Multi-Factor Authentication (MFA) helps to improve security by adding an extra verification step during user login. In uOS (Unified Operating System), MFA can be used with outbound user databases, where authentication is handled by external or cloud-based identity systems.
This article gives a clear overview of:
- supported outbound user databases in uOS,
- applications and access methods (VPN, SSL VPN, Captive Portal),
- available MFA methods,
- user enrollment options,
- current feature availability and limitations.
This information is useful for administrators who want to plan or configure MFA on Zyxel devices running uOS.
MFA Architecture in uOS (Outbound Authentication)
In outbound authentication scenarios, the Zyxel firewall sends user authentication requests to an external service or identity provider. uOS does not always manage the second factor directly. In many cases, MFA is handled by the external system.
Supported outbound user databases include:
- Zyxel CloudAuth
- Microsoft Entra ID / Google Identity
- Nebula Entra ID
- External Active Directory
- Local users on the device
Depending on the scenario, MFA can be provided by:
- built-in methods (for example, Google Authenticator or email OTP),
- third-party MFA services (for example, Microsoft Entra MFA or Duo Security).
Supported MFA Scenarios in uOS
The table below shows which MFA methods are supported in uOS, based on the user database and application type.
MFA options in uOS with outbound user databases
| Directory / IdP | Application / Protocol | Auth Client | MFA Method | Enrollment | Availability in uOS | Remarks |
|---|---|---|---|---|---|---|
| CloudAuth | IPSec VPN | SecuExtender | Google Authenticator | User via CloudAuth | Planned (July 2026) | FLEX / ATP supported |
| CloudAuth | IPSec VPN | SecuExtender | Passkey | User via CloudAuth | Planned (July 2026) | – |
| CloudAuth | SSL VPN | Browser | Google Authenticator | User via CloudAuth | Planned (July 2026) | uOS only |
| CloudAuth | Captive Portal | Browser | Passkey | User via CloudAuth | Planned (July 2026) | – |
| Entra ID / Google | SSL VPN | OpenVPN client | MFA by IdP | Via IdP | Yes (uOS 1.37) | OIDC required |
| Entra ID / Google | Captive Portal | Browser | MFA by IdP | Via IdP | Yes (uOS 1.37) | OIDC required |
| Entra ID / Google | IPSec VPN | SecuExtender | MFA by IdP | Via IdP | Not Planned | – |
| External AD | IPSec VPN | SecuExtender | Email / SMS OTP | Server-side | Yes | FLEX / ATP only |
| External AD | IPSec VPN | SecuExtender | Duo MFA | Via Duo | Yes | – |
| External AD | SSL VPN | Browser / PAP | Duo MFA | Via Duo | Yes | – |
| Nebula Entra ID | SSL VPN | OpenVPN client | Entra ID MFA | Via Entra ID | Not Planned | – |
| Local (device) | IPSec VPN | SecuExtender | Google Authenticator | Admin enroll | Yes | uOS & ZLD |
| Local (device) | SSL VPN | SecuExtender | Google Authenticator | Admin enroll | Yes | uOS only |
Notes and Limitations
- MFA by IdP means that MFA is fully handled by the external identity provider.
- Some MFA options are available only in uOS and are not supported on older platforms.
- CloudAuth MFA and Passkey support for uOS are planned features and not available yet.
- Duo Security integration requires additional configuration. Separate guides are available.
- MFA support depends on the application type and the client used (browser, SecuExtender, OpenVPN).
