Two-Factor Authentication Overview

Two-factor authentication is an authentication method that requires two independent pieces of information to establish identity and privileges. It is stronger and more rigorous than traditional password authentication, which requires only one factor (the user’s password).

Dell SonicWALL’s implementation of two-factor authentication partners with two of the leaders in advanced user authentication: RSA and VASCO.

Beginning in SRA 5.5, two RADIUS servers can be used for two-factor authentication, allowing users to be authenticated through the Web portal or with an SRA client such as NetExtender or Secure Virtual Assist.

See the following sections:

Benefits of Two-Factor Authentication

Two-factor authentication offers the following benefits:

How Does Two-Factor Authentication Work?

Two-factor authentication requires the use of a third-party authentication service, or two separate RADIUS authentication servers.

With two-factor authentication, users must enter a valid temporary passcode to gain access. A passcode consists of the following:

When two RADIUS servers are used, the second stage PIN or password can be sent to the user via SMS or email. NetExtender login and Secure Virtual Assist both provide extra challenge(s) for entering it.

When a third-party authentication service is used, it consists of two components:

Users receive the temporary token codes from their RSA or VASCO token cards. The token cards display a new temporary token code every minute. When the RSA or VASCO server authenticates the user, it verifies that the token code timestamp is current. If the PIN is correct and the token code is correct and current, the user is authenticated.

Because user authentication requires these two factors, the dual RADIUS servers solution, the RSA SecurID solution, and the VASCO DIGIPASS solution offer stronger security than traditional passwords (single-factor authentication).

Supported Two-Factor Authentication Providers

RSA

RSA is an algorithm for public-key cryptography. RSA utilizes RSA SecurID tokens to authenticate through an RSA Authentication Manager server. RSA is not supported on all hardware platforms and is supported via RADIUS only.

VASCO

VASCO is a public company that provides user authentication products. VASCO utilizes Digipass tokens to authenticate through a VASCO IdentiKey server. VASCO is supported on all SRA platforms.

VASCO Data Security delivers reliable authentication through the use of One Time Password technology. VASCO IdentiKey combined with Dell SonicWALL SRA and firewall VPN appliances creates an open-market approach delivered through VASCO IdentiKey technology.

VASCO IdentiKey lets users authenticate with VASCO DIGIPASS, which uses One Time Passwords that are assigned for time segments, providing easy and secure SRA remote access. The One Time Password within the authentication request is verified on the VASCO IdentiKey. After verification, a RADIUS access-accept message is sent to the SRA server for authentication.

Two-Factor Authentication Login Processes

This section provides examples of the two-factor authentication login prompts when using Web login and NetExtender.

With Web login, the Username and Password fields are used to enter the first-stage credentials.

When prompting the user to input the challenge code, the message “Please enter the M.ID PIN:” is the reply message from the RADIUS server in this example; different RADIUS servers may have different reply message formats.

Some RADIUS servers may require the user to respond to several challenges to complete the authentication. In this example, the M.ID server asks the user to respond to two challenges. The following passcode can be received through email or cellphone (if SMS is configured).

When using two-factor authentication with the NetExtender Windows client, the login process through the client is very similar to logging in through the Web page. Initially, the Username and Password fields are used to enter the first-stage credentials.

This is followed by the PIN challenge.

Last, the Passcode challenge is displayed.
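The challenge sequence described in this section (first-stage credentials, then a PIN challenge, then a passcode challenge) can be modeled as the loop below. This is an added example, not Dell SonicWALL or RADIUS vendor code: `FakeRadiusServer`, `login`, `MAX_ROUNDS`, the second prompt text and all credential values are constructed for illustration, and no network traffic is involved.

```python
import hmac
import secrets

# RADIUS packet codes from RFC 2865.
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
MAX_ROUNDS = 5  # assumed cap so a misbehaving server cannot prompt forever


class FakeRadiusServer:
    """Constructed stand-in for the second-stage RADIUS server (no network)."""

    def __init__(self, password, pin, passcode):
        self.password = password
        # (Reply-Message, expected answer); the second prompt text is made up.
        self.stages = [("Please enter the M.ID PIN:", pin),
                       ("Please enter the passcode:", passcode)]
        self.sessions = {}  # State value -> index of the stage awaiting an answer

    def request(self, user, response, state=None):
        if state is None:                      # first stage: username + password
            expected, nxt = self.password, 0
        elif state in self.sessions:           # answer to an outstanding challenge
            idx = self.sessions.pop(state)     # each State value is single-use
            expected, nxt = self.stages[idx][1], idx + 1
        else:
            return ACCESS_REJECT, "Unknown session", None
        if not hmac.compare_digest(response.encode(), expected.encode()):
            return ACCESS_REJECT, "Authentication failed", None
        if nxt == len(self.stages):
            return ACCESS_ACCEPT, "Welcome", None
        new_state = f"{user}-{nxt}-{secrets.token_hex(8)}"
        self.sessions[new_state] = nxt
        return ACCESS_CHALLENGE, self.stages[nxt][0], new_state


def login(server, user, password, answer_prompt):
    """Portal-side loop: relay each Reply-Message, echo State, fail closed."""
    code, message, state = server.request(user, password)
    prompts = []
    for _ in range(MAX_ROUNDS):
        if code != ACCESS_CHALLENGE:
            break
        prompts.append(message)  # text shown to the user comes from the server
        code, message, state = server.request(user, answer_prompt(message), state)
    # Anything other than Access-Accept, including too many rounds, is a failure.
    return code == ACCESS_ACCEPT, prompts
```

The prompt text is whatever the server places in its reply message, which is why the loop displays it verbatim instead of assuming a fixed wording.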