Solved: Re: PSA300 with Google authenticator

j_ngrh · ‎04-11-2018

Dear Community,

I would like to implement PSA300 with Google authenticator as a secondary authentication. Primary authentication would be Microsoft AD. Before I make this proposal to my management, I would like to find out the following:

1. How does the PSA300 device generate the QR code? Is the QR code generated internally in the device or does is the device required to connect to some Google server to retrieve the QR code?

2. What are the firewall ports to open in order for the PSA device to communicate with the Google server?

3. What happens if the mobile phone with Google authenticator is misplaced? Does that mean that the one who picked up the mobile device can access the corporate network, assuming he/she bypass the Primary authentication?

4. If the mobile device is missing, how can the user continue to access the corporate network? eg: Can the user download Google authenticator on a new phone and start using it?

5. In terms of security, is Google authenticator secure enough to replace the "Standard" SMS 2FA?

6. Imagine this scenario, if the PSA300 is synced to a NTP source from asia and the end user is going on a holiday to Europe, there will be a time difference. In this scenario, user will need to set the time manually? On a corporate environment, it could be a hassle.

Appreciate if I can have some advice.

Thank you very much.

j_ngrh · ‎04-12-2018

Thank mspiers and flip for your replies.

Actually before posting for help, I have already googled and went through the links provided by mspiers. However, I am new to how 2FA works (the concept) and needed confirmation and so I posted here to confirm my understandings.

You have answered my questions flip.

Thank you again.

View solution in original post

mspiers · ‎04-12-2018

Support for TOTP like Google authenticator was added in PCS 8.2R5, see the following for more information:

https://docs.pulsesecure.net/WebHelp/Home.htm#PCS/PCS_AdminGuide_8.2/Using%20a%20Time-Based%20One-Ti...

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40172/

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB41050/

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40823/

You can contact our Sales team via https://www.pulsesecure.net/contact-us/

flipPipe · ‎04-12-2018

As mspiers refer, Google Authenticator is just one of the many applications which supports the TOTP (RFC 6238) Wikipedia TOTP

Answers for your question

1. QRCode are generated internally and do not depend on Google services.

You can generate your how qrcode, as long as you know your secret (and settings).
https://freeotp.github.io/qrcode.html

QRCode is just a nice way to push the information needed to TOTP configuration
https://github.com/google/google-authenticator/wiki/Key-Uri-Format

2. No network connection is needed.

3. TOTP depends on the secret shared between the server (PCS as example) and the client (device). To not allow some 3rd person have access to that secret it must implement security measures within the device and that is out of scope of this specification. Therefore, if a device with the secret is misplaced, it must have security measures to prevent access (as example: device locked, TOTP applications should have a PIN to be used and the storage where the secret is save should be encrypted).

Exist commercial and propriety 2FA which garantee that security.

But keep in mind this is a second authentication.

4. Just install a TOTP software, reconfigured the secret (and settings) and it is good to go.
But, the user should remove the previous one and generate a new one.

5. As long as you security measures in place (like I explain in 3), it is better in my opinion.

6. TOTP uses Unix Time, which is UTC based. So as long as the device it is synchronized and has the correct time zone configured there is no problems.

And do not forget to read the information given by mspiers.

j_ngrh · ‎04-12-2018

Thank mspiers and flip for your replies.

Actually before posting for help, I have already googled and went through the links provided by mspiers. However, I am new to how 2FA works (the concept) and needed confirmation and so I posted here to confirm my understandings.

You have answered my questions flip.

Thank you again.