Two Factor Authentication StoredSafe¶
2FA StoredSafe – Two Factor Authentication Made Easy.
Our turnkey appliance lets your organization add two-factor authentication in front of a wide range of information sources. 2FA StoredSafe makes the 2FA roll-out straightforward and adds a second layer of security to your existing information resources. Our recommended solution for easy roll-out and low-cost lifecycle management of two-factor tokens is YubiKeys from Yubico. Standard OATH TOTP is also supported, so you can use your favourite 2FA app such as, but not limited to, Google Authenticator, Microsoft Authenticator or the HE app.
Sample implementations:
- Adding 2FA to current VPN solution
- Adding 2FA for Network Equipment
- Adding 2FA to critical applications
- Adding 2FA to Unix/Linux and Windows Servers
Primary Auth Mode
The primary goal of 2FA StoredSafe is to strengthen an existing authentication mechanism such as AD/LDAP, or another 2FA system, by adding a second factor (currently YubiKey OTP and OATH TOTP apps such as Google Authenticator). There are two variants of this mode.
In the first variant the user authenticates as normal with the backend username and password. If that succeeds the user is challenged for a One Time Password (OTP) from the YubiKey or the authenticator app, and is accepted only once the OTP has been validated as well.
In the second variant the user types the OTP directly after the password in the password field. The appliance strips the OTP off the end (a YubiKey OTP is always 44 modhex characters, a TOTP code 6 digits by default), validates the remaining username and password against the backend and, only if that succeeds, validates the OTP. If the OTP is also valid the user is accepted.
Secondary Auth Mode
In this mode the appliance validates only the OTP and returns accept or reject. Use it only when you already have a primary authentication mechanism that needs a second factor added in front of it.
Backends supported for the username/password step of the primary mode:
- AD or LDAP: the user is validated with an LDAP bind (with or without TLS/SSL).
- RADIUS: the user is validated against another RADIUS server.
To ease administration there is a feature called Auto Provisioning, which binds the username of a successfully authenticated user to the YubiKey public ID (the first 12 characters of every OTP that key produces) of a validated OTP. This happens only the first time the user authenticates; on later logins the user is already associated with his or her YubiKey ID and an OTP from any other key is rejected. Note that whichever YubiKey is presented at that first successful login becomes the bound key, so the first login should take place under controlled conditions, for example at token hand-out.
There is also support for an OTP-bypass for service accounts that cannot handle an OTP, for example RANCID, Tufin or similar tools. A bypassed account is protected by its password alone, so limit the bypass to exactly those accounts.
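The following is an added example, not StoredSafe's own code, that models the decision logic described above: the appended-OTP primary mode (backend check first, OTP second), Auto Provisioning of a YubiKey public ID on first success, and OTP-bypass for service accounts. The credential backend, the YubiKey validator (which stands in for YubiCloud or a local validation server) and the idea that each user's OTP type is known in advance are assumptions for the example; the TOTP routine is the standard RFC 6238 algorithm, and all sample credentials and OTPs are constructed.

```python
"""Added example, not StoredSafe's own code: models the appended-OTP primary
auth mode, Auto Provisioning and OTP-bypass described above. The credential
backend, the YubiKey validator and the per-user OTP type are stand-ins
(assumptions), not the appliance's real interfaces."""
import base64, hashlib, hmac, struct, time

MODHEX = set("cbdefghijklnrtuv")   # the YubiKey OTP alphabet
YUBI_OTP_LEN = 44                   # 12-char public ID + 32-char encrypted token
TOTP_DIGITS, TOTP_STEP = 6, 30      # Google Authenticator defaults

def split_password_otp(secret, otp_type):
    """Split the 'password+OTP' typed into the password field. The OTP type is
    assumed known per user, so the split is by fixed length, not by guessing."""
    n = YUBI_OTP_LEN if otp_type == "yubikey" else TOTP_DIGITS
    if len(secret) <= n:
        return None, None
    return secret[:-n], secret[-n:]

def totp(secret_b32, for_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1, as used by Google Authenticator."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", for_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class FakeYubiValidator:
    """Stand-in for YubiCloud or a local validation server, which would decrypt
    the token and check its counter. This one checks the format, rejects
    replays and returns the 12-character public ID."""
    def __init__(self):
        self.seen = set()

    def validate(self, otp):
        if len(otp) != YUBI_OTP_LEN or not set(otp) <= MODHEX or otp in self.seen:
            return None
        self.seen.add(otp)
        return otp[:12]

class Appliance:
    def __init__(self, backend, users, bypass_accounts, yubi, now=time.time):
        self.backend = backend   # username -> password; stands in for LDAP bind / RADIUS
        self.users = users       # username -> {"otp": type, "totp_secret": .., "yubikey_id": ..}
        self.bypass = set(bypass_accounts)
        self.yubi, self.now = yubi, now

    def _backend_ok(self, username, password):
        stored = self.backend.get(username)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

    def authenticate(self, username, secret):
        """Return (accepted, reason). Log the reason, never send it to the
        client: it tells an attacker which factor failed."""
        user = self.users.get(username)
        if user is None:
            return False, "unknown user"
        if username in self.bypass:            # OTP-bypass: service account, password only
            return self._backend_ok(username, secret), "bypass"
        password, otp = split_password_otp(secret, user["otp"])
        if password is None or not self._backend_ok(username, password):
            return False, "password"           # backend first; the OTP is not touched
        if user["otp"] == "totp":
            t = int(self.now())                 # accept neighbouring steps for clock skew
            codes = {totp(user["totp_secret"], t + d * TOTP_STEP) for d in (-1, 0, 1)}
            return otp in codes, "totp"
        public_id = self.yubi.validate(otp)
        if public_id is None:
            return False, "yubikey invalid or replayed"
        if user["yubikey_id"] is None:         # Auto Provisioning on the first success
            user["yubikey_id"] = public_id
            return True, "provisioned " + public_id
        return user["yubikey_id"] == public_id, "yubikey"

# Constructed sample data: not real credentials, secrets or key IDs.
BACKEND = {"alice": "Winter2024!", "bob": "hunter2", "rancid": "svc-pass"}
USERS = {
    "alice": {"otp": "yubikey", "yubikey_id": None},
    "bob": {"otp": "totp", "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    "rancid": {"otp": "yubikey", "yubikey_id": None},
}
OTP_A = "ccccccbcgujh" + "rvjgiuljbhhilcdrtkgglfnrhdfcfibv"   # key 1, first press
OTP_B = "ccccccbcgujh" + "tlgcntbicjvuhnrufibcuejhhfgdrdhb"   # key 1, second press
OTP_X = "vvvvvvnlkbfe" + "rvjgiuljbhhilcdrtkgglfnrhdfcfibv"   # a different key

def demo():
    """Run the scenarios from the text; returns the accept/reject decisions."""
    users = {u: dict(v) for u, v in USERS.items()}
    app = Appliance(BACKEND, users, {"rancid"}, FakeYubiValidator(), now=lambda: 59)
    return [
        app.authenticate("alice", "Winter2024!" + OTP_A)[0],  # accepted, key bound to alice
        app.authenticate("alice", "Winter2024!" + OTP_A)[0],  # rejected, OTP replayed
        app.authenticate("alice", "Winter2024!" + OTP_X)[0],  # rejected, not alice's key
        app.authenticate("alice", "wrongpass" + OTP_B)[0],    # rejected by the backend
        app.authenticate("bob", "hunter2" + totp(users["bob"]["totp_secret"], 59))[0],
        app.authenticate("bob", "hunter2" + "000000")[0],     # rejected, wrong TOTP
        app.authenticate("rancid", "svc-pass")[0],            # accepted via OTP-bypass
    ]
```

Calling `demo()` returns `[True, False, False, False, True, False, True]`. Two design points worth noticing: the backend password is checked before the OTP is even looked at, so a wrong password does not consume the OTP, and the YubiKey public ID bound at the first success is the only key accepted afterwards, which is why the first login should happen under controlled conditions.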
2FA StoredSafe forwards the original IP address of the client as the RADIUS Calling-Station-Id attribute and also proxies back any attributes returned by the backend RADIUS server.