OTP 2FA OMG

With users working from home, sales reps needing to access backend systems, engineers updating systems on a customer's infrastructure and many more reasons for users not to be in an office, VPN has become extremely common in today's work environment. 

A security admin's task is to ensure all these connections are secure while not hindering people's ability to work. Ensuring a sufficiently secure encryption protocol is one thing ,(you don't want an md5 - 3DES tunnel), but it doesn't stop there. 

Even the most rigid encryption algorythms can easily be bypassed if the password that's used to establish the tunnel is guessed ('123456' and 'password' are still the most widely used passwords, has no one seen Hackers?)

Requiring users to remember 256-character long passwords, including wingdings characters, is also not an option. One solution is to introduce Multifactor Authentication where users add a PIN to their password or, even better, use only One Time Passwords (OTP) to authenticate to GlobalProtect.

SivasekharanRajasekaran ( @srajasekar ), a Senior Technical Engineer with Palo Alto Networks, wrote a really cool article on how to set up OTP based 2FA using RADIUS or SAML so you have full freedom of choice when picking which OTP provider suits your needs best.

You can read up on the implementation here:

GlobalProtect: One Time Password based Two Factor Authentication

Feel free to leave remarks or questions in the comments below.

Stay secure!

Reaper out!