Multi-factor authentication (MFA) is an authentication method that requires two or more different types of authentication data. The additional factor improves protection of accounts against unauthorized access: a stolen or guessed password alone is no longer enough to log in.
UserGate supports multi-factor authentication with user credentials as the first factor and any of the following as the second factor:
- TOTP (Time-based One-Time Password). A TOTP token generates a one-time password derived from the current time; for details on the algorithm, see https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm. Various hardware tokens or software installed on the user's smartphone, such as Google Authenticator, can serve as the TOTP token.
- SMS. The user receives the one-time password in an SMS message. Each user must have a phone number specified in their local UTM account or in their domain account in Active Directory.
- Email. The user receives the one-time password by email. Each user must have an email address specified in their local UTM account or in their domain account in Active Directory.
To set up multi-factor authentication, perform the following steps:

Name | Description
---|---
Step 1. Set up authentication using the Captive portal. | Multi-factor authentication is supported only when users authorize through the Captive portal. Please refer to Section Configuring a Captive portal.
Step 2. Create a multi-factor authentication profile. | In the console, go to Users and devices-->MFA profiles and create a multi-factor authentication profile. When creating a new profile, specify the delivery parameters for the second authentication factor. Three delivery types are available: TOTP, SMS and email; the parameters of each are described below.
For MFA by TOTP, make sure to provide the following parameters:

Name | Description
---|---
Name | Name of the MFA profile.
Description | Description of the MFA profile.
TOTP initialization | Before TOTP codes can be used, the hardware or software token on the client side must be initialized with a unique key shared with the UTM. The initial key for TOTP initialization can be delivered to the user as follows:
Display a QR code | Displays a QR code on the Captive portal or in an email message, so the user can set up the TOTP hardware or software on the client side by scanning it instead of typing the key.

If a user loses their token, the administrator can require them to initialize a new TOTP token. To do this, select the user in the list (Users and devices-->Users) and choose Reset the TOTP key. At the next authentication the user will be asked to initialize their token again. Because a TOTP code is derived from the current time, the UTM and the user's token must keep their clocks synchronized; a skew larger than the accepted tolerance causes valid codes to be rejected.
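The following is an added example, not UserGate's code, showing how the TOTP method described above works end to end: a random seed is generated for the user, wrapped into the otpauth:// URI that a setup QR code encodes, and codes are then computed per RFC 4226/6238 and checked with a small step window to tolerate clock drift. The defaults (HMAC-SHA1, 6 digits, 30-second step) are the common authenticator-app profile; the issuer and account names are placeholders, and the RFC 6238 test key is included only to reproduce the published test vectors.

```python
import base64
import hmac
import secrets
import struct
import time
import urllib.parse

# Added example, not UserGate code: RFC 4226/6238 one-time passwords as produced by
# Google Authenticator and similar apps. Defaults are the common profile
# (HMAC-SHA1, 6 digits, 30-second step).

# RFC 6238 Appendix B test key ("12345678901234567890"), base32 as an app would store it.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // period, digits, algorithm)


def decode_secret(secret_b32: str) -> bytes:
    """Base32 secrets are often shown without '=' padding; restore it before decoding."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def new_secret(nbytes: int = 20) -> str:
    """Fresh random seed for one user's token (160 bits, the RFC 4226 recommendation)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """The otpauth:// string that a TOTP setup QR code encodes (Key Uri Format)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": algorithm, "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{query}"


def verify(secret_b32: str, submitted: str, unix_time: int,
           period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (tolerates small clock drift). Every candidate is compared in constant time and
    the loop never exits early, so timing does not reveal which step matched."""
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return False
    key = decode_secret(secret_b32)
    step = unix_time // period
    matched = False
    for offset in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(key, step + offset, digits), submitted)
    return matched


if __name__ == "__main__":
    # Enrolment: generate a seed and the QR payload the user scans (placeholder names).
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com", "Example UTM"))
    # Login: the user types the code currently shown in the app; the server checks it.
    now = int(time.time())
    code = totp(decode_secret(secret), now)
    print(code, verify(secret, code, now))
```

Widening `window` makes the system more forgiving of clock skew but also lets each code stay valid longer; a window of one step either side is the usual compromise.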
For MFA by SMS, make sure to provide the following parameters:

Name | Description
---|---
Name | Name of the MFA profile.
Description | Description of the MFA profile.
Auth delivery profile | SMPP profile used for sending passcodes in SMS. For details on how to set up sending of passcodes in SMS, please refer to Notifications.
From | Sender on whose behalf the message is sent.
Body | Body of the message. Use the special variable {2fa_auth_code} in the text; it is automatically replaced with the actual passcode.
Auth code lifetime | Period during which the delivered passcode remains valid.
For MFA over email, make sure to provide the following parameters:

Name | Description
---|---
Name | Name of the MFA profile.
Description | Description of the MFA profile.
Auth delivery profile | SMTP profile used for sending passcodes by email. For details on how to set up sending of passcodes by email, please refer to Notifications.
From | Sender on whose behalf the message is sent.
Subject | Subject of the notification.
Body | Body of the message. Use the special variable {2fa_auth_code} in the text; it is automatically replaced with the actual passcode.
Auth code lifetime | Period during which the delivered passcode remains valid.
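As an added illustration of how the Body template, the Auth code lifetime and the one-time nature of the SMS and email methods fit together on the server side, here is a hypothetical implementation that is not UserGate's own: it draws a random passcode, substitutes it for {2fa_auth_code} in the message body, rejects it once the lifetime has passed or it has been used, and drops it after repeated wrong guesses. The attempt limit, the ManualClock helper and the extract_code helper are this example's own assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example, hypothetical and not UserGate's implementation: the server-side
# bookkeeping behind an SMS/email second factor. The message Body is a template
# containing {2fa_auth_code}; the code is random, valid only for the configured
# lifetime, consumed on first successful use, and discarded after too many wrong
# guesses (the attempt limit is this example's own addition).

TEMPLATE_VARIABLE = "{2fa_auth_code}"


class ManualClock:
    """Clock that can be advanced by hand, so expiry can be shown without waiting."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int


class DeliveredCodeFactor:
    def __init__(self, body_template: str, lifetime_s: int, digits: int = 6,
                 max_attempts: int = 3, clock=time.time) -> None:
        if TEMPLATE_VARIABLE not in body_template:
            raise ValueError(f"message body must contain {TEMPLATE_VARIABLE}")
        self.body_template = body_template
        self.lifetime_s = lifetime_s
        self.digits = digits
        self.max_attempts = max_attempts
        self.clock = clock
        self._pending: dict[str, PendingCode] = {}

    def issue(self, user: str) -> str:
        """Create a fresh code for `user` (replacing any earlier one) and return the
        rendered message to hand to the SMPP/SMTP delivery profile."""
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self._pending[user] = PendingCode(code, self.clock() + self.lifetime_s, self.max_attempts)
        return self.body_template.replace(TEMPLATE_VARIABLE, code)

    def verify(self, user: str, submitted: str) -> bool:
        """True exactly once, for the right code, within its lifetime."""
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self.clock() > pending.expires_at:
            del self._pending[user]          # expired: the user must request a new code
            return False
        pending.attempts_left -= 1
        ok = (len(submitted) == self.digits and submitted.isascii() and submitted.isdigit()
              and hmac.compare_digest(pending.code, submitted))
        if ok or pending.attempts_left <= 0:
            del self._pending[user]          # single use, or locked after repeated failures
        return ok


def extract_code(message: str, body_template: str) -> str:
    """Pull the code back out of a rendered message (test helper; real users just read it)."""
    prefix, suffix = body_template.split(TEMPLATE_VARIABLE, 1)
    return message[len(prefix):len(message) - len(suffix)]


if __name__ == "__main__":
    factor = DeliveredCodeFactor("Your UTM login code is {2fa_auth_code}.", lifetime_s=300)
    message = factor.issue("alice")          # this text goes out via SMS or email
    print(message)
    print(factor.verify("alice", extract_code(message, factor.body_template)))  # first use: True
```

Keeping the lifetime short limits how long an intercepted or misdelivered message is useful; the constant-time comparison and the attempt limit keep the 6-digit code from being brute-forced within that lifetime.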