Author: Anna Korobkyna

Protectimus Smart OTP is a free 2FA authenticator app with cloud backup support that is available for both Android and iOS devices. This guide will show you how to use the Protectimus MFA app to enhance the security of your online accounts.

How Does Protectimus Smart 2FA App Work

Protectimus Smart OTP is a two-factor authentication app that provides an additional layer of security to your online accounts. With the Protectimus Smart OTP 2FA authenticator, you can generate one-time passwords (OTPs) on your mobile device that can be used as the second factor in the authentication process on any website that supports MFA.

The Protectimus Smart 2FA authenticator offers many advantages, including:

• Encrypted cloud backup;
• Ability to transfer tokens to a new phone;
• Ability to import tokens from Google Authenticator;
• PIN and biometric authentication protection (Touch ID and Face ID);
• Support for all OATH one-time password generation algorithms (HOTP, TOTP, and OCRA);
• Delivery of two-factor push notifications;
• Data signature function (Confirm What You See) to better control your operations with funds;
• 6 and 8 digit one-time passwords;
• Multiple language support: English, French, German, Spanish, Russian, and Ukrainian;
• Convenient distribution of OTP tokens by folders;
• Customization of tokens with different emojis and descriptions.

1. Getting Started With the Protectimus Smart 2FA Authenticator

1. Download and install the Protectimus Smart OTP two-factor authentication app from the App Store or Google Play.

 

2. You will see a welcome screen. Tap Continue.

   

3. On the next step, you will be asked to Activate Cloud Backup.
   
   We strongly recommend using this feature to ensure that you do not lose your OTP tokens in case you lose or damage your phone, or accidentally delete the 2FA app. To activate cloud backup, select the option and press Continue.
   
   

   Please note! If you already have a cloud backup saved, all the tokens from your backup will be added to the 2FA app after you activate cloud backup at this stage.

4. Now you can add a new token or import your 2FA tokens from Google Authenticator.
   
   For instructions on how to import tokens from Google Authenticator, please refer to the detailed guide here.
   
   For instructions on how to add new tokens, please refer to the detailed guide here.

2. Adding Tokens

1. To add a new token, open the Protectimus Smart OTP two-factor auth app and tap on the plus sign in the upper left corner.

2. You can choose to add the token by scanning a QR code or by entering the secret key manually.
   
   If you choose to Scan QR code, simply point your smartphone’s camera at the code on the security settings page of the website you want to protect with two-factor authentication. The app will automatically scan the QR code and create a token.

3. If you choose to Add token manually, you’ll need to enter the token name (Login), the secret key (Token key), choose the OTP generation algorithm (OTP Type), the one-time passwords length, and lifetime. Then save the changes tapping the Add token button in the right upper corner.
   
   

   Note that if you’re using a two-factor authentication system other than Protectimus, you should uncheck the Protectimus checksum checkbox.

3. Editing and Deleting Tokens

1. To edit or delete a token, long-press on its name and choose the desired action. Alternatively, you can open the Edit Token menu by tapping the pen icon in the upper-right corner and selecting the token you want to modify.

2. Once you’re in the Edit Token menu, you can customize the token by:
   • changing its emoji,
   • setting the issuer,
   • updating its name (Login),
   • adding a description (Additional information),
   • adjusting the OTP length,
   • assigning it to a folder.
   If you need to remove the token entirely, there’s an option to delete it.
   
   Once you’ve made your changes, click Save and close in the upper-right corner to confirm.

4. Grouping Tokens by Folders

1. To keep your tokens organized, you can group them into folders.
   
   To add a token to a folder, simply long-press its name and select Add to folder.

2. You’ll be taken to the folder settings menu, where you can either choose an existing folder or create a new one. If you want to create a new folder, click on the icon in the top right corner.

3. To manage your folders, click on the gear icon in the upper right corner to go to the Settings page.

4. Select Folder Settings.

5. From here, you can edit, delete, and create new folders, as well as edit tokens in any folder.

5. Changing the Order of Tokens

You can customize the order of your tokens to suit your needs. With this feature, you can quickly access your most frequently used tokens.

