2FA authentication by EMail

PeterUK
PeterUK Posts: 3,963  Guru Member

2FA authentication by EMail on FLEX H models

allow 2FA authentication from an IP other than the one the VPN connection is from

allow 2FA authentication by WAN

11 votes


Comments

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,317  Zyxel Employee
    edited January 15

    Hi @PeterUK ,

    Could you share your specific reasons for wanting to use email-based 2FA authentication on FLEX H models?

    Have you considered using Google Authenticator as an alternative?

    allow 2FA authentication by WAN

    Could you provide more details about your requirements/scenario?
    Why do you need to enable 2FA authentication by WAN?

    Zyxel_Judy

  • PeterUK
    PeterUK Posts: 3,963  Guru Member
    edited January 15

    One might simply prefer email-based 2FA authentication over Google Authenticator, or you're not able to have Google Authenticator.

    At this time, for my setup (which I hope Kay gets round to looking at), 2FA just does not work with the firewall on for some reason.

    So what I don't know is: is the 2FA page meant to work over the VPN tunnel when connected, and then the full connection is allowed? That would explain some things.

  • PeterUK
    PeterUK Posts: 3,963  Guru Member
    edited January 18

    So another use case for email is when the remote user is a long way away and you don't want to give them admin access to the FLEX. They can't scan the QR code on their phone for Google Authenticator. OK, there is "Can not scan the QR code?", so you send this info by email for them to add it manually; then they have to send you the code for "Verify your device" on the FLEX by email, which will be a pain and needs to be done in time.

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,317  Zyxel Employee

    Hi @PeterUK ,

    Since there is a voting system in the Zyxel community, we recommend submitting only one idea per post. This makes it easier for members to track and vote on specific suggestions.

    Please keep this post focused on your first idea "2FA authentication by EMail on FLEX H models". Thank you for providing the scenario and explaining your requirements for this feature. We will evaluate your request thoroughly. Please follow our Firewall News & Releases channel to stay informed about future feature implementations.

    News and Release - Zyxel Community

    Regarding your other issues and suggestions, Kay has already provided a response in the original post:

    allow 2FA authentication from an IP other than the one the VPN connection is from

    https://community.zyxel.com/en/discussion/comment/73884/#Comment_73884

    allow 2FA authentication by WAN

    https://community.zyxel.com/en/discussion/comment/73609/#Comment_73609

    Zyxel_Judy

  • nielsscheldeman
    nielsscheldeman Posts: 74  Ally Member
    edited January 29

    Another reason could be because with Ext-group-user connected to AD, you can only use 2FA mail.

    1: this is also something that might be implemented with Google Authenticator, would be very nice, even if it's still on the non H models

    2: Ext-group-user not supported on FLEX 200H models.

    So it was already a crippled feature, now it is even more crippled with H series with lack of Ext-Group-User support.

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,317  Zyxel Employee

    Hi users,

    Recognizing the potential usefulness of 2FA authentication by email for users, we are considering this as a potential feature.

    Please follow the Firewall News & Release to know about the enhancements and new features.

    Zyxel_Judy

  • nielsscheldeman
    nielsscheldeman Posts: 74  Ally Member

    I'm setting up now in production a FLEX200H for my own company, because Ext-Group-User works now. I can wait for 2FA for the VPN users for now.

    But on my old FLEX I had 2FA through mail enabled for admin web access. I do it for all my clients like that, so I don't have to set up dozens of Google authenticator profiles on my smartphone. It seems now that feature is missing?

    On the old FLEX you could set up an email address next to admin and then press send code. After that, enable Admin Access through mail.

    If I want to do that now I get this:

    afbeelding.png

    We're not there yet with the FLEX H Series. Thank god all my current clients are 100% moved to FLEX Series, so I'm good for some years for existing clients. New clients will be a little problem with 2FA, but it's very good that Ext-Group-User is now available.

  • QuiteSmart
    QuiteSmart Posts: 63  Ally Member

    Hello, apart from the technical reasons well exposed by @PeterUK, my personal reason is that many of the employees of my clients do not use Google Authenticator, nor do they have a smartphone provided by their company, and they do not want to install new apps on their personal phone, while they do have an email account on it.

  • QuiteSmart
    QuiteSmart Posts: 63  Ally Member

    Besides, when you connect to a full tunnel VPN with 2FA with your laptop, the connection is totally frozen until you make the second authentication.

    This means that you have to use another device to authenticate.

    Usually this is the smartphone.

    Now with Google Authenticator the procedure is not so easy:

    1. open G auth
    2. copy the code
    3. open the web browser
    4. open the firewall web page (with the correct 2FA port)
    5. paste the code
    6. click authenticate

    Especially point 4 is often a struggle for many end users: they have to bookmark the URL in a browser and remember that they bookmarked it.

    The procedure from point 2 to point 6 has to be completed within 30 seconds (Google auth code lasts 30").

    While by email it is just:

    1. open the email
    2. click authenticate
    3. click authenticate

    Unless there is a fast track for Google authentication that I never understood (please tell me), I think that everybody will agree that email is simpler by far 🧐
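
Added example, not part of the thread and not Zyxel code: the 30-second lifetime mentioned in the last comment is the TOTP time step (RFC 6238) used by Google Authenticator. This Python sketch shows how much of that step remains when a code is read and how a verifier that tolerates one step of drift changes the time budget. The `window` parameter is an assumption for illustration, the secret is the RFC test-vector key, and nothing here describes what the FLEX firmware accepts.

```python
import hashlib
import hmac
import struct

STEP = 30                          # TOTP time step in seconds
SECRET = b"12345678901234567890"   # RFC 4226/6238 test key, not a real secret


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the time-step counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_left(unix_time: int, step: int = STEP) -> int:
    """Seconds until the code shown at unix_time rolls over."""
    return step - (unix_time % step)


def verify(secret: bytes, code: str, unix_time: int,
           window: int = 0, step: int = STEP) -> bool:
    """Accept the current code and, if window > 0, codes from that many
    adjacent steps on either side (assumed verifier policy)."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue                                          # no counter before epoch
        if hmac.compare_digest(totp(secret, t, step=step), code):
            return True
    return False


if __name__ == "__main__":
    # Constructed timeline: the user reads the code 1 second before rollover
    # and submits it 1 second later, after the step has changed.
    read_at, submit_at = 59, 60
    code = totp(SECRET, read_at)
    print("code read:", code, "seconds left:", seconds_left(read_at))
    print("strict verifier accepts:", verify(SECRET, code, submit_at))
    print("window=1 verifier accepts:", verify(SECRET, code, submit_at, window=1))
```

A code is only guaranteed the full 30 seconds if it is read right at the start of a step; a wider verification window gives users more time at the cost of each code staying valid longer.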