Self-registration of the second factor for two-factor authentication based on the RADIUS protocol
In this article we want to talk about our product TOTPRadius. This is a RADIUS server designed for use in two-factor authentication systems. In addition to the functionality that is standard for this protocol, TOTPRadius provides several additional features, one of which is the ability to let ordinary users register their second factor themselves.
RADIUS for two-factor authentication
RADIUS is a standard protocol for accepting and processing authentication requests. In addition to ordinary (one-factor) authentication, many systems use the RADIUS protocol for two-factor authentication, most often to verify the second factor. The principle is quite simple. Take the TOTP algorithm as an example: the current time and a secret key are used to generate a one-time password (OTP). The OTP entered by the user is forwarded to the RADIUS server, which in turn verifies it. Naturally, both the secret key and the current time on the server must match those of the OTP generator. RADIUS for two-factor authentication is used, for example, in VMware View / Horizon, Citrix NetScaler, Fortinet VPN, etc.
Self-registration and why it is needed
It is often necessary to give users the opportunity to activate the second factor on their own. Standard implementations do not provide this, and that is understandable: in the usual implementation of two-factor authentication the second factor is either enabled or it is not; there is no third state. This can lead to difficulties. For example, when migrating a large number of users, registration of the second factor has to be centralized. If a soft token is used (an application such as Google Authenticator or Token2 Mobile OTP) on personal mobile devices, the logistics of such a migration are hard to imagine. Self-registration can help here. The idea is this: users without an active second factor (in other words, without a record in the RADIUS server database) are allowed into the system once (or twice, allowing for the possibility that something goes wrong the first time), and are then given the ability to start registering the second factor on their own (creating a TOTP profile in the application). Token2 TOTPRadius provides the ability to organize such registration through a simple RESTful API. In simplified form, this is a request in the format
where the server's response, if the request succeeds, is a secret key generated for this user, returned both as text and as a QR code.
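To make the two mechanisms described above concrete, here is an added example (not TOTPRadius code and not its REST API, whose request format is not reproduced on this page): a server-side RFC 6238 TOTP check with a small time window, and a minimal in-memory model of the "let the user in once or twice, then require enrollment" policy, where enrollment issues a fresh secret as an otpauth URI (the content an authenticator app reads from the QR code). It also shows how remembering the matched time-step offset lets a server learn and correct a hardware token's clock drift, a feature mentioned under Additional features below. The user store, the `GRACE_LOGINS` value, the issuer name `ExampleCorp` and all function names are assumptions made for the illustration.

```python
# Added example: RFC 6238 TOTP verification with a drift window, plus a minimal
# model of "grace logins" self-registration. Not TOTPRadius code; the store,
# policy constants and function names are assumptions for illustration only.
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP = 30          # TOTP time step in seconds
DIGITS = 6         # code length
WINDOW = 1         # accept codes from +/- this many steps around the expected one
GRACE_LOGINS = 2   # logins allowed without a second factor before enrollment (assumed policy)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(key, at // STEP)


def verify_totp(key: bytes, otp: str, at: int, known_offset: int = 0,
                window: int = WINDOW) -> Optional[int]:
    """Compare `otp` with the codes for steps (now + known_offset) +/- window.

    Returns the step offset (relative to the server clock) that matched, or None.
    Remembering the matched offset is how a server can learn a hardware token's
    clock drift and centre the next check on it instead of on its own clock.
    """
    base = at // STEP + known_offset
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base + delta), otp):  # constant-time compare
            return known_offset + delta
    return None


class UserStore:
    """In-memory stand-in for the RADIUS server's user database (constructed for the example)."""

    def __init__(self) -> None:
        self.keys: dict = {}          # user -> raw TOTP secret
        self.drift: dict = {}         # user -> last matched step offset
        self.last_counter: dict = {}  # user -> last accepted step, for replay rejection
        self.grace_used: dict = {}    # user -> logins already granted without a 2nd factor

    def enroll(self, user: str, issuer: str = "ExampleCorp") -> str:
        """Self-registration: issue a fresh secret and return the otpauth URI that an
        authenticator app reads from the QR code (base32 secret in the URI)."""
        key = secrets.token_bytes(20)
        self.keys[user] = key
        self.drift[user] = 0
        self.last_counter[user] = -1
        b32 = base64.b32encode(key).decode().rstrip("=")
        label = urllib.parse.quote(f"{issuer}:{user}", safe=":@")
        return (f"otpauth://totp/{label}?secret={b32}&issuer={urllib.parse.quote(issuer)}"
                f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")

    def authenticate(self, user: str, otp: str, at: Optional[int] = None) -> str:
        """Return 'accept', 'accept-grace' (no profile yet, grace login used) or 'reject'."""
        at = int(time.time()) if at is None else at
        key = self.keys.get(user)
        if key is None:
            # No second factor registered: let the user in a limited number of times
            # so they can reach the enrollment page, then refuse.
            used = self.grace_used.get(user, 0)
            if used < GRACE_LOGINS:
                self.grace_used[user] = used + 1
                return "accept-grace"
            return "reject"
        offset = verify_totp(key, otp, at, self.drift[user])
        if offset is None:
            return "reject"
        counter = at // STEP + offset
        if counter <= self.last_counter[user]:   # a code may be used only once
            return "reject"
        self.last_counter[user] = counter
        self.drift[user] = offset                # remember drift for the next check
        return "accept"
```

The grace-login counter is what makes self-registration safe to offer: it is per user, it is consumed even when the login goes nowhere, and once it is exhausted the account is no better off than one with a registered token that gives a wrong code. The replay check on the accepted step counter matters because a TOTP window of +/-1 step means a captured code stays valid for up to 90 seconds; rejecting any step at or below the last accepted one closes that gap without touching the drift logic.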
Integration Example: TOTPRadius with Citrix NetScaler + Storefront
The Citrix NetScaler + Storefront bundle is used to access the Citrix XenApp and XenDesktop products. NetScaler supports a RADIUS server as the authentication source for the second factor out of the box. The only additional integration work in this case is implementing self-activation of the TOTP soft-token profile in the Storefront interface via the RESTful API. The setup process is quite simple and is described in this document. What it looks like through the eyes of the end user is shown in the video.
Additional features
In addition to the pre-built Storefront integration scripts, TOTPRadius also integrates seamlessly with WordPress and Drupal (using Token2 plug-ins). We will also be happy to help with integration into any other system.
TOTPRadius can also be used without the self-registration function if you do not need it (or cannot use it). Even in that case TOTPRadius has the following advantages:
- support for both hardware and soft TOTP tokens
- the ability to detect and automatically correct drift (time offset) of hardware tokens
- import and export of user lists in CSV format
- detailed authentication logs