Multi-Factor Authentication with DynamicID

Multi-factor authentication is a system where two or more different methods are used to authenticate users. Using more than one factor delivers a higher level of authentication assurance. DynamicID is one option for multi-factor authentication.

Users who successfully complete the first-phase authentication can be challenged to provide an additional credential: a DynamicID One Time Password (OTP). The OTP is sent to their mobile communications device (such as a mobile phone) via SMS or directly to their email account.

DynamicID is supported for all Mobile AccessClosed Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. and IPsec VPNClosed Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. clients.

How DynamicID Works

When logging in to the Mobile Access Portal, users see an additional authentication challenge such as:

Please type the verification code sent to your phone.

Users enter the one time password that is sent to the configured phone number or email address and they are then admitted to the Mobile Access Portal.

On the User Portal sign in screen, the I didn't get the verification code link shows. If the user does not receive an SMS or email with the verification code within a short period of time, the user can click that button to receive options for resending the verification code.

Administrators can allow users to select a phone number or email address from a list. Only some of the phone number digits are revealed. Users can then select the correct phone number or email address from the list and click Send to resend the verification code. By default, users can request to resend the message three times before they are locked out of the Portal.

Match Word feature:

The Match Word feature ensures that users can identify the correct DynamicID verification code in situations when they may receive multiple messages. Users are provided with a match word on the Login page that will also appear in the correct message. If users receive multiple SMS messages, they can identify the correct one, as it will contain the same match word.

The SMS Service Provider

This is configured in Gateway Properties > Network Management > Proxy.

To access the SMS service provider, configure the proxy settings on the Security Gateway:

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click Gateways & Servers and double-click the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management > Proxy.

  3. Define the Proxy settings.

    If no proxy is defined on this page, no proxy is used for the SMS provider.

Whichever provider you work with, in order for the SMS messages to be sent to users, valid account details must be obtained from the provider and be configured in Mobile Access.

DynamicID Authentication Granularity

You can make multi-factor authentication with DynamicID a requirement to log in to the Security Gateway. Alternatively, you can make DynamicID a requirement to access specified applications. This flexibility gives you different security clearance levels.

To make multi-factor authentication with DynamicID a requirement to access specified applications, configure a Protection Level to require multi-factor authentication, and associate the Protection Level with Mobile Access applications (see the "Two-Factor Authentication per Application" section).

In an environment with multiple Mobile Access Security Gateways, make multi-factor authentication a requirement for a specified Security Gateway, configure multi-factor authentication for that Security Gateway.

DynamicID authentication can be part of a login option that is required for the Mobile Access Portal or Capsule Workspace, or both.

Basic DynamicID Configuration for SMS or Email

The workflow for basic configuration of two-factor authentication with DynamicID is:

  1. Get these required SMS service provider settings from your SMS provider.

    • A URL in the format specified by the SMS provider or a valid email address.

    • Account credentials:

      • User name

      • Password

      • API ID (optional and may be left empty)

        Note - If DynamicID is configured to work with email only, an SMS Service Provider is not necessary.

  2. The default phone number and email search method is that the Security Gateway searches for phone numbers or email addresses in user records on the LDAP account unit, and then in the phone directory on the local Security Gateway. If the phone number configured is actually an email address, an email will be sent instead of an SMS message. The phone number and email search method can be changed in the Phone Number or Email Retrieval section of the Two-Factor Authentication with DynamicID - Advanced window.

    If users authenticate via LDAP, configure the list of phone numbers on LDAP by defining a phone number or email address for each user. By default, Mobile Access uses the Mobile field in the Telephones tab. If the phone number configured is actually an email address, an email will be sent instead of an SMS message.

    Configure the list of phone numbers or email addresses on each Mobile Access Security Gateway. For a Mobile Access clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., configure the directory on each cluster memberClosed Security Gateway that is part of a cluster..

    To configure a list of phone numbers on a Security Gateway:

    1. Connect to the command line on the Mobile Access Security Gateway using a secure console connection.

    2. Log in to the Expert mode.

    3. Back up the $CPDIR/conf/dynamic_id_users_info.lst file.

      Note - If this file does not yet exist, create it.

    4. Edit the $CPDIR/conf/dynamic_id_users_info.lst file.

    5. Add a list of user names and phone numbers, and/or email addresses.

      The list must be followed by a blank line. Use this syntax:

      <Username or Full DN> <Phone number or Email address>

    Parameter

    Meaning

    <Username>

    or

    <Full DN>

    Either a user name or, for users that log in using a certificate, the full DN of the certificate.

    <Phone number>

    All printable characters can be used in the phone number, excluding the space character, which is not allowed. Only the digits are relevant.