1. To do so, open the Edit Token menu by tapping the pen icon in the upper-right corner.

2. From there, simply drag the tokens to rearrange them in the desired order. Save the changes by clicking on the checkmark in the upper right corner.

6. Cloud Backup

To safeguard your OTP tokens in case of device loss or accidental deletion of the 2FA app, we strongly recommend using the Cloud Backup feature. Additionally, we strongly advise protecting the backup file with a password for added security.

To manage your backup files, simply navigate to the Backup page where you can activate, update, restore or delete your backups.

By utilizing this feature, you can ensure that your OTP tokens are always available and secure, even in unexpected circumstances.

1. Go to Settings.

2. Tap Backup in cloud.

3. If the backup function is not activated yet, enable it.

4. If the backup function has been activated and you have made any changes, you can Restore the previous version or Update the backup file. Tap the Upload button to upload the latest changes to the cloud.

5. You will see the allert message. If you are sure that you want to upload current OTP tokens in the cloud, tap Update. Please note that this will erase previous backups.

Please note! To secure you backup file, we recommend adding a password, use the Add backup file password button.

7. App Security (PIN and Biometric Authentication)

For optimal security, it is highly recommended that you safeguard access to the Protectimus Smart OTP two-factor authentication application with either a PIN or biometric authentication.

To enable PIN or biometric authentication with fingerprint or face ID, follow these steps:

1. Go to the Settings menu.

2. Select App security.

3. Create a unique PIN for the application.

4. The app will prompt you to allow biometric authentication for easier access.

5. Once both PIN and biometric protection are enabled, you can manage your PIN, and turn biometric authentication on or off from the App security page.

By taking these simple steps, you can ensure that your Protectimus Smart OTP two-factor authentication application is as secure as possible.

8. Transferring Tokens to a New Phone

Protectimus Smart OTP authenticator offers a convenient Data Transfer feature that enables you to effortlessly move your tokens from one phone to another or doenload and store the backup file in the place you like. With this feature, you can export your data into an encrypted file with password protection for added security.

1. To get started, simply navigate to the Settings menu.

2. Tap on the Data transfer option.

3. If you want to transfer tokens from your current device to another, choose Export tokens. Alternatively, if you want to import saved data onto your device, select Import tokens.

4. If you choose to export tokens, create a strong password and click on Continue to generate the file containing all your data.

5. Remember to save this file so you can import your tokens onto the new device later.

9. Importing from Google Authenticator

You can easily transfer your tokens from Google Authenticator 2FA app to the Protectimus Smart OTP.

To get started, open your Google Authenticator application and:

• tap the menu button located at the top-right corner;
• select Transfer accounts;
• then choose Export accounts;
• select the tokens you wish to transfer to Protectimus Smart OTP;
• tap Next, and you will see a QR code, scan this QR code using the Protectimus Smart OTP app.

In the Protectimus Smart OTP app:

1. Go to Settings.

2. Select Import from Google Authenticator, scan the QR code generated by Google Authenticator and wait for the import process to complete.

10. Data Signature Method (CWYS)

Protectimus Data Signature, also known as CWYS (Confirm What You See), is a powerful tool that safeguards against phishing, data spoofing, man-in-the-middle attacks, and similar hacking techniques.

Based on the OCRA algorithm, Protectimus Data Signature allows users to verify key details of financial transactions before confirming them.

To use this feature, you will need to enter a challenge code into the app to generate a one-time password. You can enter the code manually or scan a QR code.

To set your preferred method for entering a challenge code:

1. Go to Settings.

2. Select the Data Signature method.

3. Choose your desired option, and click Save and go back.

11. Push Tokens

Two-factor authentication app Protectimus Smart OTP offers push notifications as a convenient way to confirm transactions and streamline the login process for end-users, providing additional protection against transaction data replacement.

This feature is available exclusively for services that use Protectimus 2FA solution as their two-factor authentication system backend.

