Two Factor Authentication (2FA) for VPN with Mobile One-Time Passwords (MOTP)


Implementing Secure Two-Layer Authentication for Teleworkers and mobile VPN users

Teleworkers or remote users will typically have a password to log into your office VPN. Although this is quick and easy, if the user saves the password on their PC, writes it down somewhere or are seen typing it, your VPN and therefore your network is immediately compromised.

A single password provides just a single layer of security; only one fixed piece of information to crack, intercept or otherwise get hold of, and that piece requires only the user's memory. Once intercepted, an unauthorised person can log into your VPN whenever they wish. By introducing a second security factor, of a different type, you introduce a two-layer authentication. By different 'type' we mean that it cannot just be an extra password; it has to be something that uses a method other than the user's memory.'

Your mobile phone as your key

Smartphones have become commonplace, with each person typically having their own phone to manage calls, e-mails, Internet and everything else.

Smartphones are individual devices, typically used by only one person with options for biometric security, such as fingerprint readers. Because of this, they are now commonly used for online banking as authentication devices to provide a second layer of security; instead of just a password held in the user's head. This also allows for improved methods of credential generation and user validation, either Two-Factor Authentication via SMS, or a linked device used to authenticate transactions.

With DrayTek Mobile One-Time Passwords (mOTP), similarly to banking apps, instead of authenticating VPN connections with just a username and password; You install an mOTP app on your mobile phone and that becomes your authentication device.

mOTP is an open authentication standard and can be used with any Android phone or tablet, as well as Apple iPhone, iPad and iPod Touch, with a suitable mOTP app such as these: DroidOTP for Android or imOTP for Apple devices

When you initially install an MOTP app, you create a relationship with your VPN host (router) by entering a unique mOTP authentication secret into the router, which the phone generates. You also select a secret 4-digit PIN code.

After that, you do not need to know the mOTP secret value, just the Username and 4-digit PIN code. To connect the VPN, enter your VPN username and one-time VPN password, generated by entering your PIN into the mOTP app.

In this way, you need both your phone and your PIN to connect the VPN so it is now a two-layer authentication method. Only your own phone will work, unless the VPN tunnel is reconfigured & paired with another device on the router.

Next time you connect, a different login password will be generated by your phone, which expires within a couple of minutes, after which that password cannot be used to connect the VPN. A new and unique password is generated every time.

The mobile One-Time Password feature can be used for most types of teleworker dial-in VPN that use a username and password, with all DrayTek VPN routers.

mOTP requires the VPN to be authenticated by the router (locally), instead of with an LDAP or RADIUS server (remotely).
See the table below for the types of VPN tunnel that can be used with mOTP two factor authentication:

mOTP Capable VPN Types
VPN Types DrayTek SSL VPN IPsec IKEv2 EAP IPsec Xauth L2TP over IPsec OpenVPN PPTP
mOTP Capable  

Setting up an mOTP VPN Tunnel

See these guides for detailed information on configuring an mOTP authenticated VPN tunnel:

Teleworker VPN - SSL with mOTP 2FA - Smart VPN Client & Smartphone - Using a Smartphone with an mOTP app as the authentication device

Teleworker VPN - SSL with mOTP 2FA - DrayTek Smart VPN Client - Using a laptop with the DrayTek SmartVPN client as the authentication device