Two-Factor Authentication on the 5400-RM

Digi International
December 21, 2016
The 5400-RM is the first Accelerated Concepts device to support Two-Factor Authentication (2FA) with TOTP and HOTP verification. This feature adds the security of 2FA to logins over SSH, helping to keep intruders out of the 5400-RM and the devices it manages remotely.
Two-Factor Authentication (2FA) refers to a standard for system logins that require a secondary method of identity confirmation in addition to a user-defined password. Many web services, including email providers, social media platforms, and banks, use 2FA for privileged actions such as signing in from new locations or transferring funds to a new destination account.
A One-Time Password (OTP) is often used for the second authentication method, where the user enters a code that can be used only once. It is common for OTPs to also have a limited window of validity, which helps mitigate brute-force attacks by making the two-factor secret a moving, transient target comprised of the user password and OTP. That way, even if the entire secret is exposed to attackers, by a keylogger for instance, the OTP cannot be reused since it would be expired.
For web services, users may be issued OTPs over a secondary communication channel registered with their account, such as an email address or phone number. The service provider is responsible for issuing the OTPs provisioned in these situations, and will control the duration of validity for the distributed codes.
The user may alternatively be entrusted with hardware or software capable of generating OTPs that are then validated using a cryptographic hash function. This requires that the server and client both know the secret, the source of the transient input, and the specific mathematical algorithm (the hash) used to obscure the OTP. Users are granted access only when the server and client agree on the currently valid OTP issued by these parameters.
HMAC-Based One-Time Passwords (HOTPs) and Time-Based One-Time Passwords (TOTPs) are open industry standards that define the methodology for transient input and OTP generation. They differ in how each anticipates a login session’s cryptographic hash: HOTPs are driven by a logon event counter, switching to a new hash code after a set increment (rendering the previous code invalid), while TOTPs are refreshed after a fixed unit of time.
The popularity of both these methods has resulted in a number of applications that manage secret keys and create HOTP/TOTP codes – FreeOTP, Google Authenticator, and SafeNet MobilePASS are good choices for mobile platforms.
To enable 2FA for a user on your 5400-RM:
  1. Navigate to the Configuration tab of the device interface.
  2. Drill down to the Two-factor authentication settings by expanding the following nested menus: Authentication ? Users ? [Selected User] ? Two-factor authentication.NOTE: Replace [Selected User] with the user account that requires 2FA. For example, an account named “serial” is shown in the screenshot below.
  3. Select the Enable checkbox to activate 2FA for the selected user account.
  4. Define the Verification type as either TOTP or HOTP.
  5. The Secret key must also be defined once 2FA is enabled. This should be a random string of characters rather than an easily remembered password or phrase.NOTE: The Generate secret key option under the Secret key pulldown menu populates the field automatically with a 128-bit string of randomly generated characters.
  6. Once established, the secret key must be stored securely in a OTP manager.
  7. This can be streamlined by selecting Show secret key QR code from the Secret key pulldown. The QR code can then be scanned by mobile devices to easily load the secret key and other settings into the OTP manager. (Otherwise the 2FA OTP information must be entered manually.)
  8. The Scratch codes field stores single-use emergency codes as an alternative means of secondary authentication. These can be used in place of the HOTP/TOTP at any time, which is useful for regaining access to the system if the secret key is lost, the clocks become unsynchronized (for TOTP), or the login count is lost (for HOTP).After the configuration has been saved, SSH logins to the 5400-RM will first prompt for a verification code. After entering the 6-digit OTP code generated by the HOTP/TOTP manager – or a scratch code if using the emergency bypass – the login process resumes and the conventional, user-defined password is requested.