To add, use, or delete push tokens, follow the steps outlined in the next paragraph.

Please note!

1. You cannon receive push notification if your phone is offline.
2. Push tokens cannot be edited, backed up, or transferred to another device.

11.1. How to Add Push Tokens

1. Open the Protectimus Smart OTP MFA app and tap on the plus sign in the upper left corner.

2. Choose to Scan QR code and scan the QR code on the service where you plan to use this push token.

3. To proceed, save the public key to your device by tapping the Continue button.

4. You’re all set! The push token has been created, and you’ll receive a notification confirming its successful creation.

Important! To receive push notifications from the Protectimus Smart OTP 2FA app, you must enable notifications in your app settings. Please ensure that notifications from the Protectimus Smart OTP app are allowed.

11.2. How 2FA Push Notifications Work

This advanced two-factor authentication feature provides additional protection against data spoofing and transaction data replacement.

Note! The device must be online to receive the push notification.

1. When making a transaction or attempting to log in to a two-factor authentication-protected service, a push notification will be sent to your phone.

2. You’ll need to open the app to view and confirm the details of the transaction.

3. Or to view and confirm the location of the login attempt.

11.3. How to Delete Push Tokens

Please note! Please note that push tokens cannot be edited, backed up, or transferred to another device. Deleting the push token is irreversible, and there is no way to restore it. This means that you may lose access to the account associated with the token if it is deleted.

1. To delete a push token, go to Settings.

2. Go to Push tokens.

3. Tap the three dots next to the token you wish to delete, and select Delete token.

4. A confirmation message will appear, and you should only proceed if you are certain that deleting the token will not result in the loss of access to the account protected by it.

12. Time Correction

If you see the message “The one-time code is invalid” when attempting to enter a one-time password, it may be due to a time drift between your token and the two-factor authentication server. To resolve this issue, a time correction may be necessary.

To synchronize your Protectimus Smart OTP app’s internal clock with Protectimus servers:

1. Navigate to Settings.

2. Select the Time correction option.

3. If everything is in order, you will see a message confirming that the time is already correct.

13. Additional Settings

The Protectimus Smart OTP settings page provides additional options for customization, such as selecting your preferred language for the interface, enabling or disabling Screen Capture Access, and choosing between a dark or bright appearance to suit your preferences.

12.1. Application Language

Currently, the Protectimus Smart OTP authenticator is available in English, French, German, Spanish, Russian, and Ukrainian.

12.2. Screen Capture Access

To enhance your security, we advise against enabling screen capture access.



If you have any questions, please, contact Protectimus customer support service.

With Protectimus multi-factor authentication (MFA) solution, you can set up CentOS two-factor authentication (2FA) in a few steps.

1. How CentOS Two-Factor Authentication (2FA) Works

After you enable CentOS 2FA, your users will need to use two authentication passwords to get access to their CentOS accounts:

1. The first is a standard password (something the user keeps in memory);
2. The second is a one-time password valid only for 30 or 60 seconds (the one-time password is generated with the help of a hardware OTP token or a 2FA app on a user’s phone – something that the user owns and has to carry with them).

This way, the CentOS account becomes protected with two different authentication factors. Even if the hacker steals the users’s password using phishing, brute force, social engineering, data spoofing, or any other attack, they can’t access the CentOS account without the one-time password from a user’s 2FA token.

This guide shows how you can set up CentOS two-factor authentication (2FA) using Protectimus RADIUS 2FA component for the integration with Protectimus Cloud 2FA service or Protectimus On-Premise MFA Platform.

2. How to Enable CentOS Two-Factor Authentication (2FA)

You can set up CentOS two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS 2FA Service or On-Premise 2FA Platform and configure basic settings.
2. Install Protectimus PAM module for CentOS 2FA
3. Install and configure Protectimus RADIUS Server module.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install Protectimus PAM module for CentOS 2FA

yum -y install epel-release
yum -y install pam_radius

 

2.3. Install and configure Protectimus RADIUS Server

1. Install protectimus-radius

git clone https://github.com/protectimus/platform-linux.git
cd platform-linux/radius
edit config/radius.yml
docker compose up -d

2. Configure radius.yml file.
   
   Configure Protectimus RADIUS Server settings in the radius.yml file. It must be located in the same directory as the executable.
   
