17.4. Multi-Factor Authentication

When a roaming client tries to access resources located behind a Clavister firewall, RADIUS-based authentication can be strengthened by using multi-factor authentication, sometimes also called 2-factor or 2-step authentication. The first factor is usually a conventional username and password combination. The second factor is typically a short code, often referred to as a one-time password (OTP), that is delivered to the user or generated by the user separately from the password.

Multi-Factor Support is Automatic

By default, cOS Stream supports multi-factor authentication automatically: when the RADIUS server answers an authentication request with a RADIUS Access-Challenge message, cOS Stream recognizes the challenge and requires the authenticating client to supply an additional code before access is granted. That code may be sent to the user at the time of authentication by the RADIUS server, for example by SMS or email. Alternatively, the code may be generated by the user with a code generation application that has previously been synchronized with the server.

The PhenixID Authentication Server (PAS) product is an example of a RADIUS server that provides these multi-factor capabilities (PhenixID is a Clavister subsidiary). See the separate PhenixID documentation for a description of how to set up different multi-factor RADIUS authentication scenarios.
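The exchange described above, as an added example that is not code from cOS Stream or from PhenixID: a NAS-side client and a constructed toy RADIUS server run in one process, using only the Python standard library, so the Access-Request / Access-Challenge / second Access-Request / Access-Accept round trip can be traced offline. The packet format, the User-Password hiding and the response authenticator follow RFC 2865; the requirement that the client echo the server's State attribute unchanged in its second request is also RFC 2865 behaviour. The user names, passwords, OTP value, shared secret and the Reply-Message text are constructed test values, and the SMS delivery is stood in for by a callback that returns the code the user types in.

```python
"""RADIUS Access-Challenge (multi-factor) round trip: NAS client plus a toy server.
Added example, not cOS Stream or PhenixID code; standard library only, runs offline."""
import hashlib, hmac, os, struct

# RFC 2865 packet codes and the attribute types this example uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def _xor_blocks(secret, authenticator, data, chain_on_output):
    """RFC 2865 5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous block); the first block uses the request authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (mixed if chain_on_output else block)
    return out

def encode_password(secret, authenticator, password):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(secret, authenticator, padded or b"\x00" * 16, True)

def decode_password(secret, authenticator, hidden):
    return _xor_blocks(secret, authenticator, hidden, False).rstrip(b"\x00")

def _tlv(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(_tlv(attrs))) + authenticator + _tlv(attrs)

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:                      # type, length, value; length covers the header
        t, n = data[pos], data[pos + 1]
        if n < 2 or pos + n > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + n]))
        pos += n
    return code, ident, data[4:20], attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(_tlv(attrs)))
    return hashlib.md5(hdr + request_auth + _tlv(attrs) + secret).digest()

def reply(code, ident, request_auth, attrs, secret):
    return build_packet(code, ident, response_authenticator(code, ident, request_auth, attrs, secret), attrs)

class ToyRadiusServer:
    """Constructed stand-in for a challenge-capable server: password first, then an
    OTP assumed sent out of band, tied to an opaque State the NAS must echo back."""
    def __init__(self, secret, users, otp):
        self.secret, self.users, self.otp, self.pending = secret, users, otp, {}

    def handle(self, data):
        code, ident, auth, attrs = parse_packet(data)
        a = dict(attrs)
        user, state = a.get(USER_NAME, b""), a.get(STATE)
        pw = decode_password(self.secret, auth, a.get(USER_PASSWORD, b""))
        if code == ACCESS_REQUEST and state is None:                     # first factor
            if user in self.users and hmac.compare_digest(self.users[user], pw):
                state = os.urandom(16)
                self.pending[state] = user
                return reply(ACCESS_CHALLENGE, ident, auth, [(STATE, state),
                             (REPLY_MESSAGE, b"Enter the code sent by SMS")], self.secret)
        elif code == ACCESS_REQUEST and self.pending.pop(state, None) == user:  # second factor
            if hmac.compare_digest(self.otp, pw):
                return reply(ACCESS_ACCEPT, ident, auth, [], self.secret)
        return reply(ACCESS_REJECT, ident, auth, [], self.secret)

def authenticate(send, secret, user, password, ask_for_code, max_rounds=3):
    """NAS side: send Access-Request; on Access-Challenge prompt for the code, echo
    State unchanged and re-send. Returns (outcome, Reply-Message)."""
    state, cred = None, password
    for ident in range(max_rounds):
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user), (USER_PASSWORD, encode_password(secret, req_auth, cred))]
        if state is not None:
            attrs.append((STATE, state))
        code, rid, rauth, rattrs = parse_packet(send(build_packet(ACCESS_REQUEST, ident, req_auth, attrs)))
        if rid != ident or not hmac.compare_digest(rauth, response_authenticator(code, rid, req_auth, rattrs, secret)):
            return "invalid", b""          # spoofed, replayed or mismatched reply
        ra = dict(rattrs)
        if code != ACCESS_CHALLENGE:
            return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid"), ra.get(REPLY_MESSAGE, b"")
        if STATE not in ra:                # a challenge without State cannot be answered
            return "invalid", b""
        state, cred = ra[STATE], ask_for_code(ra.get(REPLY_MESSAGE, b""))
    return "invalid", b""

def run(user=b"alice", password=b"correct horse", code_entered=b"492817"):
    """One login with constructed credentials; returns (outcome, prompts shown to the user)."""
    secret = b"shared-radius-secret"
    server = ToyRadiusServer(secret, {b"alice": b"correct horse"}, otp=b"492817")
    prompts = []
    def ask(msg):
        prompts.append(msg)
        return code_entered
    return authenticate(server.handle, secret, user, password, ask)[0], prompts
```

`run()` returns `("accept", [b"Enter the code sent by SMS"])`; a wrong code after a correct password returns a reject with the same prompt, and a wrong password is rejected without any challenge being issued. Two details matter for a firewall acting as the NAS: the client verifies the response authenticator of every reply with the shared secret before acting on it, so a forged Access-Challenge or Access-Accept from an on-path attacker is discarded, and the State attribute is treated as opaque and echoed byte-for-byte, since the server uses it to tie the second Access-Request to the first.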

Multi-Factor Processing Sequence

The sequence of processing for multi-factor authentication with cOS Stream is as follows:

The diagram below illustrates all the steps up to this point. In this diagram, it is assumed that the RADIUS server sends an SMS message with a one-time code to the user's smartphone.

Figure 17.1. Multi-Factor Authentication Processing

The process now completes with the following steps:

Notes on Multi-Factor Authentication

The following points should be noted about setting up multi-factor authentication with cOS Stream: