Mobile Application

This scenario applies when the user is configured for Mobile Application OTP and/or Push only, and the RADIUS client is configured to accept Mobile Application OTPs and/or Mobile Application Push authentication.

The user logs in with an OTP generated by the Mobile Application, or by approving a push notification on their Android/iOS mobile device or Android/Apple watch. Note that PIN enforcement is strongly recommended in this configuration: without it, possession of the device is the only factor, and the PIN supplies the second one.

note

PIN-protected Mobile Application

If PIN protection is enabled, the Mobile Application does not reveal whether the entered PIN is correct: it opens with an incorrect PIN as well, so an attacker cannot brute-force the PIN by trial and error against the app. An attacker who unlocks the app with a wrong PIN is granted access, but none of the OTPs it then generates will verify, and after several wrong OTPs the 2FA of the user account that the Mobile Application belongs to is locked automatically. This protection has a pitfall for legitimate users: if a user unlocks the Mobile Application with an incorrect PIN code and then changes the PIN to a new one, all tokens in the Mobile Application become unusable. Such tokens cannot be repaired; the only remedy is to re-provision them to the Mobile Application. Therefore, advise users to test an OTP before changing their PIN code: if the OTP is accepted, it is safe to change the PIN.

Supported PPTP Protocols: PAP, MS-CHAPv2.

Compound Authentication Enforced

This scenario occurs if the RADIUS client is configured to use Compound Authentication. This authentication method is restricted to users who are configured to use the Mobile Application OTPs.

In this scenario, a user logs into the VPN by entering their Active Directory (AD) password, in addition to an OTP generated by the Mobile Application. For example, given an AD password of 'password' and an OTP of '123456', the user enters 'password123456' into the password field of their VPN client.

note

OTPs and Whitespace

OTPs are displayed in the Mobile Application with a space between the 3rd and 4th digits to improve readability. All authentication methods except MS-CHAPv2 strip whitespace from the submitted credential, so with those methods a user may include or omit the space without affecting authentication. MS-CHAPv2 is the exception because the RADIUS server never receives the typed credential, only the client's challenge-response computed from it, so whitespace cannot be normalized on the server side; with MS-CHAPv2 the OTP must be entered without the display space.
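The following is an added example, not the vendor's code, showing what a RADIUS server has to do on the PAP path for the compound method described above: split the single password field into the AD password and the trailing OTP, tolerate the display space in the OTP, verify the OTP as TOTP with a small drift window, and lock the account after repeated wrong OTPs as the PIN-protection note describes. The user directory, the token seed (the RFC 6238 reference seed, so the expected codes are published test vectors) and the lockout threshold are constructed test data; the 6-digit length, 30-second step and lockout count are assumptions, not values taken from the page.

```python
import hashlib
import hmac
import re
import struct

OTP_DIGITS = 6  # assumption: 6-digit OTPs, as in the '123456' example above

# "<AD password><OTP>": the OTP is the trailing six digits and may carry the
# display space ("123 456"); optional whitespace before it is also accepted.
# The AD password itself is left exactly as typed.
_COMPOUND = re.compile(r"(?P<pw>.+?)\s*(?P<otp>\d{3}\s?\d{3})")


def split_compound(credential: str):
    """Return (ad_password, otp) for 'password123 456', or None if no OTP is present."""
    m = _COMPOUND.fullmatch(credential)
    if m is None:
        return None
    return m.group("pw"), "".join(m.group("otp").split())


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, otp: str, now: int, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check, accepting +/- `window` steps of clock drift."""
    otp = "".join(otp.split())  # same whitespace tolerance as the PAP path
    counter = now // step
    ok = False
    for drift in range(-window, window + 1):  # no early return: constant work per call
        ok |= hmac.compare_digest(hotp(secret, counter + drift), otp)
    return ok


class CompoundAuthenticator:
    """Server-side verifier for compound credentials received over PAP.

    `ad_passwords` stands in for an AD bind and `totp_secrets` for the provisioned
    token seeds; both are constructed test data, not a real directory.
    """

    def __init__(self, ad_passwords, totp_secrets, max_otp_failures=5):
        self.ad_passwords = ad_passwords
        self.totp_secrets = totp_secrets
        self.max_otp_failures = max_otp_failures  # assumption: lockout threshold
        self.otp_failures = {}
        self.locked = set()

    def authenticate(self, user: str, credential: str, now: int) -> str:
        if user in self.locked:
            return "locked"
        parts = split_compound(credential)
        if parts is None:
            return "malformed"
        ad_password, otp = parts
        expected = self.ad_passwords.get(user, "")
        if not hmac.compare_digest(ad_password.encode(), expected.encode()):
            return "bad_password"
        if not verify_totp(self.totp_secrets.get(user, b""), otp, now):
            self.otp_failures[user] = self.otp_failures.get(user, 0) + 1
            if self.otp_failures[user] >= self.max_otp_failures:
                self.locked.add(user)  # 2FA lockout after repeated wrong OTPs
            return "bad_otp"
        self.otp_failures[user] = 0
        return "ok"


# Constructed demo data: RFC 6238's reference seed, so at t=59 (counter 1)
# the valid 6-digit code is the published vector "287082".
RFC6238_SEED = b"12345678901234567890"

if __name__ == "__main__":
    demo = CompoundAuthenticator({"alice": "hunter2"}, {"alice": RFC6238_SEED})
    for cred in ("hunter2287082", "hunter2 287 082", "hunter2000000", "hunter2"):
        print(repr(cred), "->", demo.authenticate("alice", cred, now=59))
```

Because the OTP has a fixed length, an AD password that itself ends in digits is split correctly. The same splitting cannot be done for MS-CHAPv2, where the server only sees a challenge-response derived from the whole typed string, which is why the whitespace note above excludes that method.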