   You will find detailed instructions on available properties that you can add to the radius.yml file here.
   
   The example of radius.yml file configuration:

radius:
  secret: secret
  auth-port: 1812

auth:
  #  Could be :
  #  - LDAP
  #  - PROTECTIMUS_PASSWORD
  #  - PROTECTIMUS_OTP
  #  - PROTECTIMUS_PUSH
  providers:
    - PROTECTIMUS_OTP

protectimus-api:
  login: [email protected]
  api-key: aslkjdljsdlaskmWpXjT5K0xqLXkd3
  url: https://api.protectimus.com/
  resource-name: radius
  resource-id: 723

3. Edit pam_radius config, configure secret
   
   /etc/pam_radius.conf

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1

4. Configure SSH to use challenge response
   
   /etc/ssh/sshd_config

ChallengeResponseAuthentication yes

5. Execute the command systemctl restart sshd

6. Configure PAM for SSH to use RADIUS
   
   Add auth required pam_radius_auth.so after auth substack password-auth into /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
# protectimus pam radius
auth       substack     password-auth
auth       required     pam_radius_auth.so
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare

CentOS multi-factor authentication setup is now complete. If you have other questions, contact our customer support service.

This guide shows how you can set up VMware Horizon View two-factor authentication (2FA) via RADIUS using the Protectimus multi-factor authentication system.

Protectimus two-factor authentication system integrates with VMware Horizon View via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server via a special connector Protectimus RADIUS Server, and the VMware Horizon View performs as a RADIUS client.

The Protectimus RADIUS Server connector transfers authentication requests from the VMware Horizon View to the Protectimus multi-factor authentication (MFA) server and returns the answer permitting or denying access.

Below is an example of integration of the Protectimus 2FA solution with VMware Horizon View.

1. How to Enable Two-Factor Authentication for VMware Horizon View

You can set up multi-factor authentication (2FA) for VMware Horizon View with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for VMware Horizon View.

2. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

 

3. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for VMware Horizon View two-factor authentication using RADIUS are available here.

4. Add Protectimus as RADIUS Server for VMware Horizon View 2FA

1. Log into the VMware Horizon View admin panel.
2. Navigate to Settings and then click Servers.
3. Select the Connection Servers tab.

4. Select the necessary connection server, and after that click the Edit button.

5. Navigate to the Authentication tab.
6. Then go to the Advanced Authentication section and select RADIUS in the 2-factor authentication dropdown.
7. Check the box Enforce 2-factor and Windows user name matching.
8. Find the Authenticator dropdown, and select Create New Authenticator.

9. You will see an Add RADIUS Authenticator form. Navigate to the Client Customization page and enter any name for your new RADIUS server (e. g. Protectimus). Then click Next.
10. On the Primary Authentication Server page, fill in the required information referring to the table and image below.

Hostname/Address	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Accounting Port	Leave the default value.
Authentication Type	PAP.
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Server Timeout	Set to 60.
Max Attempts	Set to 5.

11. For all other fields, leave the default values. Then click Next.
12. Add a Secondary Authentication Server if you wish (it is optional), and click Finish to complete creating the RADIUS server.
13. We recommend you review the Advanced Authentication section:
    • check if the RADIUS server you have just created (Protectimus) is selected in the Authenticator dropdown;
    • make sure that you have checked the box Enforce 2-factor and Windows user name matching.

Integration of two-factor authentication (2FA/MFA) for your VMware Horizon View 2FA is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable multi-factor authentication (MFA / 2FA) for F5 BIG-IP APM VPN with the help of the Protectimus two-factor authentication system.

