2FA authentication by EMail


Comments

  • NicoBan
    NicoBan Posts: 2  Freshman Member

    Quote QuiteSmart

  • PavelCh
    PavelCh Posts: 2  Freshman Member

    I vote to return the 2FA email authentication feature to the Flex H series!!!

  • nielsscheldeman
    nielsscheldeman Posts: 95  Ally Member

    So I had another topic running

    Domain zone forwarder through tunnel — Zyxel Community

    And I mentioned my problem of 2FA not being possible with EXT-GROUP-USER, which now works fine in the older FLEX Series. This answer from ZyXEL_Melen concerns me a bit:

    image.png

    Why would ZyXEL implement a 2FA method from a competitor (Cisco)?

    We have used IS Decisions Userlock at all our clients for years now, so if we have to move to a paid model, I'd prefer to use Userlock, and not 2 products like Cisco Duo. In that way 2FA through mail was very acceptable. I also see that Cisco Duo will only work with SecuExtender and not the new implementation of OpenVPN?

    But as I see ZyXEL will implement it for local users, then why not for EXT-GROUP-USERS?

    I now have 90 FLEX non-H firewalls in production and 6 H firewalls. In future, if the old FLEX Series goes out of support, I will have to replace them with newer models, but features like 2FA through mail with EXT-GROUP-USER will have to be migrated too, of course, or at least there must be decent support for multiple other 2FA suppliers (if it's Google Authenticator, that's fine by me), and of course with OpenVPN, which we all have been waiting for for years on the old FLEX series now.

    I have a client with a Barracuda firewall and 30 VPN users who also use 2FA. I was finally able to get that client to decide to replace his Barracuda firewall with a FLEX H in combination with 4 extra firewalls on different sites, but if I can't implement proper 2FA on EXT-GROUP-USER with OpenVPN, I will have a problem.

  • QuiteSmart
    QuiteSmart Posts: 68  Ally Member
    Zyxel Certified Network Administrator - Nebula Zyxel Certified Network Administrator - Security Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - WLAN

    Since this old thread now and then gets some new feeding, I take the opportunity to ask a general question for anyone at Zyxel: why are you not developing 2FA by email on the H series? I am a bit astonished because, apart from judging whether it is useful or not (this is personal), it was something that existed back in the old USG40/60 series. Why should we reduce features instead of increasing them?
    Is there any technical problem that I don't see that makes this development difficult? The firewall already sends email, the page for the code already exists… I must be missing something.

    Most of my firewalls are ATP, most of my configurations involve VPNs with 2FA, most of my users prefer email to Google Authenticator.
    Some employees use personal smartphones and are not willing to install another app (I know, it seems strange nowadays that someone doesn't use 2FA at all, but most of the time when I implement Google 2FA the new user has to install the app for the first time).

    So please, Zyxel, let 2FA by email work on the H series.