Applies to Platform: UTM 6.8.x, 4i Edge 6.8.x, Switchboard 6.8.x
Last update: 24 Apr 2025
Introduction
With two-factor authentication, security is increased because, instead of requiring only a username and password, the login also requires a code generated by a token. The authentication procedure then combines something you know (username and password) with something you have (the device holding the time-based token). Even if your username and password are stolen or compromised, an attacker cannot authenticate without also obtaining the current code from the token.
Two-factor authentication can now be used for the administrative login on any EndianOS appliance running a supported version. This matters because the Endian administrative user has complete control over the configuration and operation of the appliance; protecting this account against unauthorized or malicious access is critically important.
Before You Begin
For any administrative account requiring two-factor authentication, each user needs a smartphone application that supports OTP. A number of such applications are available for free (the following is only a short list; other applications exist as well):
Platform | Apps
Android |
iOS |
Create a Backup Account (Optional)
This step is highly recommended to prevent being locked out of the appliance's administrative web interface. By creating a backup account without two-factor authentication enabled, you keep a way to log in to the appliance in the event the OTP setup has issues. Keep in mind that, while it exists, the backup account is an Administrator login protected by a password alone, so give it a long, unique password. Once two-factor authentication is set up and verified, you can disable the backup account if you wish to enforce the use of 2FA for all administrative access.
To create a backup account, go to System > Users and select Add web frontend user.
- Enter a username for the backup account (you will use this to log in to the appliance)
- Enter and confirm a password to use for this backup account
- Ensure the user role is set to Administrator
- Click Add to create the new web user account
Once done you should see two web user accounts listed (primary and backup) on the Users page.
Enable OTP on Primary Account
Select the Edit action for the primary account and, under the One Time Password secret field, click Generate new secret to create a new secret key.
Once this is done, click Show QR Code to display the QR code. While it is displayed you can save the image (right-click, Save As) or take a screenshot to send to the appropriate user, who needs it to set up the mobile OTP application. Treat the QR code, and the secret it encodes, as you would a password: anyone who obtains it can generate valid one-time passwords for that account. Deliver it over a secure channel and delete any saved copies once the user's application is set up.
Setup OTP Account on Mobile Application
In order to generate the one-time passwords, each user has to set up an account in the application. There are two ways to set up the account:
- create the account manually by entering the provided shared secret
- scan the QR code containing the account information from inside the application
The shared secret is then used for all future logins. The application generates a new one-time password every 30 seconds. Because the algorithm is time-based, no Internet connection is needed, but the clocks on the phone and on the appliance must be closely synchronized: keep the appliance synchronized with NTP and make sure the phone sets its time automatically, since a drifted clock is the most common reason a correct-looking code is rejected.
Using your mobile OTP application, select the option to create a new account and choose to scan a QR code. Scan the Endian QR code; the OTP token should be added to your device automatically (as shown in Figure 1).
Figure 1 - OTP Application
Enable OTP on Web Management Interface
You now need to enable OTP on the web management interface: navigate to Authentication > Providers and edit the Administration Web Portal provider.
Use the Multi-Factor Type drop-down to select OTP.
Then click Save and Apply to apply the configuration.
Once this is confirmed, you should be able to log in to your Endian appliance using the OTP-enabled account together with the code from the token, as shown below. Verify this with the primary account before disabling the backup account.