Protectimus two-factor authentication system integrates with F5 BIG-IP APM VPN via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform takes the role of a RADIUS server, and the F5 BIG-IP VPN performs of a RADIUS client.

The scheme of work of the Protectimus solution for F5 BIG-IP APM VPN 2FA is presented below.

1. How F5 BIG-IP APM VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for F5 BIG-IP APM VPN allows you to add an extra layer of security to your F5 BIG-IP VPN logins.

When you add 2FA/MFA for F5 VPN, your users will use two different authentication factors to get access to their accounts.

1. The first factor is login and password (something the user knows);
2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack an F5 BIG-IP APM VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for F5 BIG-IP APM VPN

You can set up multi-factor authentication (2FA) for F5 BIG-IP VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

 

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for F5 BIG-IP APM VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for F5 BIG-IP APM VPN 2FA

1. Log into the F5 BIG-IP administrator dashboard.
2. Navigate to Access –> Authentication –> RADIUS.

3. Click the Create… button to add a new RADIUS server.
4. Then fill in the form referring to the table and image below, and click Finished to save your settings.

Name	Type any name for your RADIUS server – enter Protectimus_RADIUS_Server or any other name you wish.
Mode	Authentication
Server Connection	Direct
Server Address	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication Service Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Confirm Secret	Confirn the shared secret.
Timeout	Set to 180 seconds.
Retries	Set to 3.
Character Set	Set to UTF-8.
Service Type	Default.

2.4. Modify the F5 BIG-IP APM Access Policy

1. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies).

2. Click Edit… to modify your F5 BIG-IP APM access policy.

3. You will see the Access Policy editor. Click + (Plus) on the arrow to the right of the Logon Page.

4. In a new window, select the Authentication tab. The select RADIUS Auth and click the Add Item button.

5. In the AAA Server dropdown, select Protectimus_RADIUS_Server – the server you have created previously. Then click Save to save the changes.

PLEASE NOTE!
If you have a former authentication method (e.g. Active Directory) you can either remove it or keep it.
You can keep your former authentication method and use Protectimus after or before that authentication method.
To remove it, click X, select Connect previous node to Successful branch, and click Delete.

6. Click Close to return to the Access Profiles page. Check your profile and click Apply. The status flag next to your profile should change to green.

Integration of two-factor authentication (2FA/MFA) for your F5 BIG-IP APM VPN 2FA is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable two-factor authentication (2FA / MFA) for Array AG SSL VPN with the help of the Protectimus multi-factor authentication system.

Protectimus multi-factor authentication system integrates with Array AG SSL VPN via RADIUS authentication protocol. In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the Array VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for Array VPN 2FA is presented below.

1. How Array VPN Two-Factor Authentication Works

Protectimus Two-Factor Authentication Solution for Array AG SSL VPN allows you to add an extra layer of security to your Array VPN logins.

When you add 2FA/MFA for Array VPN, your users will use two different authentication factors to get access to their accounts.

1. The first factor is login and password (something the user knows);
2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a Array VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to hack a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for Array AG SSL VPN

You can set up multi-factor authentication (2FA) for Array VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for Array AG SSL VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Array VPN two-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Array VPN 2FA

1. Login to the Array VPN administration panel.
2. Change the mode to Config.
3. Navigate to the Virtual Site using the dropdown in the upper left corner.
4. Find the Site Configuration menu on the left and click on AAA.
5. Open the General tab and check Enable AAA.

6. Navigate to the Server tab and click RADIUS.
7. Enter the Server Name (e.g. Protectimus RADIUS Server). You can also add a Description. Then click Add.

8. The newly added server will appear on the list of servers. Open Advanced RADIUS Server Configuration by double-clicking the name of your RADIUS server.
9. Click Add RADIUS Server on the Advanced RADIUS Server Configuration page. Fill in the form referring to the table and image below, and click Save.

Server IP	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Server Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Secret Password	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Timeout	Set to 180 seconds.
Redundancy Order	Set to 1 if this is your first RADIUS server.
Retries	Set to 3.
Accounting Port	Set to 1813.

