TOTPRadius - TOTP Self-service enrollment methods
If you have many users, manually configuring the second factor for each of them can be quite cumbersome. TOTPRadius offers two self-service enrollment methods that use LDAP authentication for the initial setup.
Both methods described below rely on LDAP to identify the user, so a correctly configured LDAP connection is a prerequisite. You can specify your LDAP or LDAPS server (or servers) by navigating to Admin Panel and then selecting LDAP Settings.
Please note that the first parameter (LDAP) only controls the LDAP proxy mode of TOTPRadius, not the LDAP enrollment portals. The enrollment portals are controlled by the "Allow LDAP enrollment" and "Allow LDAP web enrollment" settings described further in this guide.
LDAP Enrollment (legacy)
This option enables the legacy LDAP self-service enrollment portal, accessible inside your LAN (it is hosted on the same web interface as the TOTPRadius web admin page). While it is still fully functional, it lacks the new features that are available in the new internet-facing self-service portal (explained in the next section). By default the legacy LDAP portal redirects to the new portal ("/vpn/ldap/", controlled by the "Ldap web url redirect" parameter). The only use case for keeping the legacy portal accessible is allowing TOTP app re-enrollment, which is not possible on the internet-facing LDAP portal.
LDAP web enrollment
The new portal allows enrollment from an external (public internet-facing) Web VPN portal. Only initial enrollment is allowed there; changing the TOTP secret is possible from the internal LDAP enrollment page or from the admin portal.
The enrollment process is described below:
Enrolling software tokens
- Install a TOTP mobile app on your smartphone. You can use any TOTP-compliant mobile authenticator, such as Google Authenticator, Microsoft Authenticator, Token2 TOTP+, FreeOTP and others
- Scan the QR code shown on the enrollment page with the TOTP mobile app, then enter the OTP code generated by the app in the verification field. Click the 'verify OTP' button to complete the process
Enrolling hardware tokens
In addition to software token enrollment, the new portal also allows hardware token enrollment. The enrollment process is described below:
- Your administrator has to import the hardware tokens into the database before you can enroll your token
- The serial number is laser-engraved on the back of your token device. Enter the serial number exactly as it appears, without spaces or other non-numeric symbols
- Press the button on the token and enter the 6-digit code into the OTP field
- Important: only TOTP hardware tokens with a 30-second time step and 6-digit OTPs are supported
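As an added illustration (not TOTPRadius code), this is the check a self-service portal performs at the 'verify OTP' step for both the software-token QR enrollment and the hardware-token path above: it builds the otpauth URI that the enrollment QR code carries, computes RFC 6238 TOTP with the 30-second step and 6 digits the page requires, and accepts the submitted code with a one-step tolerance for hardware clock drift. Function names, the issuer label and the window size are assumptions; the secret is the RFC 6238 test-vector key.

```python
import base64, hashlib, hmac, re, struct
from urllib.parse import quote

STEP = 30    # time step in seconds (page: 30-second tokens only)
DIGITS = 6   # OTP length (page: 6-digit OTPs only)

# RFC 4226/6238 test key "12345678901234567890", base32-encoded (known vector, not a real secret)
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def provisioning_uri(secret_b32: str, user: str, issuer: str = "TOTPRadius") -> str:
    """otpauth:// URI encoded into the enrollment QR code (Key Uri Format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP}")

def totp(secret_b32: str, counter: int) -> str:
    """RFC 6238 TOTP for one time-step counter (HMAC-SHA1 + dynamic truncation)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_enrollment_otp(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Check the code typed into the 'verify OTP' field against the stored secret.
    Exactly DIGITS digits are required; +/- `window` steps tolerate token clock drift."""
    if not re.fullmatch(r"\d{%d}" % DIGITS, submitted):
        return False
    counter = now // STEP
    return any(hmac.compare_digest(totp(secret_b32, counter + d), submitted)
               for d in range(-window, window + 1))

def valid_serial(serial: str) -> bool:
    """Serial must be entered exactly as engraved: digits only, no spaces or symbols."""
    return re.fullmatch(r"\d+", serial) is not None

if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "alice@example.com"))
    print(totp(DEMO_SECRET, 59 // STEP))            # "287082" per RFC 6238 vectors
    print(verify_enrollment_otp(DEMO_SECRET, "287082", 59))
```

A production portal would additionally bind the verified secret to the LDAP-authenticated user and refuse a second enrollment on the internet-facing path, as the text above describes.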