    <Email address>

    A valid email address in the format user@domain.com

    Example of acceptable ways to enter users and their phone numbers or email addresses in $CPDIR/conf/dynamic_id_users_info.lst

    bob +044-888-8888
    jane.tom@domain.com
    CN=tom,OU=users,O=example.com +044-7777777
    CN=mary,OU=users,O=example.com +mary@domain.com

    You can let users choose from multiple phone numbers when resending the verification code.

    To configure choice of numbers:

    Edit the configuration file $CPDIR/conf/dynamic_id_users_info.lst on the Security Gateway.

    Note - If this file does not yet exist, create it.

    • Enter one number in the LDAP directory in the Mobile field and one or more phone numbers in configuration file.

    • Enter multiple phone numbers separated by white space in the configuration file.

      For example: user_a 917-555-5555 603-444-4444

  3. Configure the Authentication settings to make two-factor authentication necessary for all mobile devices.

    This table explains parameters used in the SMS Provider and Email Settings field. The value of these parameters is automatically used when sending the SMS or email.

    Parameter

    Meaning

    $APIID

    The value of this parameter is the API ID.

    $USERNAME

    The value of this parameter is the username for the SMS provider.

    $PASSWORD

    The value of this parameter is the password for the SMS provider.

    $PHONE

    User phone number, as found in Active Directory or in the local file on the Security Gateway, including digits only and without a + sign.

    $EMAIL

    The email address of the user as found in Active Directory or in the local file on the Security Gateway - $CPDIR/conf/dynamic_id_users_info.lst.

    If the email address should be different than the listed one, it can be written explicitly. if the file does not exist, create it.

    $MESSAGE

    The value of this parameter is the message configured in the Advanced Two-Factor Authentication Configuration Options in SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings..

    $RAWMESSAGE

    The text from $Message, but without HTTP encoding.

    1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access.

      Click Open Mobile Access Policy in SmartDashboard.

      SmartDashboard opens and shows the Mobile Access tab.

    2. From the navigation tree, click Authentication.

    3. In the Dynamic ID Settings section, click Edit.

      The DynamicID Settings window opens.

    4. Fill in the SMS Provider and Email Settings field using one of these formats:

      1. To let the DynamicID code to be delivered by SMS only, use the following syntax:

        2. https://api.example.com/http/sendmsg?api_id=$APIID&user=$USERNAME&password=$PASSWORD&to=$PHONE&text=$MESSAGE

      2. To let the DynamicID code to be delivered by email only, without an SMS service provider, use the following syntax:

        • For SMTP protocol:

          mail:TO=$EMAIL;SMTPSERVER=smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE

        • For SMTPS protocol on port 465:

          mail:TO=$EMAIL;SMTPSERVER=smtps://username:password@smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE

        • For SMTP protocol with START_TLS:

          mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER=smtp://username:password@smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE

        • For SMTP protocol on port 587 with START_TLS:

          mail:TO=$EMAIL;SSL_REQUIRED;SMTPSERVER=smtp://username:password@smtp.example.com:587;FROM=sslvpn@example.com;BODY=$RAWMESSAGE

      3. To let the DynamicID code to be delivered by SMS or email, use the following syntax:

        sms:https://api.example.com/sendsms.php?username=$USERNAME&password=$PASSWORD&phone=$PHONE&smstext=$MESSAGE mail:TO=$EMAIL;SMTPSERVER=smtp.example.com;FROM=sslvpn@example.com;BODY=$RAWMESSAGE

      Note - If the SMTP username and password contain special characters, use these:

      !

      #

      $

      %

      &

      '

      (

      %21

      %23

      %24

      %25

      %26

      %27

      %28

      )

      *

      +

      ,

      /

      :

      ;

      %29

      %2A

      %2B

      %2C

      %2F

      %3A

      %3B

      =

      ?

      @

      [

      ]

       

       

      %3D

      %3F

      %40

      %5B

      %5D

       

       

    5. In the SMS Provider Account Credentials section, enter the credentials received from the SMS provider:

      • Username

      • Password

      • API ID (optional)

    6. For additional configuration options, click Advanced.

      See Advanced Two-Factor Authentication DynamicID Configuration.

    7. Click OK.

    8. Click Save and then close SmartDashboard.

    9. In SmartConsole, install policy.

    1. In SmartConsole, click Gateways & Servers and double-click the Security Gateway.

      The Security Gateway window opens and shows the General Properties page.

    2. From the navigation tree, click Mobile Access > Authentication.

    3. In the Two-Factor Authentication section, configure these settings:

      • For a Security Gateway that uses the global authentication settings, select Global settings.

