SINGLE CONNECT
Admin Guide
5 Two-Factor Authentication
This section describes how to configure two-factor authentication.

Enable OTP

To activate the 2FA feature on a user group, follow the steps below:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > 2FA Provisioning.
3. Open the “User Group Management” tab.
4. Click the “Enable OTP” button of the user group.

Hardware Token Management

Single Connect users can use a hardware token in addition to SMS and the mobile application for 2FA. In this case, system admins should import the hardware token seeds to Single Connect.

To import hardware token seeds and assign a hardware token to users:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > 2FA Provisioning > Hardware Token Management.
3. Enter the serial number and base32 seed number of the hardware token, the username of the user it is assigned to, and the TOTP algorithm.
4. Save the configuration to activate the hardware token.

System admins can delete the assignment of an existing hardware token and delete a hardware token from the inventory.

Hardware Token Bulk Import

To bulk import hardware tokens into the Single Connect inventory, follow the steps below:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > 2FA Provisioning > Hardware Token Management.
3. Download the template and fill in the downloaded form.
4. Upload the file to Single Connect.
5. Click the “Import Token” button to import the hardware tokens.

Assign Hardware Token

Users can assign tokens that have not been assigned to someone before. User access to this menu should be restricted by the portal functions rules.

To assign hardware tokens, users should follow the steps below:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > 2FA Provisioning > Assign Hardware Token.
3. Enter the serial number of the hardware token.
4. Save the configuration.

OTP System Configuration for Single Connect Web GUI

To activate OTP for the Single Connect GUI login, follow the steps below:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > System Config Man.
3. Set the required parameters:
   - sc portal otp enabled=true (one time password enabled for GUI login)
   - otp rest url= http://127.0.0.1

Note: The REST URL should be set as the Single Connect public IP and port.

OTP System Configuration for SSH Proxy

Please consult Kron Technical Support (https //sc support@kron.com, epdestek@kron.com.tr).

OTP System Configuration for RDP Proxy

To activate OTP for an RDP connection to a target device, follow the steps below:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > System Config Man.
3. Set the required parameters as:
   - sc rdp connection otp enabled=true: one time password enabled for RDP connections.
   - sc rdp otp cache enabled=true: if the cache parameter is activated, the user will not be asked for an OTP during the cache duration after entering an OTP.
   - sc rdp otp cache seconds=240: cache time in seconds.

Offline/Online Mode Settings

To adjust the 2FA offline/online settings, follow the steps below:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > System Config Man.
3. Enter “2fa” in the “Parameter Name” field and click the search button.
4. Set the value of the “iga 2fa token create count, iga 2fa token timestep” parameters.

SMS Settings

To adjust the 2FA SMS settings, follow the steps below:

1. Log in to the Single Connect web GUI.
2. Navigate to Administration > System Config Man.
3. Enter “2fa” in the “Parameter Name” field and click the search button.
4. Set the value of the “iga 2fa sms http body, iga 2fa sms http headers, iga 2fa sms http secret body, iga 2fa sms http url, iga 2fa token create count, iga 2fa token timestep” parameters.

2FA Configuration for VPN Services

Two options are available for VPN 2FA support:

1. Both the first authentication (with username and password) and the secondary authentication (with OTP) are provided via Single Connect. To activate this feature, define the VPN device according to enable OTP on the user group (navigate to Administration > 2FA Provisioning > User Group Management).
2. Only the second authentication with OTP is provided via Single Connect. To activate this feature, define the VPN device in Single Connect and define the device group realm with related users (see ). Define the element type property in the element type of the VPN device:
   i. Log in to the Single Connect web GUI.
   ii. Navigate to Device Management > Element Type.
   iii. Click the options button of the element type and select Show Properties.
   iv. Set the “radius auth only token enabled” property with the value “true”.
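
A pre-import check for the hardware token seeds described in this section, as an added example that is not part of Single Connect or its documentation: it rejects duplicate serials, invalid base32 and seeds under 128 bits, and computes the RFC 6238 TOTP code so a seed can be compared with the code shown on the physical token. The CSV column names, the algorithm names and the sample rows are assumptions constructed for illustration, not the layout of the Single Connect import template.

```python
import base64, binascii, csv, hashlib, hmac, io, struct

# Constructed sample rows; column names are assumptions, not the real template layout.
SAMPLE_CSV = """serial,seed_base32,username,algorithm
TKN0001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,alice,SHA1
TKN0002,GEZDGNBVGY3TQOJQ,bob,SHA1
TKN0003,NOT*BASE32,carol,SHA1
TKN0001,GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,dave,SHA1
"""

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
MIN_SEED_BYTES = 16  # RFC 4226: shared secret must be at least 128 bits

def decode_seed(seed_b32):
    """Decode a base32 seed, tolerating spaces, lower case and missing padding."""
    s = seed_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(seed, unix_time, step=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP code for the given seed bytes at the given Unix time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(seed, counter, HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_rows(csv_text):
    """Return (valid_rows, errors) for a seed file before it is imported."""
    valid, errors, seen = [], [], set()
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        serial, algorithm = row["serial"].strip(), row["algorithm"].strip().upper()
        seed, problem = None, None
        if serial in seen:
            problem = "duplicate serial number"
        elif algorithm not in HASHES:
            problem = "unsupported TOTP algorithm"
        else:
            try:
                seed = decode_seed(row["seed_base32"])
                if len(seed) < MIN_SEED_BYTES:
                    problem = "seed shorter than 128 bits"
            except (binascii.Error, ValueError):
                problem = "seed is not valid base32"
        seen.add(serial)
        if problem:
            errors.append((line_no, serial, problem))
        else:
            valid.append((serial, row["username"].strip(), algorithm, seed))
    return valid, errors
```

Calling `totp(seed, time.time())` for a valid row and comparing the result with the token's display confirms that the serial number and seed belong together before the file is uploaded. The seed file is the shared secret for every listed token, so it should be handled and deleted accordingly.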