PhoneFactor offers an easy to implement and inexpensive solution for IT groups that want to implement two-factor mobile phone based authentication without the overhead of physical tokens and licensing.

PhoneFactor is free for up to 25 users and reasonably priced after that. The beauty of PhoneFactor is that it utilizes something users already have - a mobile phone - as a token rather than a proprietary device.

PhoneFactor Agent, the software behind the service, acts as a RADIUS server for authentication to network resources such as a VPN. When a user attempts authentication, he will still first be prompted for a user name and password. After he enters those details, the service will place a call to his phone and require the user to answer the call and press the “#” button. Once this is completed, the user is successfully authenticated.

In this tutorial we will install the Agent on Windows Server 2008 R2, integrate with Active Directory, link a few user accounts, and set up a RADIUS server.

Getting started ^

You can download the PhoneFactor Agent after registering here. You will need a mobile phone to register since PhoneFactor utilizes their own system on their customer portal. Run the installer and launch the PhoneFactor Agent. You will be greeted by the Authentication Configuration Wizard, where you can:

  • Enable replication between agents: Allows you to replicate data between multiple installations. Since we are only installing it on one server, do not check.
  • Select Applications: You can apply PhoneFactor to a variety of applications, including Citrix, Outlook Web Access, and Remote Desktop. For our purposes, we will only choose VPN.
  • VPN with Radius: Specify your VPN server IP address as well as a strong shared secret between the VPN server and PhoneFactor. Leave the default port options as-is.
  • VPN Target: Since we want to authenticate against a Windows domain, we will choose Windows domain. However you can also use another RADIUS server (some firewalls have built-in RADIUS servers, so you can redirect back to the firewall).

Mobile phone two-factor authenciation - Phonefactor Agent Configuration

Phonefactor Agent Configuration

Click Finish and let PhoneFactor do its magic. Once the setup is complete, you can begin using the Agent.

Locking down PhoneFactor ^

By default, PhoneFactor will allow any user who successfully authenticates against AD to sign in - if no user is defined (and no phone number is linked), it will just authenticate the user. In most cases, you would not want this to happen. Navigate to Company Setup and choose “Fail Authentication” when user is disabled.

Mobile phone two-factor authenication - Fail authentication

Fail authentication

We will also want to specify a default search domain for AD users. Choose the “Username Resolution” tab and specify a default search domain for the option “Use Windows security identifiers (SIDs) for matching usernames.”

Mobile phone two-factor authentication - security identifiers (SID)

Security identifiers (SIDs)

Finally, if your Active Directory user account setup is non-standard, you should navigate to Directory Integration and confirm in the “Filters” and “Attributes” tabs that the data fields you wish to use are the ones that PhoneFactor will use. Most administrators will not need to do this.

Mobile phone two-factor authenication - Directory Integration

Directory Integration

Adding users ^

Now we can begin adding users to our PhoneFactor implementation. Because of our previous setup, only users who have been added to PhoneFactor with a phone number defined will be able to authenticate successfully against AD. After all, not all users will require remote access. Navigate to the Users section and click “Import from Active Directory.”

This powerful interface allows you to select users by OU or filter terms. You can import all users at once - which is not advisable - or specify which ones to import in a granular fashion. The users you have selected will appear in the window on the right. You will notice that by default, “Only New Users with Phone Numbers” are enabled. This is the behavior you want, since users without a phone number will authenticate using only their AD credentials. Once you are ready, click “Import.”

Mobile phone two-factor authentication - Import users

Import users

In many cases, you will not have defined phone numbers yet for your users in Active Directory. This is OK; you will just need to do so now for each authorized user. Double-click the user, then define a phone number and enable the user.

Mobile phone two-factor authentication - Phone number - Enable user

Phone number - Enable user

Finally, you will see your newly-enabled user in the users listing. Once you have defined all of your users, you will need to configure your VPN server to authenticate using RADIUS.

Mobile phone two-factor authenication - User listing

User listing

VPN Server Configuration with PhoneFactor RADIUS ^

Since there are so many VPN servers out there, we will focus on a few general tips for setting this up. You will typically need to provide:

  • PhoneFactor Agent IP
  • PhoneFactor Agent Ports: Typically, 1645,1812 for authentication and 1646,1813 for accounting. Make sure the firewall on your Agent server does not block this traffic
  • Shared Secret: This is the secret you had defined in the wizard and it should be strong since it will serve as a barrier between your VPN server and the RADIUS server.
  • Timeout: Make sure you set a fairly high timeout value; by default, most VPN servers do not give you a lot of time to authenticate because the RADIUS server is local to the network and does not take long to perform the lookup. However, since PhoneFactor takes about 3-5 seconds to place the call, and the user can take anywhere from 2-20 seconds to actually respond, I would recommend a timeout of at least 30 seconds.

That’s it! Though PhoneFactor offers more powerful features (especially in paid versions), you are already set up and ready to authenticate. For small businesses with fewer than 25 users, PhoneFactor is a free and easy to implement two-factor authentication solution. Give it a try today!

PhoneFactor ^

1 Comment
  1. Martin9700 11 years ago

    Been using PhoneFactor for about a year on my Terminal Server (no RADIUS) and love it. Very easy to manage and works great. Now has iPhone app too to save call costs–not a huge deal, but when someone travels international that can be a $1 per authentication.

Leave a reply to Martin9700 Click here to cancel the reply

Please enclose code in pre tags

Your email address will not be published.

*

© 4sysops 2006 - 2022

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account