Subject: the subject of the notification.

Body: the body of the notification message. In the message body, you can use the special variable {2fa_auth_code}, which is replaced by the one-time password.

Auth code lifetime: the validity period of the one-time password.
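The SMS and email profiles above share the same mechanics: a one-time code is generated, substituted for {2fa_auth_code} in the Body template, delivered, and accepted only within the Auth code lifetime. The Python example below, added here and not UserGate's own code, shows those mechanics end to end: CSPRNG code generation, template rendering, expiry enforcement, single use, and a hypothetical attempt limit (the limit is an assumption of this example, not a documented UserGate setting). The message template and the five-minute lifetime are constructed sample values, and the clock is injectable so the expiry path can be exercised.

```python
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample template; {2fa_auth_code} is the placeholder the Body field accepts.
BODY_TEMPLATE = "Your UserGate login code is {2fa_auth_code}. It expires in 5 minutes."
CODE_LIFETIME = 300   # seconds, playing the role of the profile's "Auth code lifetime"
MAX_ATTEMPTS = 5      # hypothetical: wrong guesses allowed before the code is discarded


def render_body(template: str, code: str) -> str:
    """Substitute the one-time code into the message body, as the delivery profile does."""
    return template.replace("{2fa_auth_code}", code)


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0


class OneTimeCodeStore:
    """Server-side state for delivered (SMS/email) one-time codes, one per user."""

    def __init__(self, lifetime: float = CODE_LIFETIME,
                 clock: Callable[[], float] = time.time) -> None:
        self.lifetime = lifetime
        self.clock = clock
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, user: str, digits: int = 6) -> str:
        """Create a fresh code from the OS CSPRNG (never random.random) and
        return the rendered message body to hand to the SMPP/SMTP profile.
        Issuing a new code replaces any earlier unused one."""
        code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self._pending[user] = PendingCode(code, self.clock() + self.lifetime)
        return render_body(BODY_TEMPLATE, code)

    def verify(self, user: str, submitted: str) -> bool:
        """Accept the code once, only before expiry, and only within the
        attempt budget; every failure path discards nothing that could be
        replayed and every success path consumes the code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self._pending[user]          # expired: lifetime elapsed
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user]          # budget exhausted: force re-issue
            return False
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[user]          # single use
            return True
        return False


def extract_code(body: str) -> Optional[str]:
    """Helper for demos/tests: pull the 6-digit code back out of a rendered body."""
    match = re.search(r"\b\d{6}\b", body)
    return match.group(0) if match else None


if __name__ == "__main__":
    store = OneTimeCodeStore()
    body = store.issue("alice")
    print("deliver:", body)
    print("verify correct:", store.verify("alice", extract_code(body)))
    print("verify replay :", store.verify("alice", extract_code(body)))
```

A short lifetime and a small attempt budget are what make a six-digit code safe against online guessing; without both, an attacker who can submit codes freely would need on average only half a million tries, which a five-minute window and five attempts make irrelevant.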