1FA / 2FA / 3FA


Multi Factor Authentication

MFA is available in AADS for Windows Vista / Server 2008 and newer.

[Figures: 1FA, 2FA, 3FA]

MFA (Multi Factor Authentication) can be enabled by enabling either or both of 2FA Mobile and 2FA Email:

2FA Mobile

2FA Mobile requires that the user has installed an App on their Mobile Device that can generate so-called TOTP codes (Time-based One Time Passwords), which are based on the Open Standard RFC 6238.

Some examples of these mobile Apps:

Google Playstore - Microsoft Authenticator - https://play.google.com/store/apps/details?id=com.azure.authenticator
Google Playstore - Google Authenticator - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
Google Playstore - FreeOTP Authenticator - https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp
Apple Appstore - FreeOTP Authenticator - https://apps.apple.com/us/app/freeotp-authenticator/id872559395
Apple Appstore - Google Authenticator - https://apps.apple.com/us/app/google-authenticator/id388497605
Apple Appstore - Microsoft Authenticator - https://apps.apple.com/us/app/microsoft-authenticator/id983156458
FDroid - FreeOTP+ - https://f-droid.org/en/packages/org.liberty.android.freeotpplus/
FDroid - Aegis Authenticator - https://f-droid.org/en/packages/com.beemdevelopment.aegis/

Apps using TOTP, based on the Open Standard RFC 6238:

The (Mobile) Device with the OTP App can be, and should be, completely Offline. This is a relevant aspect of the solution: the OTP is never transmitted between the Server and the (Mobile) Device, and because nothing is transmitted and the (Mobile) Device is Offline, nothing can "capture" or "listen on the line" to steal the OTP code and send it to some hacker/criminal.

Suggestion: when using the (Mobile) Device for a Logon, put the (Mobile) Device into "Flight Mode" before doing the Logon and the 2FA procedure.

The Open Standard RFC 6238 requires that the Server and the (Mobile) Device both have accurate clock settings, including accurate TimeZone settings.
It is not required that the Server and the (Mobile) Device are in the same TimeZone on this planet, but it is required that the clock is properly set.
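To make the clock requirement concrete, here is a reference implementation of RFC 6238 TOTP (over RFC 4226 HOTP, HMAC-SHA1, 30-second step), added as an illustration for this page; it is not AADS code, and the RFC default parameters are assumed. The `digits` argument corresponds to the "Nr. of Digits" setting described below, and the verifier shows the usual small clock-skew window a Server allows.

```python
import hashlib
import hmac
import struct
import time

# Reference TOTP (RFC 6238) over HOTP (RFC 4226), HMAC-SHA1 with a 30-second step.
# Illustration added to this page, not AADS code; the RFC defaults are assumed.
TIME_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, keep N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # "Nr. of Digits": zero-padded width


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of TIME_STEP intervals since the Unix epoch.

    Unix time is UTC-based, so the TimeZone of Server and Device never enters the
    computation; only a correctly set clock matters, as the page states."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Server-side check accepting +/- skew_steps intervals of clock difference.

    The Device stays Offline: only the user-typed code reaches the Server, and
    compare_digest keeps each comparison constant-time."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * TIME_STEP, digits), candidate)
        for d in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    # Shared secret from the RFC 6238 Appendix B test vectors (ASCII "12345678901234567890");
    # a real Token is a random secret provisioned once to the App.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))      # 94287082 per RFC 6238 Appendix B
    print(totp(secret, int(time.time())))  # the 6-digit code an App would show right now
```

A Device whose clock is off by more than the skew window produces codes the Server rejects, which is exactly the failure the clock requirement above is meant to prevent.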

2FA Email

2FA Email requires that the Administrator enters the email address of the users into the Windows User Administration:


Nr. of Digits

The Nr. of Digits determines the number of digits of the OTP code that the user has to enter:

If 2FA Mobile is not used and only 2FA Email is used, any number of digits may be chosen, because the recommendation of 6 or 8 digits only applies to the use of OTP Apps on Mobile Devices.

TimeOut (minutes)

When asked to enter the OTP, the user has to do this within the TimeOut. If the TimeOut is exceeded, the session will be disconnected.

This implies that the email with the OTP needs to reach the user within this Time Limit.
Unfortunately email is sometimes delivered with delay, for example because of anti-spam filtering...

Nr. of Tries

The Nr. of Tries sets how many tries the user has for correctly entering the OTP.

The Nr. of Tries "is synchronized" with / is the same setting as the Nr. of Failed Login Attempts in the Firewall.
If the user has entered the OTP incorrectly too often, the RDP Firewall will block the user.


Apply to the Console

By default it is not required to enter an OTP code when logging in on the Console.

One should carefully consider the necessity before enabling "Apply to the Console", because the Console is often used / necessary in case of problems. And if there are problems, it would be "unfortunate" if it is not possible to log in on the Console because of 2FA... See Trouble: 2FA ...

Note: when the Server is rebooted in "Windows Safe Mode", 2FA is disabled.

Public / Private IP Address

Using Multi Factor Authentication for Public IP Addresses is required. This setting cannot be disabled.

Using MFA for Private IP Addresses is optional. For example, it could be that the only users / employees able to enter the office building are the users themselves, so that it never happens that "others" are working on PCs / Clients within the office building. In such a case the Administrator can choose not to require 2FA for Private/Local IP Addresses.

SSL Gateway

The SSL Gateway as implemented by AADServer implies identification of both the client and the server. It is not possible for a random Client to set up an SSL connection with an AADServer.
Therefore one can state that if the SSL Gateway is used, MFA is already done:

  1. The user has to enter a unique Windows username and password.
  2. The user has to install and use a specific AADS Client build with an SSL Client Certificate which is generated solely for this user.

If "Apply in case Client uses SSL Gateway" is enabled, one can state that the user is identified in 3 different ways:

  1. The user has to enter a unique Windows username and password.
  2. The user has to enter an OTP, based on a unique Token for this user.
  3. The user has to install and use a specific AADS Client build with an SSL Client Certificate which is generated solely for this user.

Start Menu of the User

Optionally the user can have a 2FA-OTP Program Item in the Windows Start Menu. The 2FA-OTP program enables the user to "delete" the current Token and generate a new Token at the next logon.
This can be compared to the user being able to change his/her Windows password.


All Users / If Member of

2FA can be applied to all users, or can be applied based on membership of a Windows Group.
This can be a local Group defined on the local AADServer, or a Group defined in the Domain.


© 2012-2023 AADS WorldWide. Terminal Server | Application Server | Remote Desktop solutions | Firewall