Connecting to VPN with FIDO Security keys using TOTPRadius FIDO-VPN Interface

product updates totpradius


Multi-factor authentication for VPN systems, such as Meraki Client VPN or Fortinet VPN will be possible using FIDO Security keys, both FIDO2 and U2F.

While classic OTP (and namely TOTP) still remains industry standard for two-factor authentication and is supported out of the box by the majority of VPN servers and clients, there is not a lot of products that can leverage the FIDO keys for securing VPN access. The majority of the current solutions that are being marketed as supporting FIDO and FIDO2 keys are using the OTP functionality of the security keys (most USB FIDO keys, in addition to U2F and/or WebAuthN features, also have an additional module that can generate OTP, i.e. HOTP by pressing a button, or TOTP via a companion app). This may look like a solution but is still a TOTP. While OTP solutions are still secure, utilizing FIDO keys' main features to protect VPN access may improve security even further.
[as per our research, only one solution seems to exist to have true support of FIDO authentication, which is a commercial VPN client, Viscosity, costs $14 and is limited to OpenVPN protocol only]

Our FIDO-VPN solution

To address this gap, TOKEN2 is currently finalizing a feature as a part of its TOTPRadius solution, to provide VPN access with FIDO security keys protection option, in addition to classic TOTP authentication. The solution will work with both FIDO2 and FIDO keys (WebAuthN implementation with fallback to U2F for older keys) and will work via modern web-browsers supporting FIDO keys authentication. No special VPN client installation is required, although we will be releasing VPN helper apps to simplify the user experience and make the process as fast as possible; one click will be enough to establish a VPN link. FIDO-VPN will support systems relying on standard VPN protocols (LT2TP and L2TP/IPSec), such as Meraki Client VPN and Fortinet VPN solutions. We are currently finalizing the solution and it will be a part of TOTPRadius, starting from version 0.2.5.

Migrating from the older version to the new release should be smooth as there will be a possibility to export both user and configuration data from the old appliance and import to a newly deployed appliance.

The video below demonstrates how the process looks like from the end user's perspective