Introduction
Jurisdictions around the world are requiring that mission-critical infrastructure enable multi-factor authentication (MFA) for many tasks – in particular, for administrative access to systems deemed mission-critical or holding sensitive data. This section describes how to set up MFA for the StrongKey Tellaro appliance.
While there are many ways to meet this requirement, StrongKey focuses on leveraging the following components to enable MFA:
- Username
- Password (a secret – “something you know”)
- PIN (personal identification number – another secret – “something you know”)
- Cryptographic hardware device (a Security Key - “something you have”)
- Optionally, a biometric template (“something you are”)
Depending on the degree of risk that must be managed, customers may choose to combine many of these factors to authenticate humans to a system before authorizing them to perform administrative functions.
Capabilities
- PAM-Console Login: This use-case configures a FIDO Security Key to authenticate to the console of the StrongKey Tellaro appliance - whether the console is displaying a graphic login screen or a text login prompt. The user attempting to authenticate to the appliance must be present in front of the machine, and must have the Security Key to be able to successfully configure and test this use-case.
- OpenSSH Login: This use-case configures a FIDO Security Key to support MFA authentication to a remote StrongKey Tellaro appliance using the Secure Shell (SSH) protocol. The StrongKey Tellaro appliance, functioning as the SSH server, does not require any Security Key related configuration - the MFA capability for this use-case is enabled on the client side of the SSH session.
- TLS ClientAuth: This use-case configures a FIDO Security Key to support MFA authentication to a remote StrongKey Tellaro appliance using the TLS Client Authentication (ClientAuth) protocol. This is useful when restricting access to the graphical console of the Payara Application Server on the appliance. The administrator must have an X509 digital certificate from a trusted CA that will be used to enable the MFA capability for this use-case.
- OpenVPN Authentication: This use-case configures a FIDO Security Key to support MFA authentication to a remote StrongKey Tellaro appliance using the OpenVPN protocol. This is useful when enabling remote access to the StrongKey Tellaro appliance over a virtual private network. The administrator must have an X509 digital certificate from a trusted CA that will be used to enable the MFA capability for this use-case.
- FIDO Authentication: This use-case is the standard FIDO use-case for the Security Key. Unless the Security Key has a PIN or biometric capability enabled, nothing needs to be done on the client side to use this feature to enable MFA authentication to a FIDO-enabled web-application (see StrongKey Demos).
Tested MFA Configurations
StrongKey generally supports all FIDO Certified Security Keys when used for FIDO Registration and FIDO Authentication with the StrongKey FIDO Server (SKFS). However, not all Security Keys support non-FIDO use-cases for MFA access to various applications. Where specific Security Keys support MFA use-cases for non-FIDO operations, StrongKey has tested and documented how to configure them for use with the StrongKey Tellaro appliance. Please see the tested configurations below to enable MFA strong authentication (current as of September 2023).
| Security Key | Console | OpenSSH | TLS ClientAuth | OpenVPN | FIDO Registration |
|---|---|---|---|---|---|
| GoTrust Idem Key Plus | ✓ | ✓ | ✓ | ✓ | ✓ |
| TrustKey Solutions | ✓ | ✓ | | | ✓ |
| Yubico Yubikey | ✓ | ✓ | ✓ | ✓ | ✓ |
Not all models work with tested capabilities. Refer to this page for more information.