While classic OTP (TOTP in particular) remains the industry standard for two-factor authentication and is supported out of the box by the majority of VPN clients, there are not many products that can leverage FIDO keys for securing VPN access. Most of the current solutions marketed as supporting FIDO and FIDO2 keys actually use the OTP functionality of the security keys: most USB FIDO keys, in addition to their U2F and/or WebAuthn features, also carry a separate module that can generate OTP codes, i.e. HOTP by pressing a button, or TOTP via a companion app. This may look like a FIDO solution, but it is still an OTP-based approach. While OTP solutions are still secure, using the main features of FIDO keys (the FIDO2/WebAuthn and U2F challenge-response protocols) to protect VPN access can improve security even further. In addition to FIDO security keys, we also see single sign-on via Azure AD as a critical feature to offer.
To address these gaps, TOKEN2 has introduced an additional feature, called VPN Portal, as part of its TOTPRadius solution, to provide VPN access beyond classic TOTP authentication: FIDO security keys and Azure AD OAuth2-based single sign-on (SSO).
The FIDO VPN Portal solution works with both FIDO2 and FIDO keys (a WebAuthn implementation with fallback to U2F for older keys), with the option to enable a passwordless method (FIDO2 only), and works via modern web browsers that support FIDO key authentication.
The OAuth2 Portal leverages the Azure AD OAuth2 SSO option and extends the login procedure users are already familiar with to the VPN connectivity procedure. If a user has previously logged on to any M365 resource using the same Azure AD account, the OAuth2 login is automatic and the user is not asked to log in again to use the VPN Portal.
No special VPN client installation is required, although we will be releasing VPN helper apps to simplify the user experience and make the process as fast as possible; one click will be enough to establish a VPN link. The VPN Portal supports systems relying on standard VPN protocols (L2TP and L2TP/IPsec), such as Meraki Client VPN and Fortinet VPN solutions.
FIDO VPN Interface
- Classic 2FA or passwordless login
- FIDO2 and FIDO (U2F) hardware support
- Self-enrollment using LDAP or local passwords
OAuth2 VPN Interface
- Simple configuration in Azure AD
- Seamless user login experience (SSO)
- Azure AD controlled access restrictions