AstaroOS: Support for Two-Factor Authentication (SMS,Token, OTP, Moble App etc..)
Dual-factor authentication is much stronger than password-based authentication which Astaro now using. Astaro has implemented the certificate authority and OpenVPN project has implemented support for PKCS#11 in version 2.1. What there is left ? Only to implement dual-factor authentication in Astaro.
A 2 factor solution based off of OATH TOTP was released in UTM 9.200, and subsequent authenticator apps were released for mobile OSes, though other OATH clients such as google authenticator are also fully compatible.
A further feature for SMS based 2fa for select features will be included in UTM 9.300.
2 factor for SMS in 9.4 is missing...
We are having Sophos SG430 with firmware 9.355 but it doesn't support SMS for 2 factor authentication.
so far TOTP is the one and only option to use 2FA feature.
Any update on this concerning Radius Challenge and Response?
Gunnar Hermansen commented
Hi Angelo, Is this implemented with Radius Challenge response ?
Any more details on release date of 9.2?
The plan for later in 2013 (from May 2013) seem rather outdated
Please allow authentication against SMSPasscode and RSAId for the second factor. Perhaps it could be implemented as a Radius Client for the second factor? Seen it done as a second factor via Radius to say, RSAId or SMSPasscode which can be a Radius server.
Google Authenticator and yubico are my votes on this. (also just as a fyi yubico has a nfc option that doesn't work with iphone as of iphone 5 but should work with most new android and the iphone 5s if that has nfc)
Leon Krown commented
Adding compliance with Google Authenticator would wonderful. Codes via SMS would be a nice fallback option. Don't try to home bake your own system, use a system already proven, accepted and very well tested and free like GA.
i want that, too!
I do hope for Radius Challenge Response to be added, as real time session secure based 2FA is a market demand today.
We have customers that used to use Astaro, but have changed this with something else, that supports Challenge response.
Markus Kreissl commented
Finally, there's a solution: you can use the 2FA product of SecurEnvoy (www.securenvoy.com). I downloaded, installed, configured to work together with the ASG and tested it: it really works! Why? No challenge-response process but Passcodes via SMS in advance or via seed-based calculation as a Softtoken App on your smartphone. It's up to you what you want to secure, all is possible from Webadmin, over Enduser portal to VPN connections. Instead of merely user name and password (which is e.g. even the Microsoft AD password of the user) you now use username in one line and in the password line the original password followed by the 6-digit dynamic passcode. Any further questions? Contact me: email@example.com (English Oder German language).
Markus Kreissl commented
To my opinion, YubiKey's would not be that good. As far as I can see, there's no possibility to integrate devices which has no acceptance of a usb keyboard, like smartphones and tablets etc...
YubiKey's could be great for this!
Please provide a build in dual Factor authentication as soon as possible. Especially if the HTML5-VPN Feauter is used, a more secure way to Auithenticate ist needed!!
There are very separate features merged and mixed in this thread:
Implementation of challenge-response support for the SSL VPN client and for RADIUS on Sophos UTM to support highly authenticated VPN access.
Setting up the wireless hotspot to capture mobile number for deliver of OTP (one time password) requiring challenge response support also. Wireless hotspot access authentication needs beefing up.
It would be fantastic to have built in support for dual factor authentication out of the box - but this is completely separate feature. It does not require support for challenge response - but it would be so much better - especially for the hotspot feature above - if it did.
The full implementation of challenge response user dialogue handlers for each of WebAdmin, User Portal and Hotspot Portal (as well as for the SSL VPN client of course).
Please consider integrating Duo Security two factor authentication support.
I would like to see this done for Hot Spot authentication. You provide a username and password to the user in the normal way printed on a bit of paper. They then enter these details into the hotspot portal, which then asks them for a mobile number to send a One Time Password to. They get an SMS with a OTP which they then enter to gain access.
1. Astaro gets to register a Mobile number against an otherwise anonymous internet user.
2. Access is limited to the owner of the mobile phone, people who pick up a discarded paper with U/P cannot do anything with it.
It now costs 20 euros per month for unlimited texts. Challenge response is the perfect way to interface this form of two factor authentication to the back end AD system. You could even use this to get Users to register themselves onto an AD system.
What's not to like.
Also see http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/184787-astaroos-support-for-two-factor-authentication-s
for similar feature request.
Wow - this feature request has been open since 2009, and 2FA has been around since what, the 90s???
I would like to be able to have a Sophos UTM provide a dual factor authentication mechanism - out of the box - for locking down
2. User Portal
3. Roadwarrior VPN access
At the moment WebAdmin out of the box is vulnerable to
c) password harvesting duplicate passwords (i.e. Webadmin pw = Twitter pw)
d) TCP session replay
e) Brute force attacks
f) Man in the middle attacks
I know I am supposed to be unbearably upbeat about this security product here, but seriously guys - a security device who's primary means of authentication is still only passwords. You must be kidding, right?
I am pretty sure that most security experts think that passwords are not a good enough form of authentication for a security device that is protecting the IP (which does not stand for Internet Protocol in this context) of the companies it is sold to. Any hacker's response to the statement - that passwords were enough - would be to ROFLOL pause for a second and then ROFLOL some more.
Please don't say - "but you can buy a bolt on RADIUS server from RSA/Vasco/etc. to fix this - and BTW sorry about the lack of challenge response". The whole point of Astaro is that 99/100 I should not need to spend extra money buying enhanced and more expensive versions of smart features like WAF, Wireless or RED from third parties. I want a smart feature like 2FA and preferably with the following features:
- One Time Passwords
- Password is tied to the SSL Session ID
- Uses SMS messaging which now costs 20 euros per month for unlimited texts
Would like to say something to the comment :
"Elmar Haag commented · December 15, 2009 9:38 a.m"
The workaround you discribe here maybe could be the Userportal?
you could argue if it's benificial to just the certificates in combination with a username/password. But i think there is differentiation between SMS/OTP and/or hardware 2 factor authentication. The other users seem to think so aswell as there are at the time of my comment 134 votes to this request.