Two-factor OATH authentication with Google Authenticator

Google Authenticator allows for adding a dynamic component to a static password for increased account security.


Protocols Supporting OATH Authentication Method

When logging in, OATH authentication can be performed either in Challenge-Response mode or by concatenating the dynamic code generated by Google Authenticator to the end of the static password defined in the authentication method, such as password481418. Please note that not all protocols support this authentication method.

OATH Availability Across Protocols
Platform or Protocol          Challenge-Response Mode   Password + Dynamic Code
Logging into Access Gateway   available                 available
Logging into Admin Panel      available                 available
VNC                           available                 available
SSH                           available                 available
RDP                           available                 available
Telnet 3270                   not available             available
Telnet 5250                   not available             available
Telnet                        not available             available
MS SQL (TDS)                  not available             not available
HTTP/S                        not available             not available
TCP                           not available             not available
MySQL                         not available             not available
X11                           not available             not available
Modbus                        not available             not available

Configuring the OATH Authentication Method

To configure default settings for the OATH authentication method, follow these steps:


  1. Select Management > Users.
  2. Find and click the user for whom you want to add the OATH authentication method.
  3. Click Add authentication method.
  4. From the Type drop-down list, select OATH.
  5. Choose the first factor: Password, or External authentication.

If Password is chosen:

  • Enter the password’s static part.
  • From the Token type drop-down list, select HOTP (counter-based).
  • Enter a secret that will be used by Google Authenticator. Note that the secret must be a Base32-encoded value. Alternatively, click the icon to generate it automatically. Click the QR code icon to show the QR code.
  • In the Length field, enter 6.

If External authentication is chosen:

  • Select External authentication source.
  • From the Token type drop-down list, select HOTP (counter-based).
  • Enter a secret that will be used by Google Authenticator. Note that the secret must be a Base32-encoded value. Alternatively, click the icon to generate it automatically. Click the QR code icon to show the QR code.
  • In the Length field, enter 6.
  6. Click Save.
  7. Launch Google Authenticator and add a new service, using either manual entry or the QR code.

Manual entry:

  • Select Enter a provided key.
  • Enter account name.
  • Enter the secret defined in the OATH authentication method.

Note

Click the icon on the user edit form in the Authentication section to reveal the secret.

  • Select Counter based.
  • Select ADD.

QR code:

  • Click the icon on the user configuration form, next to the Secret field in the Authentication section.
  • Select Scan a barcode in Google Authenticator.

  8. When logging in, the password string consists of the static password defined in the authentication method followed by the dynamic part generated by Google Authenticator, e.g. password481418.
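
The following added example (not part of the original documentation and not the product's own code) shows how a counter-based HOTP code is derived from the Base32 secret per RFC 4226, and how a login string such as password481418 can be split and checked. The secret is the RFC 4226 test key, the static password is constructed, and the look-ahead window of 3 is an assumption, not a documented product setting.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample values: the RFC 4226 test key "12345678901234567890"
# encoded as Base32, and a made-up static password.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STATIC_PASSWORD = "password"
DIGITS = 6        # matches the Length field in the procedure
LOOK_AHEAD = 3    # assumed resynchronisation window, not taken from the page


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate missing padding
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def split_login(login, digits=DIGITS):
    """Split 'password481418' into ('password', '481418'); None if malformed."""
    static, code = login[:-digits], login[-digits:]
    if not static or not (code.isascii() and code.isdigit()):
        return None
    return static, code


def verify(login, server_counter):
    """Return the next server counter on success, None on failure.

    The app advances its counter on every generated code, so the verifier
    checks a small window ahead and then moves past the matched counter,
    which also makes each code single-use.
    """
    parts = split_login(login)
    if parts is None:
        return None
    static, code = parts
    # Constant-time comparisons; both factors are evaluated before deciding.
    pw_ok = hmac.compare_digest(static.encode(), STATIC_PASSWORD.encode())
    for c in range(server_counter, server_counter + LOOK_AHEAD + 1):
        if hmac.compare_digest(code, hotp(SECRET_B32, c)) and pw_ok:
            return c + 1
    return None
```

Because HOTP codes stay valid until the counter moves past them, the stored counter must be updated to the returned value after every successful login.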
