Multi-Factor Authentication with DynamicID

Multi-factor authentication is a system where two or more different methods are used to authenticate users. Using more than one factor delivers a higher level of authentication assurance. DynamicID is one option for multi-factor authentication.

Users who successfully complete the first-phase authentication can be challenged to provide an additional credential: a DynamicID One Time Password (OTP). The OTP is sent to their mobile communications device (such as a mobile phone) via SMS or directly to their email account.

DynamicID is supported for all Mobile Access (the Check Point Software Blade on a Security Gateway that provides Remote Access VPN access for managed and unmanaged clients; acronym: MAB) and IPsec VPN (the Check Point Software Blade on a Security Gateway that provides Site to Site VPN and Remote Access VPN access) clients.

How DynamicID Works

When logging in to the Mobile Access Portal, users see an additional authentication challenge such as:

Please type the verification code sent to your phone.

Users enter the one time password that is sent to the configured phone number or email address and they are then admitted to the Mobile Access Portal.

On the User Portal sign in screen, the I didn't get the verification code link is shown. If the user does not receive an SMS or email with the verification code within a short period of time, the user can click that link to see the options for resending the verification code.

Administrators can allow users to select a phone number or email address from a list. Only some of the phone number digits are revealed. Users can then select the correct phone number or email address from the list and click Send to resend the verification code. By default, users can request to resend the message three times before they are locked out of the Portal.

Match Word feature:

The Match Word feature ensures that users can identify the correct DynamicID verification code in situations when they may receive multiple messages. Users are provided with a match word on the Login page that will also appear in the correct message. If users receive multiple SMS messages, they can identify the correct one, as it will contain the same match word.

The SMS Service Provider

This is configured in Gateway Properties > Network Management > Proxy.

To access the SMS service provider, configure the proxy settings on the Security Gateway:

  1. In SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on), click Gateways & Servers and double-click the Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources).

    The Security Gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Network Management > Proxy.

  3. Define the Proxy settings.

    If no proxy is defined on this page, no proxy is used for the SMS provider.

Whichever provider you work with, valid account details must be obtained from the provider and configured in Mobile Access before SMS messages can be sent to users.

DynamicID Authentication Granularity

You can make multi-factor authentication with DynamicID a requirement to log in to the Security Gateway. Alternatively, you can make DynamicID a requirement to access specified applications. This flexibility gives you different security clearance levels.

To make multi-factor authentication with DynamicID a requirement to access specified applications, configure a Protection Level to require multi-factor authentication, and associate the Protection Level with Mobile Access applications (see the "Two-Factor Authentication per Application" section).

In an environment with multiple Mobile Access Security Gateways, to make multi-factor authentication a requirement for a specified Security Gateway, configure multi-factor authentication for that Security Gateway (see the "Two-Factor Authentication per Security Gateway" section).

DynamicID authentication can be part of a login option that is required for the Mobile Access Portal or Capsule Workspace, or both.

Basic DynamicID Configuration for SMS or Email

The workflow for basic configuration of two-factor authentication with DynamicID is:

Advanced Two-Factor Authentication DynamicID Configuration

This section describes the advanced settings for DynamicID. For basic settings, see Basic DynamicID Configuration for SMS or Email.

Configure the applicable settings:

  1. Configure the "Dynamic ID Authentication Enforcement"

  2. Configure the "DynamicID Message"

  3. Configure the "DynamicID Settings".

  4. Configure the "Display User Details"

  5. Configure the "Country Code"

  6. Configure the "Phone Number or Email Retrieval"

  7. Click OK.

  8. Install the Access Control policy.

Configuring Resend Verification and Match Word

You configure the DynamicID troubleshooting and match word features with Database Tool (GuiDBEdit Tool) or dbedit (see skI3301).

The Database Tool (GuiDBEdit Tool) table to edit depends on the Two-Factor Authentication with SMS One Time Password (OTP) setting that you configured in SmartDashboard in the Mobile Access Gateway Properties > Authentication.

  • If your DynamicID One Time Password settings are global across all of your Security Gateways (use the global settings configured in the Mobile Access tab is selected), in the Database Tool (GuiDBEdit Tool) select Other > Mobile Access Global Properties.

  • If your DynamicID One Time Password settings are configured for a specific Security Gateway (this Security Gateway has its own two-factor authentication settings is selected), in the Database Tool (GuiDBEdit Tool) select network_objects and then select the specific Security Gateway you want to edit.

The following list shows the DynamicID features that can be configured, the attributes to edit, and the values each attribute accepts in Database Tool (GuiDBEdit Tool).

Feature: Match Word
  Attribute to edit: use_message_matching_helper
  Values:
    true: match word provided
    false: match word not provided (default)

Feature: Resend message
  Attribute to edit: enable_end_user_re_transmit_message
  Values:
    true: enable resend SMS feature (default)
    false: disable resend SMS feature

Feature: Display multiple phone numbers
  Attribute to edit: enable_end_user_select_phone_num
  Values:
    true: enable option to choose from multiple phone numbers or email addresses when resending the verification code (default)
    false: one phone number or email address from the LDAP server or local file is used automatically without choice

Feature: Conceal displayed phone numbers
  Attributes to edit: reveal_partial_phone_num and number_of_digits_revealed
  Values:
    For reveal_partial_phone_num:
      true: conceal part of the phone number or email address (default)
      false: display the full phone number or email address
    For number_of_digits_revealed:
      1-20: the number of digits to reveal (default is 4)
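The following is an added example, not Check Point's code, that models how a resend dialog can conceal destinations according to the attributes listed above (enable_end_user_select_phone_num, reveal_partial_phone_num and number_of_digits_revealed). Two details are assumptions, because the page does not state them: the revealed digits are the trailing ones, and an email address keeps its first character and its domain. The function and parameter names are the example's own.

```python
# Added example (not Check Point's code): a model of destination concealment in
# the "I didn't get the verification code" dialog, following the attributes
# documented on this page. Assumptions, since the page does not state them: the
# revealed digits are the trailing ones, and an email address keeps its first
# character and its full domain.


def conceal_phone(number: str, reveal_partial: bool = True, digits_revealed: int = 4) -> str:
    """Mask a phone number, keeping only the last `digits_revealed` digits visible.

    reveal_partial maps to reveal_partial_phone_num; digits_revealed maps to
    number_of_digits_revealed, clamped to the documented range 1-20 (default 4).
    Separators such as '+', spaces and dashes are left in place.
    """
    if not reveal_partial:
        return number
    n = max(1, min(20, digits_revealed))
    digit_positions = [i for i, ch in enumerate(number) if ch.isdigit()]
    # Everything but the last n digits is hidden; a number with n digits or fewer
    # is shown as-is, because nothing is left to hide beyond the revealed part.
    hidden = set(digit_positions[:-n])
    return "".join("*" if i in hidden else ch for i, ch in enumerate(number))


def conceal_email(address: str, reveal_partial: bool = True) -> str:
    """Mask the local part of an email address except its first character (assumption)."""
    if not reveal_partial or "@" not in address:
        return address
    local, domain = address.rsplit("@", 1)
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


def conceal_destination(destination: str, reveal_partial: bool = True, digits_revealed: int = 4) -> str:
    """Dispatch on the destination type: anything containing '@' is treated as an email address."""
    if "@" in destination:
        return conceal_email(destination, reveal_partial)
    return conceal_phone(destination, reveal_partial, digits_revealed)


def resend_choices(destinations, enable_select=True, reveal_partial=True, digits_revealed=4):
    """Build the list shown to the user when resending the verification code.

    enable_select maps to enable_end_user_select_phone_num: when false, only the
    first destination from the directory is used, without offering a choice.
    """
    shown = list(destinations) if enable_select else list(destinations)[:1]
    return [conceal_destination(d, reveal_partial, digits_revealed) for d in shown]


if __name__ == "__main__":
    # Constructed sample directory entries, not real subscriber data.
    sample = ["+1 555 010 2368", "alice.smith@example.test"]
    for choice in resend_choices(sample):
        print(choice)
```

With the defaults, "+1 555 010 2368" is displayed as "+* *** *** 2368", which is enough for the user to recognise the destination while revealing little to anyone else looking at the login page.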

After editing the values in the Database Tool (GuiDBEdit Tool):

  1. Save all changes: File menu > Save All.

  2. Close the Database Tool (GuiDBEdit Tool).

  3. Open SmartConsole.

  4. Install the Access Control policy on the Security Gateway.

Configuring the Number of Times Messages are Resent

By default, users can request to resend the verification code message three times by clicking the I didn't get the verification code link before they are locked out of the Mobile Access Portal. The number of times the message can be resent is configured using the cvpnd_settings command from the Mobile Access CLI in expert mode.

The instructions below relate to resending the verification code message. The number of times users can try to enter the verification code is configured separately, in SmartDashboard in the Two-Factor Authentication Advanced window.

To change the number of times the verification code message can be resent to 5, run this command in the Expert mode on the Security Gateway:

cvpnd_settings set smsMaxResendRetries 5

You can replace "5" with any other number to configure a different amount of retries.

After making the changes, run the "cvpnrestart" command to activate the settings.

If the Mobile Access Security Gateway is part of a cluster, be sure to make the same changes on each cluster member.
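The following is an added example, not Check Point's code, that models one DynamicID challenge with the behaviours described in the "Match Word feature" paragraph and in this section: a match word shown on the login page and repeated in every message, a resend limit (three by default, as with smsMaxResendRetries) and a separate limit on code entries, each ending in a lockout. The six-digit code length, the five-minute lifetime, the entry limit of three and the word list are constructed assumptions, as are the class and function names.

```python
# Added example (not Check Point's code): a model of one DynamicID challenge with
# a match word, a resend limit and a code-entry limit. Code length, lifetime, the
# entry limit and the word list are constructed assumptions, not values from the
# product documentation.
import hmac
import secrets
import time

MATCH_WORDS = ("harbor", "copper", "meadow", "falcon", "ember", "summit")  # constructed


class ChallengeLocked(Exception):
    """The user exceeded the resend limit or the code-entry limit."""


class DynamicIDChallenge:
    def __init__(self, destinations, max_resend=3, max_attempts=3, ttl_seconds=300, now=time.time):
        self.destinations = list(destinations)  # phone numbers / addresses from the directory
        self.max_resend = max_resend            # smsMaxResendRetries (page default: 3)
        self.max_attempts = max_attempts        # wrong-code entries before lockout (assumed 3)
        self.ttl = ttl_seconds                  # code lifetime in seconds (assumed)
        self._now = now                         # injectable clock so expiry can be tested
        self.match_word = secrets.choice(MATCH_WORDS)  # shown on the login page
        self.resends = 0
        self.attempts = 0
        self.locked = False
        self.sent = []                          # constructed outbox: (destination, message)
        self._code = None
        self._issued_at = 0.0
        self._send(self.destinations[0])        # the first message goes out with the challenge

    def _send(self, destination):
        # A fresh code on every send; the previous code is no longer accepted.
        self._code = f"{secrets.randbelow(10**6):06d}"
        self._issued_at = self._now()
        self.sent.append((destination, f"{self.match_word}: your verification code is {self._code}"))

    def resend(self, destination_index=0):
        """The 'I didn't get the verification code' path, bounded by the resend limit."""
        if self.locked:
            raise ChallengeLocked("portal access locked")
        if self.resends >= self.max_resend:
            self.locked = True
            raise ChallengeLocked("resend limit reached")
        self.resends += 1
        self._send(self.destinations[destination_index])

    def verify(self, submitted):
        """Check a submitted code; expired, reused or wrong codes count as failed attempts."""
        if self.locked:
            raise ChallengeLocked("portal access locked")
        self.attempts += 1
        fresh = self._code is not None and self._now() - self._issued_at <= self.ttl
        if fresh and hmac.compare_digest(submitted, self._code):
            self._code = None                   # single use
            return True
        if self.attempts >= self.max_attempts:
            self.locked = True
            raise ChallengeLocked("code entry limit reached")
        return False


def messages_for(inbox, match_word):
    """User side of Match Word: keep only the messages carrying the word shown on the login page."""
    return [m for m in inbox if m.startswith(match_word + ":")]


if __name__ == "__main__":
    # Constructed directory entries for a demonstration run.
    challenge = DynamicIDChallenge(["+1 555 010 2368", "alice@example.test"])
    print("login page shows match word:", challenge.match_word)
    for destination, message in challenge.sent:
        print(f"to {destination}: {message}")
```

Both limits are enforced server-side and independently: the resend counter and the entry counter each lock the challenge on their own, which is what keeps a lost or delayed message from turning into an unbounded number of sent codes or guesses.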

Two-Factor Authentication per Security Gateway

  1. Configure basic Two-Factor Authentication.

    See Basic DynamicID Configuration for SMS or Email.

  2. For each Security Gateway, in the Security Gateway Properties, go to Gateway Properties > Mobile Access > Authentication.

  3. Configure one of these options:

    • To use the global settings - Select Global settings. The settings configured on the Authentication to Gateway page of the Mobile Access tab are used. This is the default.

    • To turn off two-factor authentication for the gateway - Select Custom Settings for this Gateway and click Configure. In the window that opens, do not select the check box. This turns off two-factor authentication for this Security Gateway.

    • To activate two-factor authentication for the gateway with custom settings - Select Custom Settings for this Gateway and click Configure. In the window that opens, select the check box. You must then configure custom SMS Provider Credentials for this Security Gateway. Optionally, configure Advanced options.

  4. Repeat Step 2 and Step 3 for all other Security Gateways.

  5. Install the Access Control policy.

Two-Factor Authentication per Application

To configure two-factor authentication per application:

  1. In SmartConsole, select Security Policies > Shared Policies > Mobile Access and click Open Mobile Access Policy in SmartDashboard.

    SmartDashboard opens and shows the Mobile Access tab.

  2. Configure basic two-factor authentication (see Basic DynamicID Configuration for SMS or Email).

    1. Configure the phone directory.

    2. Configure the application settings in Mobile Access tab > Authentication.

    3. Configure the Mobile Access Security Gateways to let the mobile devices use DynamicID.

  3. Configure the Mobile Access Applications.

    1. In the Protection Level window, from the navigation tree click Authentication.

    2. Select User must successfully authenticate via SMS.

    3. Click OK.

  4. Assign the Protection Level to the Mobile Access applications that require two-factor authentication.

  5. Click Save.

  6. Close SmartDashboard.

  7. In SmartConsole, install the Access Control policy.

Changing the SMS Provider Certificates and Protocol

By default, communication with the SMS provider uses the secure HTTPS protocol, which is the recommended setting. Mobile Access also validates the provider's server certificate against a predefined bundle of trusted CAs.

If your SMS provider uses a non-trusted server certificate you can do one of the following:

  • Add the server certificate issuer to the trusted CA bundle in $FWDIR/database/{} and run this command in the Expert mode:

    $CVPNDIR/bin/rehash_ca_bundle

  • Ignore the server certificate validation by editing the $CVPNDIR/conf/cvpnd.C file and replacing the "SmsWebClientProcArgs" value with ("-k").

If your SMS provider is working with the non-secure HTTP protocol, edit the file $CVPNDIR/conf/cvpnd.C and replace the "SmsWebClientProcArgs" value with ("").