For enhanced security, you can enforce a second layer of authentication for your users when they access Securden. Users will then have to authenticate through two successive stages. Securden integrates with a wide range of Two Factor Authentication (TFA) mechanisms, and you may integrate with the one that suits you best.
Configuring TFA is a three-step process:
Configure TFA
To configure TFA, navigate to Admin >> General >> Two Factor Authentication in the GUI.
Activate TFA
The first step in configuring TFA is to activate the option. Move the “Activate Two Factor Authentication” toggle to green.
The next step is to select the required TFA option from the various supported options.
At present, Securden supports:
Configuring Two-Factor Authentication
Once you select the required TFA option, you need to configure it.
How to Configure OTP through Email for TFA
Securden generates an OTP and emails it to the user who tries to log in. This option requires that email addresses are associated with all users and that the ‘Mail Server Setting’ is configured. The OTP sent through email is valid only for the current session and expires when the user logs out.
To configure Mail OTP for TFA:
TOTP authenticators like Google Authenticator, Microsoft Authenticator, and others provide a six-digit code to authenticate the second level of access. Users just need to have the Google Authenticator/Microsoft Authenticator/TOTP Authenticator app on their mobile phones or tablet devices.
To use Google/Microsoft/TOTP Authenticator as your 2FA method,
Self-support any TOTP Authenticator
If you are using any other TOTP authentication mechanism, you may self-support it by configuring the TOTP authentication Identifier. When you click that, you will be prompted to enter an identifier name. Enter the name of your TOTP authentication mechanism and click save.
How to Configure the RADIUS Server as the 2FA Mechanism
You can integrate a RADIUS server or any RADIUS-compliant two-factor authentication system like OneSpan Digipass, RSA SecurID, Swivel Secure, etc. for the second factor of authentication. You need to configure the RADIUS server details for the integration to take effect.
To configure RADIUS server,
Navigate to Admin >> Authentication >> Two-Factor Authentication and click the “Configure” on “RADIUS Authentication”. In the ‘RADIUS Server Settings’ page that opens up, you need to enter the following details:
After entering the details, click “Save”. You may then test RADIUS authentication once to confirm the integration works.
How to Configure the Email to SMS Gateway as the 2FA Mechanism
As part of two-factor authentication, Securden integrates with Email to SMS gateway providers (like ClickSend) to send one-time passwords as SMS to the phone numbers of the users. If you are using any such service, you may integrate that with Securden. You need to ensure that all your users have phone numbers added in Securden with the country code. Otherwise, OTP cannot be sent as SMS.
To configure Email to SMS Gateway as an option,
How to Configure Duo Authentication as the 2FA Mechanism
Securden PAM integrates with Duo Security for two-factor authentication. Once configured, users will be required to authenticate through Duo to access the web interface.
Prerequisite: Before proceeding with the configuration steps in Securden, you need to carry out a few steps at Duo Security to enable the integration with Securden. Once you complete the steps in Duo, you will get an integration key, a secret key, and an API hostname, which you need to supply in the Securden interface.
To handle users who have not yet been enrolled in Duo, you have three options:
Configurations in Securden
Function | Input Parameters | Example | Output
---|---|---|---
stringAppend | (String str, String suffix) | stringAppend('This is', ' a test') | This is a test
toUpperCase | (String str) | toUpperCase('This is a test') | THIS IS A TEST
toLowerCase | (String str) | toLowerCase('This is a test') | this is a test
substringBefore | (String str, String searchString) | substringBefore('abc@securden.com', '@') | abc
substringAfter | (String str, String searchString) | substringAfter('abc@securden.com', '@') | securden.com
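The following is an added example, not Securden's own code: Python versions of the five transformation functions in the table above, plus a small hypothetical `map_username` helper that chains them the way a nested mapping expression would, so a username mapping can be checked offline before it is applied to Duo. What the functions return when the search string is absent is an assumption (modelled on common substringBefore/substringAfter semantics), not something this page states.

```python
from typing import Callable, Dict, Sequence, Tuple


def stringAppend(s: str, suffix: str) -> str:
    return s + suffix

def toUpperCase(s: str) -> str:
    return s.upper()

def toLowerCase(s: str) -> str:
    return s.lower()

def substringBefore(s: str, search: str) -> str:
    # Assumption: when the search string is absent the whole input is returned.
    idx = s.find(search)
    return s if idx < 0 else s[:idx]

def substringAfter(s: str, search: str) -> str:
    # Assumption: when the search string is absent an empty string is returned.
    idx = s.find(search)
    return "" if idx < 0 else s[idx + len(search):]

FUNCTIONS: Dict[str, Callable[..., str]] = {
    "stringAppend": stringAppend,
    "toUpperCase": toUpperCase,
    "toLowerCase": toLowerCase,
    "substringBefore": substringBefore,
    "substringAfter": substringAfter,
}

def map_username(securden_user: str, steps: Sequence[Tuple]) -> str:
    """Hypothetical helper: apply a chain of (function name, extra args...) steps.
    Each step receives the previous result as its 'str' argument, so the chain
    mirrors nesting the table's functions, innermost first."""
    value = securden_user
    for name, *args in steps:
        if name not in FUNCTIONS:
            raise KeyError(f"unknown mapping function: {name}")
        value = FUNCTIONS[name](value, *args)
    return value

# Constructed example: a user stored as 'CORP\JSmith' in Securden but known to
# Duo as 'jsmith@corp.example' -> drop the domain prefix, lowercase, append suffix.
DUO_STEPS = [("substringAfter", "\\"), ("toLowerCase",), ("stringAppend", "@corp.example")]

if __name__ == "__main__":
    print(map_username("CORP\\JSmith", DUO_STEPS))  # jsmith@corp.example
```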
How to Configure Yubikey Authentication as the 2FA Mechanism
YubiKey tokens supplied by Yubico can be integrated with Securden PAM for 2FA. To integrate YubiKey with Securden, navigate to Admin >> Authentication >> Two-Factor Authentication and select ‘Yubikey’.
To connect to Securden PAM after integrating it with Yubikey, users need to do the following:
Before generating a one-time password, you need to decide which of the two slots, slot 1 or slot 2, of the YubiKey you're going to use for authentication throughout.
Slot 1: If you tap the YubiKey once, it generates a 44-character security key whose first 12 characters are unique to this slot. For every subsequent login through this slot, the first 12 characters remain the same and the rest of the 32 characters are randomized.
Slot 2: If you tap and hold the YubiKey for 2-5 seconds, it generates a 44-character security key whose first 12 characters are unique to this slot. For every subsequent login through this slot, the first 12 characters will remain the same and the rest of the 32 characters will be randomized.
Here is a sample output from a YubiKey where the button has been pressed three times.
cccjgdwkdjkwjdkjwikjdkhhfgrtnnlgedjlftrbdeut
cccjgjubuebduhubnjkedjkehijeiocjbnublfnrev
cccjgjgkcbejnvchfkfhiiuunbtnvgihdfiktncvlhck
Note: By default, the YubiKey generates the slot 1 passcode for NFC-configured mobile devices. You can make slot 2 passcodes the default by changing the setting from slot 1 to slot 2 using the YubiKey Personalization Tool.
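As an added example (not code from the Securden documentation or from Yubico), the following Python splits a YubiKey OTP of the shape described above into its 12-character per-slot public identity and the 32 characters that change on every press, rejects malformed OTPs, and checks whether a batch of presses all came from the same slot. The modhex alphabet is YubiKey's standard one; the sample OTPs are constructed for the example and do not come from a real key.

```python
MODHEX = "cbdefghijklnrtuv"  # YubiKey modhex alphabet; index gives the nibble value 0..15
PUBLIC_ID_LEN = 12           # first 12 characters: fixed per slot, as described above
OTP_LEN = 44                 # 12 public-id characters + 32 that change on every press

def modhex_decode(text: str) -> bytes:
    """Decode modhex text to bytes; raises ValueError on odd length or bad characters."""
    if len(text) % 2:
        raise ValueError("modhex length must be even")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        if hi not in MODHEX or lo not in MODHEX:
            raise ValueError(f"not a modhex pair: {hi}{lo}")
        out.append((MODHEX.index(hi) << 4) | MODHEX.index(lo))
    return bytes(out)

def split_otp(otp: str):
    """Return (public_id, dynamic_part) for a well-formed 44-character OTP, else raise ValueError."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN:
        raise ValueError(f"expected {OTP_LEN} characters, got {len(otp)}")
    modhex_decode(otp)  # alphabet check only; the 32-char part is encrypted and opaque without the key
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]

def check_same_slot(otps):
    """Classify a batch of presses. Returns (public_id or None, accepted, rejected);
    public_id is set only when every accepted OTP shares the same first 12 characters."""
    ids, accepted, rejected = set(), [], []
    for otp in otps:
        try:
            public_id, _ = split_otp(otp)
        except ValueError as exc:
            rejected.append((otp, str(exc)))
            continue
        ids.add(public_id)
        accepted.append(otp)
    return (next(iter(ids)) if len(ids) == 1 else None), accepted, rejected

# Constructed sample presses (valid modhex, not from a real key): three from one slot,
# one truncated to 42 characters, and one whose public id belongs to a different slot.
PUBLIC_ID = "cccjgdvkdjkr"
SAME_SLOT = [PUBLIC_ID + "jdkjuikjdkhhfgrtnnlgedjlftrbdeut",
             PUBLIC_ID + "tbdnhgrevlvhenfgijlktvukcbdefghi",
             PUBLIC_ID + "nlgedjlftrbdeutjdkjuikjdkhhfgrtn"]
TRUNCATED = SAME_SLOT[0][:42]
OTHER_SLOT = "cbdefghijkln" + "tbdnhgrevlvhenfgijlktvukcbdefghi"

if __name__ == "__main__":
    print(check_same_slot(SAME_SLOT + [TRUNCATED]))       # public id, 3 accepted, 1 rejected
    print(check_same_slot([SAME_SLOT[0], OTHER_SLOT])[0])  # None: presses from two different slots
```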
Once you have selected the required TFA option, the next step is to choose enforcement options.
From “Global Enforcement” and “Selective Enforcement” options at the bottom of the TFA configuration page, you can do the following:
Allow Users to Trust Browser
You have the option to allow your users to mark their browsers as 'Trusted' and skip TFA. Upon entering the second authentication factor, the users can mark the browser as trusted for a specific number of days or forever. Once it is marked so, users won't be prompted to enter the second authentication code until the end of the trust period.
To enable this feature, click the ‘Configure Browser Trust Option’ link; a pop-up box will appear. Here, you can specify the maximum period for which the browser trust option remains in effect. You may either enter a specific number of days or choose to have it enabled forever. After the end of this period, the user will have to enter the second authentication factor code once and exercise the trust option again.
If your organization uses smart cards for authenticating user logons, you can leverage the same for Securden authentication. If users have logged in to their machines using their smart cards, they will be allowed to access the Securden web interface too. During the process, the Securden web interface will display the available certificates, and users will have to choose their certificate. Securden validates it against the already configured trusted CA root certificate.
Smart card authentication serves as the primary authentication mode in Securden. It is different from the various 2FA options, which serve as the second authentication mode.
To integrate with Securden, you need to add the trusted CA root certificate and then tell Securden which smart card certificate attribute uniquely identifies the user in the product. You need to specify this mapping attribute separately for Local Authentication and/or Active Directory Authentication.
To Enable Smart Card Authentication,