Do you recognize a good idea when you see one? We want to hear from you!
Header Image

I suggest you ...

AstaroOS: Support for Two-Factor Authentication (SMS,Token, OTP, Moble App etc..)

Dual-factor authentication is much stronger than password-based authentication which Astaro now using. Astaro has implemented the certificate authority and OpenVPN project has implemented support for PKCS#11 in version 2.1. What there is left ? Only to implement dual-factor authentication in Astaro.

633 votes
Vote
Sign in
Check!
(thinking…)
Reset
or sign in with
  • facebook
  • google
    Password icon
    I agree to the terms of service
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    Ales KotmelAles Kotmel shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →
    Gunnar HermansenGunnar Hermansen shared a merged idea: Radius challenge response  ·   · 
    AnonymousAnonymous shared a merged idea: real 2 way OTP SMS Authentication  ·   · 
    TurkTurk shared a merged idea: Google Authenticator support for VPN  ·   · 
    Pat WardPat Ward shared a merged idea: VPN: Tokenless One Time Password  ·   · 
    Nick GleesonNick Gleeson shared a merged idea: WebAdmin: Two-Factor Token Authentication for Login  ·   · 
    S.KlagesS.Klages shared a merged idea: Authentication: One Time Password Server  ·   · 
    Ramon LustratiRamon Lustrati shared a merged idea: Web Application Security: Two-Factor Token Authentication  ·   · 
    benben shared a merged idea: Token / OTP Support for VPN/Remote Access  ·   · 
    T. AustT. Aust shared a merged idea: SSLVPN: One time Password by Astaro  ·   · 
    Ramon LustratiRamon Lustrati shared a merged idea: UserPortal: Two-Factor Token Authentication  ·   · 
    Paul Traue, Jr.Paul Traue, Jr. shared a merged idea: VPN: Extend Support of RSA SecurID  ·   · 
    Daniel PiazziDaniel Piazzi shared a merged idea: Authentication: Two-factor SMS authentication  ·   · 

    62 comments

    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      Submitting...
      • Anonymous commented  ·   ·  Flag as inappropriate

        Any more details on release date of 9.2?
        The plan for later in 2013 (from May 2013) seem rather outdated

      • WSWS commented  ·   ·  Flag as inappropriate

        Please allow authentication against SMSPasscode and RSAId for the second factor. Perhaps it could be implemented as a Radius Client for the second factor? Seen it done as a second factor via Radius to say, RSAId or SMSPasscode which can be a Radius server.

      • rbarbrowrbarbrow commented  ·   ·  Flag as inappropriate

        Google Authenticator and yubico are my votes on this. (also just as a fyi yubico has a nfc option that doesn't work with iphone as of iphone 5 but should work with most new android and the iphone 5s if that has nfc)

      • Leon KrownLeon Krown commented  ·   ·  Flag as inappropriate

        Adding compliance with Google Authenticator would wonderful. Codes via SMS would be a nice fallback option. Don't try to home bake your own system, use a system already proven, accepted and very well tested and free like GA.

      • GunnarGunnar commented  ·   ·  Flag as inappropriate

        I do hope for Radius Challenge Response to be added, as real time session secure based 2FA is a market demand today.
        We have customers that used to use Astaro, but have changed this with something else, that supports Challenge response.

      • Markus KreisslMarkus Kreissl commented  ·   ·  Flag as inappropriate

        Finally, there's a solution: you can use the 2FA product of SecurEnvoy (www.securenvoy.com). I downloaded, installed, configured to work together with the ASG and tested it: it really works! Why? No challenge-response process but Passcodes via SMS in advance or via seed-based calculation as a Softtoken App on your smartphone. It's up to you what you want to secure, all is possible from Webadmin, over Enduser portal to VPN connections. Instead of merely user name and password (which is e.g. even the Microsoft AD password of the user) you now use username in one line and in the password line the original password followed by the 6-digit dynamic passcode. Any further questions? Contact me: markus.kreissl@ceracon.com (English Oder German language).

      • Markus KreisslMarkus Kreissl commented  ·   ·  Flag as inappropriate

        To my opinion, YubiKey's would not be that good. As far as I can see, there's no possibility to integrate devices which has no acceptance of a usb keyboard, like smartphones and tablets etc...

      • Anonymous commented  ·   ·  Flag as inappropriate

        Please provide a build in dual Factor authentication as soon as possible. Especially if the HTML5-VPN Feauter is used, a more secure way to Auithenticate ist needed!!

      • Adrien BelcourtAdrien Belcourt commented  ·   ·  Flag as inappropriate

        There are very separate features merged and mixed in this thread:

        Implementation of challenge-response support for the SSL VPN client and for RADIUS on Sophos UTM to support highly authenticated VPN access.

