SSProtect is empowered to make extensive use of two-factor authentication:
- When you login with the :Foundation Client
- When you protect or access a managed file
- When you protect or access a managed email
- When you perform a Management task
- When you perform an Administrative task
This is a far more effective than the more common, "login gate" that only uses two-factor authentication when you present Login credentials that unlock access to a large amount of material or subsequent activity that is then also more accessible to attackers lying in wait.
Login and Task 2FA
SSProtect uses a Login Session to establish (and authorize) your Identity. Login requires a Username and Password, and can be extended with 2FA using Duo Security, the subject of this article. Subsequent Tasks utilize your Login Session Identity and either Hardware 2FA or Software Simulation to authorize execution, protecting against impersonation by attackers lying in wait who would then have access to your sensitive operations and content.
Second Factor Authentication Types
SSProtect supports three types of 2FA:
- Software-generated RFC 4226 HMAC-based OTPs (OATH) for Task 2FA
- OATH-based USB Hardware Tokens for Task 2FA
- Third-party Enhanced 2FA services for Login (today) using Duo Security
Software-generated HMAC One-Time Passwords facilitate immediate deployment and application use during evaluation or while provisioning 2nd factor tokens for long-term use. Once you choose an OATH-compatible solution, our team will work with you to acquire, program, and distribute hardware since each has its' own facilities that can be used to simplify the process. Most often, procedures make use of import/export to reduce repetition.
Enhanced Login 2FA using Duo Security
SSProtect integrates directly with Duo Security's cloud-based authentication solution to provide Enhanced 2FA operation when establishing a Session. Duo Security provides a feature-rich authentication capability supporting multiple tokens for a single user, group management, policy-based authentication (including geo-fencing), endpoint technology patch management, and additional services complementary to SSProtect's data protection capabilities.
Administrators: Link SSProtect and Duo Security
Individual Account holders and the one Organization Administrator can setup Duo Security Login 2FA with the following procedure:
- Open a Web Browser and navigate to Duo Security's management portal
- Login to your Organization's Duo Security Account.*
- From the Duo Security Administrator Dashboard, choose Applications
- On the Applications page, choose Protect an Application
- Scroll down to Auth API and choose Protect this Application
* Choosing a Duo Security Account name that matches your SSProtect Account email address can lead to confusion. See Considerations, below, for more details.
The Duo Security Auth API configuration displays the identity, key, and host information you will enter into SSProtect:
- Click the SSProtect notification icon, then choose Administer Resources
- Choose Configure in the Duo Security Login 2FA control group
- Use Auth API for the SSProtect IKey, SKey, and Host configuration
Finish setting up Duo Security Login 2FA as follows:
- In SSProtect, check Mobile for Login to enable Duo Push for Login 2FA
- In SSProtect, choose Enable then Save to apply changes
- In the Duo Security Application page, complete the Auth API configuration
- In the Duo Security Application page, scroll down to choose Save
This enables Duo Security Login 2FA for Individual Account holders and, for an Organization, for all Users though this can be individually enabled/ disabled as noted toward the end of this article.
Users: 1st Time Self-Service Configuration
After you complete the previous Administrative procedure, Duo Security two-factor authentication services will be invoked on subsequent SSProtect Login (as a result of checking Mobile for Login), as shown below:
Yes will redirect to the Duo Security self-service setup, shown below:
NOTE: This (and other) Duo Security web pages will change, though the general approach is suitable to integrate Duo Security 2FA with SSProtect Login.
SSProtect requires a Duo Push device for Enhanced Login 2FA:
- In What type of device are you adding,? choose Mobile Phone - Continue
- Enter your phone number, acknowledge it's correct - Continue
- Verify ownership - Continue
- In My Settings & Devices, choose the default device
- Check Automatically send me a: then choose Duo Push*
- Choose Save, then scroll past My Devices and choose Done:
* Duo Security configuration has changed over time, adding new options such as U2F and the option to be prompted for Duo Push or a Phone Call. Do NOT choose to be prompted, and avoid choosing new/ alternative methods as they utilize different mechanisms not (yet) supported.
Under the Covers with Enhanced Login 2FA
When you login to SSProtect, your password, along with additional identifying information, gets packaged in a protected manner and delivered to KODiAC Cloud Services for authentication and authorization. KODiAC recognizes that your Account is protected by Duo Security 2nd-factor services as a result of the Administrative configuration noted above, and as a result dispatches authentication requests to Duo Security cloud servers. These requests lookup your individual Duo Security configuration and query for the first configured Duo Push device.
If a Duo Push device is not found, an error is returned and routed through KODiAC to your :Foundation Client where you receive the error and Login fails.
On the other hand, when a Duo Push device is found, Duo Security dispatches the Push authentication request that you can then respond to, for example with an app on your phone. Once you acknowledge the request and permit access, KODiAC processes the Duo Security response and returns results to your :Foundation Client complete Login and establish your Session.
This operation is generally pretty quick - 5s or so, but can sometimes take 10-20s or more.
Administrators: Overriding Enhanced Login 2FA
Privileged Organization Users can disable Enhanced Login 2FA for individual Accounts as follows:
- From the SSProtect notification icon, choose Administer Users/ Manage
- Choose the target User you wish modify, then choose Edit
- When Org Enh2FA is checked, your Account is configure to use Enhanced Login 2FA
- Check Ignore Enh2FA to disable this process for the target Account
- Choose Save
Note that this differs from the No 2nd Factor setting, which manages Task 2FA described at the beginning of this article.
Make note of the following Considerations when using Duo Security Enhanced Login 2FA:
1. When using Enhanced Login 2FA, it's better to avoid directly accessing protected content after your Login Session has expired. When this happens, you are first prompted for your Username/ Password which then dispatches the Duo Security processing request noted above. During this time, the application that is attempting to load protected content may time out, resulting in an application-specific error. SSProtect will however continue with the authentication process, and when complete you can retry your operation.
2. Take care to avoid resetting your Duo Security Auth API Application keys without first disabling the SSProtect Enhanced 2FA Configuration. You can do this by navigating to Administer Resources from the notification icon, choosing Configure, then either choosing Disable or unchecking Mobile for Login followed by Save/ Commit.
3. Avoid using your SSProtect Administrator/Delegate or Individual account Username as the Admin login for Duo Security services, since Duo Security services separate Administrators from authorized users. SSProtect does not make this distinction, and the inconsistency creates a disconnect when you try to use Duo Security with your Administrator/ Delegate or Individual Account.
4. Make sure to take full advantage of the features Duo Security provides, especially geo-fencing and user-based policy controls. These facilities significantly increase the overall effectiveness of SSProtect - the two operating together offer a formidable protective profile.
For More Information
For information regarding product features and content, consult the Document Index, or send email with specific questions to firstname.lastname@example.org.
This article was updated w/ v9.1.3 of the :Foundation Client