Since USG / ZyWall firmware version 4.32 you can use Two-Factor Authentication (2FA) to let your VPN clients authenticate. These steps will guide you through the setup for sending the second authentication factor by e-mail.
- Log in to the unit by entering its IP address and the credentials for an admin account (by default, username is “admin”, password is “1234”)
- Configure your L2TP / IPSec / SSL connection as desired
- Navigate to Configuration > Object User/Group > User to create or edit a user
- Make sure to enter a valid e-mail address for this user; the second authentication factor will be sent there
- Put this user into the allowed VPN users group in the tab “Group”
- Navigate to Configuration > System > Notification > Mail Server and fill in the credentials for an SMTP server (if you don't own a mail server, you can use a free Gmail account, for example)
- Navigate to Configuration > Object > Auth. Method > Two-factor Authentication to enable this feature for the desired VPN (SSL / L2TP / IPSec)
- Under “User/Group” select the users which should authenticate using 2FA
- Under “Delivery Settings” enable “Email”
- Under “Authorize Link URL Address” you can choose “From Interface” and the respective interface, or “User-Defined” to enter an IP address or (DynDNS) domain name
Now your USG is able to let your clients authenticate more securely using Two-Factor Authentication!
The user connects to the VPN as usual and, after entering his credentials, receives an e-mail with a link that forwards him to your USG. There he only has to click “Authorize” to activate his token and be allowed to access resources in the VPN.
Please note: Make sure that under “Authorize Link URL Address” you choose an interface / URL / IP that is accessible from the internet! Depending on your configuration you may also have to allow HTTP or HTTPS in your WAN-to-Device security policy.
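The note above is where this setup most often fails in practice: the link in the e-mail points at an address the remote client cannot reach, or the WAN-to-Device policy blocks the port. The following is an added example (my own code, not ZyXEL's, with hypothetical function names) that pre-checks the value you plan to enter under “Authorize Link URL Address”, names the service the WAN-to-Device policy must allow, and sends a test message through the SMTP account you entered under Notification > Mail Server. It assumes the SMTP server accepts STARTTLS on the port you give (as Gmail does on 587).

```python
"""Pre-flight checks for the e-mail 2FA setup described above.

Added example, not ZyXEL code. Function and variable names are my own.
"""
import ipaddress
import smtplib
from urllib.parse import urlsplit


def check_authorize_url(url: str) -> list:
    """Return a list of findings for the 'Authorize Link URL Address'.

    An empty list means the URL looks usable by a client on the internet.
    """
    findings = []
    parts = urlsplit(url)

    if parts.scheme not in ("http", "https"):
        findings.append("scheme must be http or https")
    elif parts.scheme == "http":
        findings.append("plain http: the authorize link is sent in clear text")

    host = parts.hostname
    if not host:
        findings.append("URL contains no host")
        return findings

    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not a literal address

    if ip is not None:
        # Private, loopback, link-local and reserved ranges are not
        # routable from the internet, so the link would never reach the USG.
        if not ip.is_global:
            findings.append(f"{host} is not reachable from the internet; "
                            "use the WAN interface or a public address/DynDNS name")
    elif "." not in host:
        findings.append(f"{host} is not a fully qualified name; "
                        "remote clients cannot resolve it")
    return findings


def wan_to_device_service(url: str) -> str:
    """Name the service (HTTP or HTTPS) and port that the WAN-to-Device
    security policy must allow for the authorize link to be served."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme.upper()} (TCP/{port})"


def send_test_mail(smtp_host, smtp_port, username, password, sender, recipient):
    """Send a test message through the SMTP account configured under
    Notification > Mail Server, to confirm the credentials before the USG
    relies on them. Assumes the server offers STARTTLS on smtp_port."""
    body = (f"From: {sender}\r\nTo: {recipient}\r\n"
            "Subject: USG 2FA mail test\r\n\r\n"
            "If you can read this, the mail account used for 2FA links works.\r\n")
    with smtplib.SMTP(smtp_host, smtp_port, timeout=10) as smtp:
        smtp.starttls()
        smtp.login(username, password)
        smtp.sendmail(sender, [recipient], body)


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    for candidate in ("https://vpn.example.com", "http://192.168.1.1", "https://usg"):
        print(candidate, "->", check_authorize_url(candidate) or "OK",
              "| policy:", wan_to_device_service(candidate))
```

Run the URL check on the exact string you intend to enter; a “From Interface” choice resolves to that interface's address, so check that address the same way. The test mail only proves the credentials and STARTTLS negotiation work from the machine you run it on; the USG itself still needs a route to the SMTP server, so send one real 2FA login attempt after saving the configuration.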