Two-Factor OATH Authentication with Google Authenticator

Google Authenticator generates verification code as a dynamic component to a static password to increase account security.

Fudo Enterprise allows configuring default settings for the OATH authentication so they are automatically added to the user definition, when administrator selects OATH as an active authentication method.

Note

When configuring two-factor OATH authentication in Fudo Enterprise you can also consider using alternative applications such as Microsoft Authenticator.

Protocols Supporting OATH Authentication Method

When logging in, OATH authentication can be performed either in Challenge-Response mode or by concatenating the dynamic code generated by Google Authenticator to the end of the static password defined in the authentication method, such as password481418. Please note that not all protocols support this authentication method.

OATH Availability Across Protocols

Platform or Protocol

Challenge-Response Mode

Password + Dynamic Code

Logging into Access Gateway

available

available

Logging into Admin Panel

available

available

VNC

available

available

SSH

available

available

RDP

available

available

Telnet 3270

not available

available

Telnet 5250

not available

available

Telnet

not available

available

MySQL

not available

available

MS SQL(TDS)

not available

not available

HTTP/S

not available

not available

TCP

not available

not available

X11

not available

not available

Modbus

not available

not available


Configuring the OATH Authentication Method

In order to configure default settings for the OATH authentication method, follow the instruction:

  1. Select Settings > Authentication > Global tab.

  2. Go to OATH section and select token type: TOTP (time-base) or HOTP (counter-base).

  3. Fill out the Issuer field.

  4. Fill out the Token length field.

  5. Input Time step if selected Token type was TOTP (time-base).

  6. Click Save next to the OATH section name.

../../_images/6-1-oath-auth-settings.png

In order to configure OATH as an active authentication method for a user, follow the steps:

  1. Select User Management > Users.

  2. Find and click the user for whom you want to add the OATH authentication method.

  3. Scroll down to the Authentication section.

  4. Choose OATH type from the Add authentication method drop-down list.

  5. Choose the Static password or External authentication as a first factor.


If Password is chosen:

  • Enter password’s static part.

  • Fields Token type, Token length and Time step will be filled out automatically as default settings claim. Their value is editable.

  • Enter a secret that will be used by Google Authenticator. Note, that the secret must be a Base32 encoded value. Alternatively, click Generate to generate it automatically or QRCode to show the QR code.

  • (Optional) Enable Allow reuse option to permit the same valid TOTP code to be accepted more than once within its current time window. This is useful for parallel access scenarios such as automated SSH access, CI/CD operations, or bulk file transfers.


If External authentication is chosen:

  • Select External authentication source.

  • Fields Token type, Token length and Time step will be filled out automatically as default settings claim. Their value is editable.

  • Enter a secret that will be used by Google Authenticator. Note, that the secret must be a Base32 encoded value. Alternatively, click Generate to generate it automatically or QRCode to show the QR code.

  • (Optional) Enable Allow reuse option to permit the same valid TOTP code to be accepted more than once within its current time window. This is useful for parallel access scenarios such as automated SSH access, CI/CD operations, or bulk file transfers.

../../_images/6-1-oath-allow-reuse.png

Note

Optional:

  • Enable Allow reuse option to permit the same valid TOTP code to be accepted more than once within its current time window. This is useful for parallel access scenarios such as automated SSH access, CI/CD operations, or bulk file transfers.

  • The Initialized option serves for the user’s initialization via the QR code. When their static password as a First factor setting is filled or External authentication source if configured, the QR code is displayed during their first connection. After successful first authentication the Initialized option becomes checked and takes uneditable state.

  1. Click Save.

  2. Launch Google Authenticator and add new service.

Manual entry

QR Code

  • Select Enter a provided key.

../../_images/google_authenticator_add_account.png
  • Enter account name.

../../_images/google_authenticator_account_name.png
  • Enter the secret defined in OATH authentication method.

Note

Click . on the user edit form in the Authentication section to reveal the secret.

../../_images/google_authenticator_account_secret.png
  • Select Counter based.

../../_images/google_authenticator_account_type.png
  • Select ADD.

../../_images/google_authenticator_account_add.png
  • Click . on the user configuration form, next to the Secret field in the Authentication section.

  • Select Scan a barcode in Google Authenticator.

../../_images/google_authenticator_add_account_scan_qr.png
  1. When logging in, the password string consists of a static password defined in the authentication method and dynamic part generated by the Google Authenticator, e.g. password481418.

../../_images/google_authenticator_token.png

TOTP Code Reuse for Parallel Access

The Allow reuse option enables the same valid TOTP code to be accepted more than once within its current time window. This feature is designed for scenarios where parallel access is required and protected with two-factor authentication.

Use Cases

This feature is particularly useful for:

  • Scripted SSH access

  • Ansible playbooks

  • Parallel scp or rsync operations

  • CI runners connecting to multiple systems

  • Access through multiple bastion hosts

  • Bulk RDP gateway hand-offs

Default Behavior

By default, the Allow reuse option is disabled. Each TOTP code can be used only once. After successful verification, another attempt using the same code will be rejected. This ensures the highest security level for standard use cases.

Behavior When Enabled

When Allow reuse is enabled for an OATH/TOTP authentication method:

  • The same TOTP code can be accepted multiple times within its current time window

  • An operator can use the same TOTP code for multiple parallel connections within one timestep

  • Once the timestep expires, the previous code becomes invalid and a new code is required

  • This allows supporting automation and bulk access scenarios without changing the standard TOTP expiration model

Note

The Allow reuse option is available only for TOTP (time-based) tokens. HOTP (counter-based) and other authentication methods do not support code reuse.

Warning

Enable this option only when necessary for specific use cases. Allowing TOTP code reuse reduces the security level compared to single-use codes. Always evaluate the security implications for your specific environment before enabling this feature.

Related topics: