Enhanced Login 2FA With Duo Security

ProtectNow! Support
  • Updated
Follow

This article shows you how to use Duo Security to enhance SSProtect Login.

Introduction

SSProtect is empowered to make extensive use of two-factor authentication: 

  • When you Log In with the :Foundation Client
  • When you protect or access a managed file
  • When you protect or access a managed email message
  • When you perform a Management task
  • When you perform an Administrative task

Login Gates

A, "login gate" is a term we use for 2FA applied to Login, but not used thereafter. This so-called Login Gate, "unlocks" access to a potentially large amount of sensitive information while the Login Session remains active. During that time, an attacker lying in wait can attempt to Impersonate the Authenticated User to access and/ or exfiltrate, "unlocked" material.

Login and Task 2FA

SSProtect uses a Login Session to establish (and authorize) your Identity. Login requires a Username and Password, and can be extended with 2FA using Duo Security, the subject of this article. Subsequent user activities utilize your Login Session Identity along with Hardware 2FA or Software Simulation to keep attackers lying in wait from easily Impersonating the User who has already provided 2FA credentials. The use of a physical presence component for Hardware 2FA complicates a remote attacker's challenge.

SSProtect 2FA Types

SSProtect supports three methods of 2FA:

  • Third-party 2FA services for Login, today using Duo Security
  • OATH-based USB Hardware Tokens for Task-Specific 2FA
  • Software-generated RFC 4226 HMAC-based OTPs (OATH) for Task-Specific 2FA

SSProtect tasks require 2FA in some form, all the time, since it's built directly into all related layers of system processing. Software-generated HMAC-based One-Time Passwords facilitate immediate deployment and use, commonly for evaluation or while provisioning 2nd factor tokens for long-term use.

Once you choose an OATH-compatible solution, our team will work with you to acquire, program, and distribute hardware since each has its' own facilities that can be used to simplify the process. Most often, procedures make use of import/export to reduce repetition.

Enhanced Login 2FA using Duo Security

SSProtect integrates directly with Duo Security's cloud-based authentication solution to provide 2FA when establishing a Login Session. Duo Security provides a feature-rich authentication capability supporting multiple tokens for a single user, group management, policy-based authentication (including geo-fencing), endpoint technology patch management, and additional services that are complementary to SSProtect's data protection capabilities.

Administrators: Link SSProtect and Duo Security

Individual Account holders can configure Enhanced Login 2FA for their own Account, while Organizations have to be configured by the one and only Organization Administrator. The latter applies to all Users in the Organization, though individual Accounts can be configured to disable Enhanced Login 2FA as described later in this article.

Configuration, however, is the same for both Roles:

  • Open a Web Browser and navigate to Duo Security's management portal
  • Log In to your Organization's Duo Security Account.*
  • From the Duo Security Administrator Dashboard, choose Applications
  • On the Applications page, choose Protect an Application
  • Scroll down to Auth API and choose Protect

* Choosing a Duo Security Account name that matches your SSProtect Account email address can lead to confusion.

The Duo Security Auth API configuration displays the identity, key, and host information you will enter into SSProtect:

  • Click the SSProtect notification icon, then choose Administer Resources
  • Choose Configure in the Duo Security Login 2FA control group
  • Use Auth API for the SSProtect IKeySKey, and Host configuration

Login2FA.png

Finish setting up Duo Security Login 2FA as follows: 

  • In SSProtect, check Mobile for Login to enable Duo Push for Login 2FA
  • ​In SSProtect, choose Enable which will Save and apply changes
  • In the Duo Security Application page, complete the Auth API configuration
  • In the Duo Security Application page, scroll down to choose Save

This enables Duo Security Login 2FA for Individual Account holders and, for an Organization, for all Organization Users (that are not disabled; see below).

Users: 1st Time Self-Service Configuration - Provisioning

After you complete the previous Administrative procedure, affected Users will be redirected to final configuration during their next subsequent SSProtect Login (as a result of checking Mobile for Login):

ac-2.png

No will return to the Login prompt; Yes will redirect to the Duo Security self-service setup, shown below:

ac-3.png

NOTE: This (and other) Duo Security web pages may change from what's shown here.