        Setting up the wireless hotspot to capture mobile number for deliver of OTP (one time password) requiring challenge response support also. Wireless hotspot access authentication needs beefing up.

        It would be fantastic to have built in support for dual factor authentication out of the box - but this is completely separate feature. It does not require support for challenge response - but it would be so much better - especially for the hotspot feature above - if it did.

        The full implementation of challenge response user dialogue handlers for each of WebAdmin, User Portal and Hotspot Portal (as well as for the SSL VPN client of course).

      • Adrien BelcourtAdrien Belcourt commented  ·   ·  Flag as inappropriate

        I would like to see this done for Hot Spot authentication. You provide a username and password to the user in the normal way printed on a bit of paper. They then enter these details into the hotspot portal, which then asks them for a mobile number to send a One Time Password to. They get an SMS with a OTP which they then enter to gain access.

        Benefits:

        1. Astaro gets to register a Mobile number against an otherwise anonymous internet user.

        2. Access is limited to the owner of the mobile phone, people who pick up a discarded paper with U/P cannot do anything with it.

        It now costs 20 euros per month for unlimited texts. Challenge response is the perfect way to interface this form of two factor authentication to the back end AD system. You could even use this to get Users to register themselves onto an AD system.

        What's not to like.

        Also see http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/184787-astaroos-support-for-two-factor-authentication-s
        for similar feature request.

      • Adrien BelcourtAdrien Belcourt commented  ·   ·  Flag as inappropriate

        Wow - this feature request has been open since 2009, and 2FA has been around since what, the 90s???

        I would like to be able to have a Sophos UTM provide a dual factor authentication mechanism - out of the box - for locking down

        1. Webadmin
        2. User Portal
        3. Roadwarrior VPN access

        At the moment WebAdmin out of the box is vulnerable to

        a) shouldersurfing
        b) keylogging
        c) password harvesting duplicate passwords (i.e. Webadmin pw = Twitter pw)
        d) TCP session replay
        e) Brute force attacks
        f) Man in the middle attacks

        I know I am supposed to be unbearably upbeat about this security product here, but seriously guys - a security device who's primary means of authentication is still only passwords. You must be kidding, right?

        I am pretty sure that most security experts think that passwords are not a good enough form of authentication for a security device that is protecting the IP (which does not stand for Internet Protocol in this context) of the companies it is sold to. Any hacker's response to the statement - that passwords were enough - would be to ROFLOL pause for a second and then ROFLOL some more.

        Please don't say - "but you can buy a bolt on RADIUS server from RSA/Vasco/etc. to fix this - and BTW sorry about the lack of challenge response". The whole point of Astaro is that 99/100 I should not need to spend extra money buying enhanced and more expensive versions of smart features like WAF, Wireless or RED from third parties. I want a smart feature like 2FA and preferably with the following features:

        - One Time Passwords
        - Password is tied to the SSL Session ID
        - Uses SMS messaging which now costs 20 euros per month for unlimited texts

      • FirebearFirebear commented  ·   ·  Flag as inappropriate

        Would like to say something to the comment :
        "Elmar Haag commented · December 15, 2009 9:38 a.m"
        The workaround you discribe here maybe could be the Userportal?

      • DennisDennis commented  ·   ·  Flag as inappropriate

        you could argue if it's benificial to just the certificates in combination with a username/password. But i think there is differentiation between SMS/OTP and/or hardware 2 factor authentication. The other users seem to think so aswell as there are at the time of my comment 134 votes to this request.

      • Anonymous commented  ·   ·  Flag as inappropriate

        Solutions like PhoneFactor and Duosecurity works for OTP and SMS but for actually getting a phone call and pressing a number to authenticate, the ssl vpn client disconnects before it can finish. Extending the time before soft failing the authentication would be great.

      • Daniel RufDaniel Ruf commented  ·   ·  Flag as inappropriate

        It's nice to know, that there is exactly one product supporting two factor authentication with the sophos UTM. But nearly every other competitor supports challenge and response, so we probably need to change our UTM product to one from another vendor, if you are not willing to support this soon.

      • MARK-KDTMARK-KDT commented  ·   ·  Flag as inappropriate

        It looks as if some solutions such as PhoneFactor will work through AD/RADIUS implmentation. This is also one of the most expensive solutions. Sonicwall, Cisco, Fortinet offer many more options. Our clients are requesting options beyond certificates for VPN access. I think this is a critical feature moving forward.

      ← Previous 1 3 4

      Feedback and Knowledge Base