TOTP (SNS 2FA)
The 2FA authentication method, which uses time-based one-time passwords (TOTP), increases the security of authentications that the firewall manages.
This additional step to protect access is built into the firewall and does not require any third-party TOTP solution. Users who authenticate with an SNS TOTP only need to use an application on their smartphones or in their browsers to generate TOTPs.
The advantage of this method is that it can be enabled for all types of authentication: captive portal, SSL VPN tunnel, web administration interface, console or SSH connections and IPsec/Xauth VPN tunnels.
Since this 2FA method is built into each firewall, users must use as many TOTPs as the number of firewalls to which they must connect.
Stormshield strongly recommends that you enable NTP time synchronization for the firewall by selecting Synchronize firewall time (NTP), and by specifying the NTP servers (System module > Configuration > General configuration tab ).
Time-based one-time password (TOTP)
Select the authentication methods that the firewall manages and which will use TOTP.
The possible types of authentication are:
- Captive portal,
- SSL VPN tunnels,
- Web administration interface,
TOTP code settings
This information will be presented on the firewall’s captive portal during the user’s TOTP enrollment.
|Issuer||Specify the issuer of the TOTP (e.g., the name of your company).
The default value is Stormshield Network Security.
Customize the TOTP user enrollment message
|Message to display (max. 1024 characters)||You can set the message (optional) that will be shown on the firewall’s captive portal during the user’s TOTP enrollment.
Enter this message in the text field within the limit of 1024 characters.
If you are using Google Authenticator or Microsoft Authenticator, changing these settings will prevent TOTP authentication from functioning.
|Lifetime (s)||Specify the validity period of a TOTP.
The user’s application will automatically generate a new TOTP when this period expires.
The default value is 30 seconds.
|Code size||Indicate the length (number of characters) of generated TOTPs.
The default value suggested is 6.
|Number of valid codes before and after current code||When the time on the firewall and the device that hosts the TOTP code generator (e.g., smart phone or computer) is slightly desynchronized, or to give the user a reasonable time frame to enter the code, this option allows you to specify how many codes generated before or after the currently valid code will be considered valid and accepted for authentication.
Select the hash algorithm used when generating TOTPs.
The default value is SHA1.
The two buttons found in this section allow you to perform operations on the database of users who have completed TOTP enrollment.
|Reset the TOTP database||
Clicking on this button will reset the entire database of users who have completed their TOTP enrollment.
If you wish to reset the entire TOTP database:
|Show TOTP orphans||
Orphan users are those found in the TOTP database but cannot be found in the LDAP directories configured on the firewall, and who last used a TOTP at least 3 months ago.
This button makes it possible to show orphan users and delete them from the TOTP database (deletes all TOTP orphans).
If you wish to show the orphan users found in the TOTP database:
To delete all the orphan users listed in this grid:
To quit the grid without deleting orphan users, click on Cancel.