      • For a Security Gateway that uses different authentication settings, select Custom settings.

      • For mobile devices, select Allow DynamicID for mobile devices.

    4. Click OK.

    5. Install the policy.

    1. Browse to the URL of the Mobile Access Portal.

    2. Log in as a user.

    3. Supply the Security Gateway authentication credentials.

    4. Wait to receive the DynamicID code on your mobile communication device or check your email.

    5. Enter the DynamicID code in the portal.

      Make sure that you are logged in to the Mobile Access Portal.

Advanced Two-Factor Authentication DynamicID Configuration

This section describes the advanced settings for DynamicID. For basic settings, see Basic DynamicID Configuration for SMS or Email.

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. From the navigation tree, click Authentication.

  3. In the DynamicID Settings section, click Edit.

    The DynamicID Settings window opens.

  4. Click Advanced.

    The Two-Factor Authentication with DynamicID - Advanced window opens.

  1. In SmartConsole, click Gateways & Servers.

  2. Double-click the Security Gateway.

    The Security Gateway window opens and shows the General Properties page.

  3. From the navigation tree, click Mobile Access > Authentication.

  4. In the DynamicID Settings section, clear Use Global Settings.

  5. Click Edit.

    The DynamicID Settings window opens.

  6. Click Advanced.

    The Two-Factor Authentication with DynamicID - Advanced window opens.

Configure the applicable settings:

  1. Configure the "Dynamic ID Authentication Enforcement"

    Select the applicable option:

    • Optional - Allow users to log in but deny access to applications that require DynamicID authentication: When users log in, they are given the option to "Skip" the two-factor authentication. Users who choose skip are allowed to log in, but are denied access to applications that require two-factor authentication.

    • Mandatory - Users must successfully authenticate using DynamicID in order to log in.

  2. Configure the "DynamicID Message"

    In the Message text to be sent to the user field, enter the applicable text.

    By default, the text of the message is "Mobile Access DynamicID one time password:".

    The message can contain the template fields shown in the following table to include the user's name and prompt users to use enter a One Time Password.

    For example, the message could say:

    $NAME, use the verification code $CODE to enter the portal.

    Parameter

    Meaning

    $NAME

    User name used in the first phase of authentication to the portal.

    $CODE

    Replaced with the One Time Password.

    By default, $CODE is added to the end of the message.

  3. Configure the "DynamicID Settings".

    Configure the applicable values:

    • Length of one time password - By default, it is 6 digits.

    • One time password expiration (in minutes) - By default, it is 5 minutes. Ensure there is a reasonably sufficient time for the message to arrive at the mobile communication device or email account, for the user to retrieve the password, and to type it in.

    • Number of times users can attempt to enter the one time password before the entire authentication process restarts - By default, the user has 3 tries.

  4. Configure the "Display User Details"

    By default, the phone number to which the SMS message was sent is not shown.

    To change this, select In the portal, display the phone number or email address that received the DynamicID.

  5. Configure the "Country Code"

    The default country code is added if the phone number stored on the LDAP server or on the local file on the Security Gateway starts with 0.

    To change this, in the Default country code for phone numbers that do not include country code field, enter the applicable value.

  6. Configure the "Phone Number or Email Retrieval"

    Select the applicable option:

    • Internal user, LDAP server, or local file

      Try to retrieve user details from the internal user object or LDAP user record.

      If unsuccessful, retrieve from the local file on the Mobile Access Gateway:

      $CVPNDIR/conf/dynamic_id_users_info.lst

    • Internal user or LDAP server only

      Retrieve user details from the internal user object or LDAP user record.

    • Local File Only

      Retrieve the user details from the local file on the Mobile Access Gateway:

      $CVPNDIR/conf/dynamic_id_users_info.lst

    Note - If this file does not exist yet, create it.

  7. Click OK.

  8. Install the Access Control policy.

Configuring Resend Verification and Match Word

You configure the DynamicID troubleshooting and match word features with Database Tool (GuiDBEdit Tool) or dbedit (see skI3301).

The Database Tool (GuiDBEdit Tool) table to edit depends on the Two-Factor Authentication with SMS One Time Password (OTP) setting that you configured in SmartDashboard in the Mobile Access Gateway Properties > Authentication.

  • If your DynamicID One Time Password settings are global across all of your Security Gateways (use the global settings configured in the Mobile Access tab is selected), in the Database Tool (GuiDBEdit Tool) select Other > Mobile Access Global Properties.