SSProtect requires a Duo Push device for Enhanced Login 2FA:

  • Choose Start setup to begin
  • In What type of device are you adding,? choose Mobile Phone - Continue
  • Enter your phone number, acknowledge it's correct (with the checkbox) - Continue
  • Choose the type of mobile phone you're using - Continue
  • Install the Duo Mobile App from your provider's Store, then click I have Duo Mobile installed
  • Follow the instructions to Activate Duo Mobile (shown here for iOS) - Continue

DuoMobileActivated.png

  • Choose Automatically send this device a Duo Push for When I log in - Finish Enrollment

DuoProcess.png

You should then see the Enrollment Successful screen:

DuoSuccess.png

Return to SSProtect (click the icon in the notification tray) and Log In: you should receive a Duo Push notification and, when you acknowledge the notification on your phone, SSProtect Login will proceed.

Administrators: Disabling Enhanced Login 2FA

Privileged Organization Users can disable Enhanced Login 2FA for individual Accounts as follows: 

  • From the SSProtect notification icon, choose Administer Users/ Manage
  • Choose the target User you wish modify, then choose Edit
  • When Org Enh2FA is checked, your Account is configured to use Enhanced Login 2FA
  • Check Ignore Enh2FA to disable this process for the target Account
  • Choose Save

Note that this differs from the Auto Soft fg2FA setting, which manages Task-Specific 2FA referenced at the beginning of this article.

Under the Covers with Enhanced Login 2FA

When you Log In to SSProtect, your password, along with additional identifying information, gets packaged in a protected manner and delivered to KODiAC Cloud Services for authentication and authorization. KODiAC recognizes that your Account is protected by Duo Security 2nd-factor services as a result of the Administrative configuration noted above, and as a result (from the cloud) dispatches an authentication request to Duo Security cloud servers. These requests lookup your individual Duo Security configuration and query for the first configured Duo Push device.

If a Duo Push device is not found, an error is returned and routed through KODiAC to your :Foundation Client where you receive a visual error message followed by Login failure.

On the other hand, when a Duo Push device is found, Duo Security dispatches the Push authentication request that you can respond to using the Duo Security app on your phone (installed while Provisioning services, noted above). Once you acknowledge the request to permit access, KODiAC processes the Duo Security response, establishes your Login Session, and returns results to your :Foundation Client.

In most cases, you'll receive the Push Notification on your phone within a couple seconds, though once in awhile it will take a bit longer. The :Foundation Client is however programmed to increase the internal Login timeout to take this into account.

Considerations

Make note of the following Considerations when using Duo Security Enhanced Login 2FA:

  1. When you directly access SSProtect'd content without an established Login Session, the :Foundation Client prompts you with the Login dialog to acquire credentials and proceed. When using Enhanced Login 2FA, bear in mind that the processing delay may cause the associated application to, "give up" (exceed its load timeout) and fail. For example, you double-click a protected .docx file from File Explorer and forget that you left your phone in the other room. By the time you pick it up and acknowledge the Login prompt, Word may have failed to load. You can of course double-click the .docx file again, but it's worth keeping in mind. This of course won't apply to subsequent operations while your Login Session remains active.
  2. If you need to change/ reset your Duo Security Auth API Application keys, remember to first disable the SSProtect Enhanced Login 2FA configuration. You'll want to do this for the Organization Administrator (unless you're using an Individual Account). Navigate to Administer Resources from the notification icon, choose Configure, then either choose Disable or uncheck Mobile for Login then Save.
  3. Make sure to take full advantage of the features Duo Security provides, especially geo-fencing and user-based policy controls. These facilities significantly increase the overall effectiveness of SSProtect - the two operating together offer a formidable protective profile.

Additional Resources

You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.

In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate. 

This article was updated w/ v10.8.5 of the :Foundation Client