How to Use Two Factor with Google Authenticator for Admin Access?

Zyxel_Stanley
Zyxel_Stanley Posts: 963  Zyxel Employee
edited August 3 in Security FAQ

In previous firmware versions, USG supports pin code by SMS/Email as two-factor authentication method. However, SMS-based two-factor authentication is not safe. Compared to SMS-based method, Google authenticator is the most secure method to receive verification code for 2-factor authentication. Google authenticator gives a new code every 30 seconds, so each code expires in just 30 seconds which make it a secure option to generate codes for 2-step verification. Furthermore, Google authenticator is free to download, easy to use, and is able to work without Internet. This example illustrates how to set up two factor with Google Authenticator for admin access.


Two Factor with Google Authenticator Flow

1. Enable Google Authentication on specific admin user

2. Set up Google Authenticator

3. Configure valid time and login service types.

 

Enable Google Authentication on specific admin user

Select a specific admin user and switch to Two-factor Authentication tab.

CONFIGURATION > Object > User/Group > admin user


Enable Two-Factor Authentication for Admin Access checkbox. In Two-factor Auth. Method, select "Google Authenticator". Click "Set up Google Authenticator" to start setting up Google Authenticator on your mobile phone and USG.


Set up Google Authenticator


1.     Download and install Google Authenticator on your mobile device.

2.     Register the admin account to Google Authenticator. Open Google Authenticator App and scan the barcode on Web GUI.



3.     Enter the token code which displays on Google Authenticator to “Step 3” and click “Verify code and finish” to submit and verify the code.


The pop-up window message informs the verification result.


4.     After 2FA registration is set up successfully, there are backup codes on web GUI. The backup codes are for device login in the case you don't have access to the application on your mobile device. Download the backup codes and record them in a safe place.


Configure valid time and login service types

Enable two factor authentication for admin access. Configure valid time and select which services require two-factor authentication for admin user. The valid time is the deadline that admin needs to submit the two-factor authentication code to get the access. The access request is rejected if submitting the code later than valid time. By default, the valid time is 3 minutes.

CONFIGURATION > Object > Auth. Method > Two-factor Authentication > Admin Access


Test the Result 

1.     Login with the admin account "testadmin".


2.     A pop-up window appears for administrator to enter the verification code.


3.     Enter the code shown on Google Authenticator and click "Verify". You can also enter the backup code if you don’t have mobile device on hand.


4.     Authorize with username, password and the token code successfully.

MONITOR > Log > View Log > Category and select "Authentication Server"


What Can Go Wrong?

1.     An admin user only can be registered on one Google Authenticator. If you would like to use another mobile device to authenticate the same admin user, click “Revoke” to revoke registered user and user another mobile device to set up Google Authenticator again.


2.     Each admin user has 5 backup codes and each backup code could be used only once for login.