  • If your DynamicID One Time Password settings are configured for a specific Security Gateway (this Security Gateway has its own two-factor authentication settings is selected), in the Database Tool (GuiDBEdit Tool) select network_objects and then select the specific Security Gateway you want to edit.

This table shows the DynamicID features that can be configured, and where in Database Tool (GuiDBEdit Tool) to configure them.

Feature

Attributes to Edit

Values and their Descriptions

Match Word

use_message_matching_helper

true: match word provided

false: match word not provided (default)

Resend message

enable_end_user_re_transmit_message

true: enable resend SMS feature (default)

false: disable resend SMS feature

Display multiple

phone numbers

enable_end_user_select_phone_num

true: enable option to choose from multiple phone numbers or email addresses when resending the verification code (default)

false: one phone number or email address from the LDAP server or local file is used automatically without choice

Conceal

displayed phone

numbers

Edit these attributes:

reveal_partial_phone_num

and

number_of_digits_revealed

For reveal_partial_phone_num:

true: conceal part of the phone number or email address (default)

false: display the full phone number or email address

For number_of_digits_revealed:

1-20: Choose the amount of digits to reveal (default is 4)

After editing the values in the Database Tool (GuiDBEdit Tool):

  1. Save all changes: File menu > Save All.

  2. Close the Database Tool (GuiDBEdit Tool).

  3. Open SmartConsole.

  4. Install the Access Control policy on the Security Gateway.

Configuring the Number of Times Messages are Resent

By default, users can request to resend the verification code message three times by clicking the I didn't get the verification code link before they are locked out of the Mobile Access Portal. The number of times the message can be resent is configured using the cvpnd_settings command from the Mobile Access CLI in expert mode.

The instructions below relate to actually resending the verification code message. The number of times users can try to input the verification code is configured in SmartDashboard in the Two Factor Authentication Advanced window.

To change the number of times the verification code message can be resent to 5, run this command in the Expert mode on the Security Gateway:

cvpnd_settings set smsMaxResendRetries 5

You can replace "5" with any other number to configure a different amount of retries.

After making the changes, run the "cvpnrestart" command to activate the settings.

If the Mobile Access Security Gateway is part of a cluster, be sure to make the same changes on each cluster member.

Two-Factor Authentication per Security Gateway

  1. Configure basic Two-Factor Authentication.

    See Basic DynamicID Configuration for SMS or Email.

  2. For each Security Gateway, in the Security Gateway Properties, go to Gateway Properties > Mobile Access > Authentication.

  3. Configure one of these options:

    • To use the global settings - Select Global settings and the global settings are used from the Authentication to Gateway page of the Mobile Access tab. This is the default.

    • To turn off two-factor authentication for the gateway - Select Custom Settings for this Gateway and click Configure. In the window that opens, do not select the check box. This turns off two-factor authentication for this Security Gateway.

    • To activate two-factor authentication for the gateway with custom settings -Select Custom Settings for this Gateway and click Configure. In the window that opens, select the check box. You must then configure custom SMS Provider Credentials for this Security Gateway. Optionally, configure Advanced options.

  4. Repeat Step 2 and Step 3 for all other Security Gateways.

  5. Install the Access Control policy.

Two-Factor Authentication per Application

To configure two-factor authentication per application:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. Configure basic two-factor authentication (see Basic DynamicID Configuration for SMS or Email).

    1. Configure the phone directory.

    2. Configure the application settings in Mobile Access tab > Authentication.

    3. Configure the Mobile Access Security Gateways to let the mobile devices use DynamicID.

  3. Configure the Mobile Access Applications.

    1. In the Protection Level window, from the navigation tree click Authentication.

    2. Select User must successfully authenticate via SMS.

    3. Click OK.

  4. Assign the protection level to Mobile Access applications that require Mobile Access Applications.

  5. Click Save.

  6. Close SmartDashboard.

  7. In SmartConsole, install the Access Control policy.

Changing the SMS Provider Certificates and Protocol

By default, it is recommended to use a secure (https) protocol for communication with the SMS provider. Mobile Access also validates the provider server certificate using a predefined bundle of trusted CAs.

If your SMS provider uses a non-trusted server certificate you can do one of the following:

  • Add the server certificate issuer to the trusted CA bundle in $FWDIR/database/{} and run this command in the Expert mode:

    $CVPNDIR/bin/rehash_ca_bundle

  • Ignore the server certificate validation by editing the $CVPNDIR/conf/cvpnd.C file and replacing the "SmsWebClientProcArgs" value with ("-k").

If your SMS provider is working with the non-secure HTTP protocol, edit the file $CVPNDIR/conf/cvpnd.C and replace the "SmsWebClientProcArgs" value with ("").