Multi-factor authentication for VPN systems, such as Meraki Client VPN or Fortinet VPN will soon be possible using FIDO Security keys, both FIDO2 and U2F.
While classic OTP (and namely TOTP) still remains industry standard for two-factor authentication and is supported out of the box by the majority of VPN servers and clients, there is not a lot of products that can leverage the FIDO keys for securing VPN access. The majority of the current solutions that are being marketed as supporting FIDO and FIDO2 keys are using the OTP functionality of the security keys (most USB FIDO keys, in addition to U2F and/or WebAuthN features, also have an additional module that can generate OTP, i.e. HOTP by pressing a button, or TOTP via a companion app). This may look like a solution but is still OTP based 2FA. While OTP solutions are still secure, utilizing FIDO keys’ main features to protect VPN access may improve security even further.
[as per our research, only one solution seems to exist to have true support of FIDO authentication, which is a commercial VPN client, Viscosity, costs $14 and is limited to OpenVPN protocol only]
FIDO-VPN solution from TOKEN2
To address this gap, TOKEN2 is currently finalizing a feature as a part of its TOTPRadius solution, to provide VPN access with FIDO security keys protection option, in addition to classic TOTP authentication. The solution will work with both FIDO2 and legacy U2F keys (WebAuthN implementation with fallback to U2F for older keys) and will work via modern web-browsers supporting FIDO keys authentication. No special VPN client installation is required, although we will be releasing VPN helper apps to simplify the user experience and make the process as fast as possible; one click will be enough to establish a VPN link. FIDO-VPN will support systems relying on standard VPN protocols (LT2TP and L2TP/IPSec), such as Meraki Client VPN and Fortinet VPN solutions. We are currently finalizing the solution and it will be a part of TOTPRadius at no additional cost, starting from version 0.2.5.
Migrating from the older version to the new release should be smooth as there will be a possibility to export both user and configuration data from the old appliance and import it to a newly deployed appliance.
The video below demonstrates how the process looks like from the end user’s perspective
Token2 TOTPRadius provides the RADIUS RFC-2865 for TOTP RFC-6238 based authentication. With TOTPRadius you can integrate a large variety of third-party products and systems with multi-factor authentication. A number of enterprise products and services like VPNs, Citrix XenApp/XenDesktop, VMWare View and many others provide support for RADIUS servers to validate the second factor of user authentications. Additionally, TOTPRadius appliance is providing RESTful API for second-factor authentication and enrolment (including self-service enrolment where possible). This allows implementing a fully on-premises secure and user-friendly two-factor authentication supporting RADIUS and LDAP protocols together with HTTP API with one appliance. TOTPRadius does not send or download any data from the internet and can function in complete isolation from the public internet. TOTPRadius supports OTP-only authentication based on RFC-6238 algorithm (TOTP: Time-Based One-Time Password Algorithm), Local password + OTP combined authentication as well as LDAP+OTP combined authentication. It provides a web-based administration panel and an HTTPS REST-based API service designed to enable users’ self-enrollment
TOKEN2 Multifactor authentication products and services (short name TOKEN2 MFA) is a group of companies providing various security solutions, such as hardware tokens, a mobile application, TOTPRadius server, and Token2 Cloud API, a hosted two-factor authentication service designed to protect primarily Web-based applications (e.g. member area of a CMS based website). An on-premises version of this service is also offered via TOTPRadius Web API.