DrayTek

Implementing Secure Two-Layer Authentication for Teleworkers and Mobile VPN Users

DrayTek Mobile One-Time Password

Teleworkers or remote users will typically have a password to log into your office VPN. Although this is quick and easy, if the user saves the password on their PC, writes it down somewhere or is seen typing it, your VPN and therefore your network is immediately compromised.

A single password provides just a single layer of security: only one fixed piece of information to crack, intercept or otherwise get hold of, and that piece depends only on the user's memory. Once intercepted, an unauthorised person can log into your VPN whenever they wish. By introducing a second security factor of a different type, you create a two-layer authentication. By a different 'type' we mean that it cannot just be an extra password; it has to be something that relies on a method other than the user's memory.

Your mobile phone as your key

Authentication devices are now commonly used for online banking to provide a second layer of security; instead of just a password held in the user's head, they also require some other real-time method of credential generation. Most commonly that is a small keypad or display unit to be carried around.

With DrayTek Mobile One-Time Passwords (MOTP), instead of carrying around an extra device, you install a program on your mobile phone and that becomes your authentication device. When you initially install the MOTP applet, you create a relationship with your VPN host (router) by entering into the router a unique authentication phrase which the phone generates. You also select a secret PIN. After that, each time you want to log into your VPN you enter your PIN into the phone and it generates your one-time password for that session.

In this way, you need both your phone and your PIN to connect to the VPN, so it is now a two-layer authentication method. Only your own phone will work (unless you pair another phone with the Vigor VPN server). Next time you connect, a different login password will be generated by your phone.
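The enrolment and login sequence described above, modelled as a short added example with both sides (phone and router). This is illustrative code, not DrayTek's applet or firmware. It assumes that MOTP follows the open Mobile-OTP scheme (token = first six hex characters of MD5 over the 10-second epoch slot, the enrolment secret and the PIN); the page does not state the algorithm, and the function and class names are invented for the example. The router side also shows two checks a practitioner would want: tolerance for clock drift between phone and router, and rejection of a token that has already been accepted, since a one-time password that is seen being typed is only safe if it cannot be replayed within the drift window.

```python
"""Two-sided model of a Mobile-OTP style VPN login (added example).

Assumption: the token is computed as in the open Mobile-OTP (mOTP) scheme,
  token = MD5(<epoch seconds // 10> + secret + PIN)[:6]
The page does not state the algorithm; names below are illustrative only.
"""
import hashlib
import hmac
import secrets
import time

SLOT_SECONDS = 10  # the token changes every 10 seconds


def generate_init_secret() -> str:
    """Phone side, at enrolment: the 16-hex-character secret typed into the router."""
    return secrets.token_hex(8)


def motp_token(secret_hex: str, pin: str, epoch_seconds: int) -> str:
    """Phone side: one-time password for the 10-second slot containing epoch_seconds."""
    slot = epoch_seconds // SLOT_SECONDS
    digest = hashlib.md5(f"{slot}{secret_hex}{pin}".encode("ascii")).hexdigest()
    return digest[:6]


class MotpVerifier:
    """Router side: holds the enrolled secret and PIN, tolerates clock drift,
    and refuses to accept the same slot's token twice (replay protection)."""

    def __init__(self, secret_hex: str, pin: str, drift_slots: int = 18):
        self.secret_hex = secret_hex
        self.pin = pin
        self.drift_slots = drift_slots  # 18 slots = plus/minus 3 minutes
        self.used_slots = set()         # slots whose token has already logged in

    def verify(self, token: str, epoch_seconds: int) -> bool:
        token = token.strip().lower()
        if len(token) != 6:
            return False
        base = epoch_seconds // SLOT_SECONDS
        for slot in range(base - self.drift_slots, base + self.drift_slots + 1):
            expected = motp_token(self.secret_hex, self.pin, slot * SLOT_SECONDS)
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(expected, token):
                if slot in self.used_slots:
                    return False  # same token presented again: replay
                self.used_slots.add(slot)
                return True
        return False


def demo() -> dict:
    """Enrol a phone, then try a normal login, a replay, a wrong PIN and a stale token."""
    secret = generate_init_secret()     # shown on the phone, typed into the router
    pin = "1234"                        # chosen by the user, known to phone and router
    router = MotpVerifier(secret, pin)
    now = int(time.time())
    token = motp_token(secret, pin, now)
    return {
        "first_login": router.verify(token, now),                      # True
        "replay": router.verify(token, now + 15),                      # False
        "wrong_pin": router.verify(motp_token(secret, "0000", now + 60), now + 60),  # False
        "stale": router.verify(motp_token(secret, pin, now - 3600), now),           # False
    }


if __name__ == "__main__":
    print(demo())
```

The drift window is the usual trade-off: wide enough that a phone whose clock is a couple of minutes out still works, narrow enough that an observed token is useless shortly afterwards; the used-slot record closes the remaining gap inside the window.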

The One-Time Password program is Java-based and can be installed on most modern mobile phones, including Nokia, Apple iPhone and Palm. The One-Time Password feature can be used for any type of teleworker dial-in VPN: SSL, IPSec, L2TP or PPTP. There is no cost for the phone applet, and it can be downloaded directly to the phone if your phone has Internet access.

iPhone setup for MOTP

There are no per-user licensing costs for MOTP on the DrayTek routers; the facility is currently available on the Vigor 2960, with support for other models to be added soon.