MFA (Multi-Factor Authentication) Profiles

Multi-factor authentication is an identification and authentication mode in which two or more different types of authentication data (factors) are used. A second factor means that a stolen or guessed password alone is not enough to gain access to the account.

NGFW supports multi-factor authentication using the username and password as the first authentication factor and the following types as the second factor:

  • TOTP (Time-based One Time Password) token: a TOTP token generates a short-lived single-use code from a secret key shared with the NGFW and the current time, so the code changes every time step (typically 30 seconds). For more details on TOTP, see https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm. The token may be a hardware device or an app installed on the user's smartphone, such as Google Authenticator.

  • SMS: a one-time password sent by SMS. To receive SMS messages, each user must have their phone number entered in their local NGFW user account or Active Directory domain user account.

  • Email: a one-time password sent by email. To receive emails, each user must have their email address entered in their local NGFW user account or Active Directory domain user account.

To configure multi-factor authentication, follow these steps:

Step 1. Configure captive-portal authentication.

Multi-factor authentication works only for users who authenticate through the captive portal; users identified by other means (for example, transparently by their domain login) are not prompted for a second factor. For more details, see the relevant section.

Step 2. Create a multi-factor authentication profile.

In the Users and devices ➜ MFA profiles section of the console, create a multi-factor authentication profile with the desired second-factor delivery settings. Three delivery types are available:

  • MFA by TOTP: the second factor is a code generated by a TOTP token

  • MFA by SMS: the second factor is a one-time password sent by SMS

  • MFA by email: the second factor is a one-time password sent by email.

For MFA by TOTP, provide these settings:

Name

The name of the MFA profile.

Description

A description of the MFA profile.

TOTP initialization

Before a device or app can generate TOTP codes, it must be initialized with a unique secret key that the NGFW generates for the user; the key is the shared secret from which every later code is derived. The TOTP initialization key can be communicated by:

  • Showing it on the captive portal page after the first successful login. To do this, select Show key on captive portal page. Note that whoever completes that first password-only login sees the key, so the user should perform the first login promptly after the account is created; until then the account is protected by the password alone.

  • Sending it by SMS. To receive SMS messages, each user must have their phone number entered in their local NGFW user account or Active Directory domain user account. This option requires selecting an appropriate SMS sending profile (SMPP profile) created earlier.

  • Sending it by email. To receive emails, each user must have their email address entered in their local NGFW user account or Active Directory domain user account. This option requires selecting an appropriate email sending profile (SMTP profile) created earlier.

Show QR code

Show a QR code on the captive portal page or in the email to facilitate TOTP device or software configuration.

If the user has lost the token, the administrator can force a re-initialization of the TOTP key. To do this, select the user in the user list (Users and devices ➜ Users) and choose the Reset TOTP key action. The old key stops being accepted, and on the next login attempt the user is asked to initialize a new token.

For MFA by SMS, provide these settings:

Name

The name of the MFA profile.

Description

A description of the MFA profile.

Auth delivery profile

The SMPP profile that will be used to send passwords by SMS. For more details on configuring profiles for sending SMS messages, see the Notification Profiles section.

From

The person or entity in whose name notifications will be sent.

Body

The body of the notification message. In the message body, you can use a special variable named {2fa_auth_code} that will be replaced by the one-time password.

Auth code lifetime

The validity period of the one-time password. Keep it short (minutes, not hours): the code is only as secure as the channel it travels over, and a long lifetime widens the window in which an intercepted SMS or email can be replayed.

For MFA by email, provide these settings:

Name

The name of the MFA profile.

Description

A description of the MFA profile.

Auth delivery profile

The SMTP profile that will be used to send passwords by email. For more details on configuring profiles for sending email messages, see the Notification Profiles section.

From

The person or entity in whose name notifications will be sent.

Subject

Notification subject.

Body

The body of the notification message. In the message body, you can use a special variable named {2fa_auth_code} that will be replaced by the one-time password.

Auth code lifetime

The validity period of the one-time password.
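To make the SMS and email settings above concrete, here is an added example (not NGFW code, and not a description of how the product stores codes internally) of the server-side lifecycle of a delivered one-time password: generate an unpredictable code, substitute it into the administrator's message template via the {2fa_auth_code} variable, keep it with an expiry derived from the auth code lifetime, and accept it at most once. The class and function names, the attempt limit, and the injectable clock and code source are assumptions made so the behaviour can be exercised offline.

```python
"""Added example (not NGFW code): issue, deliver-render and verify a
one-time password sent out of band. Names, the attempt limit and the
injectable `code_source`/`now` parameters are illustrative assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample template in the same form as the profile's Body field.
TEMPLATE_SMS = "Your NGFW login code is {2fa_auth_code}."


def generate_code(digits: int = 6) -> str:
    """Use the secrets module, not random: a code must be unpredictable even to someone who saw earlier ones."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def render(template: str, code: str) -> str:
    """Substitute the documented {2fa_auth_code} variable. Plain replace, not str.format(), so
    braces elsewhere in the administrator's text cannot be interpreted as format fields."""
    return template.replace("{2fa_auth_code}", code)


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int


class OtpStore:
    """Per-user pending codes with expiry, single use and a small attempt budget."""

    def __init__(self, lifetime_seconds: int, max_attempts: int = 3,
                 code_source: Callable[[], str] = generate_code):
        self.lifetime = lifetime_seconds
        self.max_attempts = max_attempts
        self.code_source = code_source
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, user: str, now: float, template: str = TEMPLATE_SMS) -> str:
        """Create a fresh code for the user (replacing any older one) and return the message to send."""
        code = self.code_source()
        self._pending[user] = PendingCode(code, now + self.lifetime, self.max_attempts)
        return render(template, code)

    def verify(self, user: str, candidate: str, now: float) -> bool:
        entry: Optional[PendingCode] = self._pending.get(user)
        if entry is None:
            return False
        if now > entry.expires_at:          # lifetime elapsed: discard, the user must request a new code
            del self._pending[user]
            return False
        entry.attempts_left -= 1
        if hmac.compare_digest(entry.code, candidate):
            del self._pending[user]         # single use: a replayed code is rejected
            return True
        if entry.attempts_left <= 0:        # guessing budget exhausted: discard rather than allow brute force
            del self._pending[user]
        return False


if __name__ == "__main__":
    store = OtpStore(lifetime_seconds=120)
    message = store.issue("alice", now=0.0)
    print("would send:", message)
```

Two details matter more than they look: the code is deleted after one successful check, so the same SMS cannot authenticate twice, and the expiry is evaluated against the time of the verification attempt, so a lifetime of 120 seconds is enforced regardless of how long the message sat in a mailbox.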