10. Go to the Method tab and click Add Method.
11. Enter the Method Name (e.g. Protectimus) and Method Description (e.g. Protectimus RADIUS Server). Then select the AAA server in Authentication. The AAA server is the server you created earlier (Protectimus RADIUS Server).
12. Click Save. The method you just created will appear in the table on the Method tab.

13. Find the AAA Method for Mobile VPN Clients dropdown and select the method you created (Protectimus).

14. Go to the top right corner of the Array VPN administration panel and click Save Configuration.

Integration of two-factor authentication (2FA/MFA) for your Array AG SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable multi-factor authentication (2FA / MFA) for WatchGuard Mobile VPN with the help of the Protectimus two-factor authentication solution.

Protectimus multi-factor authentication system integrates with WatchGuard Mobile VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the WatchGuard Mobile VPN takes the role of a RADIUS client.

The scheme of work of the Protectimus solution for WatchGuard Mobile VPN two-factor authentication is presented below.

1. How WatchGuard Mobile VPN 2FA Works

Protectimus Two-Factor Authentication Solution for WatchGuard Mobile VPN allows you to add an extra layer of security to your WatchGuard VPN logins.

Protectimus WatchGuard Mobile VPN 2FA Solution enables 2-factor authentication during WatchGuard connections via IPSec and SSL.

When you add 2FA/MFA for WatchGuard Mobile VPN, your users will use two different authentication factors to get access to their accounts.

1. The first factor is login and password (something the user knows);
2. The second factor is a one-time password generated with the help of a hardware OTP token or an app on the smartphone (something the user owns).

To hack a WatchGuard Mobile VPN protected with two-factor authentication, a hacker needs to get a standard password and a one-time password at once. And they only have 30 seconds to intercept a one-time password. It is almost impossible, which makes two-factor authentication so effective against brute force, data spoofing, keyloggers, phishing, man-in-the-middle attacks, social engineering, and similar hacking attacks.

2. How to Enable 2FA for WatchGuard Mobile VPN

You can set up multi-factor authentication (2FA) for WatchGuard Mobile VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA.
4. Configure WatchGuard Mobile VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for WatchGuard Mobile VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for WatchGuard Mobile VPN MFA

1. Log in to the WatchGuard Firebox Admin Panel (Fireware Web UI).
2. Navigate to Authentication –> Servers –> RADIUS.

3. Click Add.

4. Fill in the required fields in the Primary Server Settings tab. Please refer to the following table and image.

Domain Name	Come up with a name for your RADIUS domain, e.g. Protectimus RADIUS Server. Note that You cannot change the Domain Name after you save the settings.
Enable RADIUS Server	Check the box.
IP Address	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Confirm Secret	Reenter the shared secret
Timeout	Set to 60 seconds.
Retries	Set to 3.
Dead Time	Set to 10 minutes.
Group Attribute	Set to 11.

5. Click Save to save your settings.

2.4. Configure WatchGuard Mobile VPN with SSL or IPSec

1. In the WatchGuard Firebox Admin Panel left pane, click VPN –> Mobile VPN.
2. Then navigate to the SSL or IPSec section, whichever method suits you best, and follow the instructions below.

2.4.1. Configure WatchGuard Mobile VPN with SSL

PLEASE NOTE! To enable 2FA for SSL Mobile VPN, you need to manually add all your users to WatchGuard VPN and then allow them to use SSL VPN.

1. Go to Authentication –> Users and Groups. Then click ADD to add a new user.

2. In Add User or Group, enter the name of the user and select the Authentication Server. Refer to the following table and image.

Type	User
Name	Enter the username.
Description	Optional, you can enter a description of the user if you want.
Authentication Server	Select the server you have created before (Protectimus RADIUS Server).

3. Other options are optional. Click OK and then click Save in the main list of all groups and users to confirm the new user.

PLEASE NOTE! You need to do the above three steps for every user you want to allow to use Mobile VPN with SSL.

4. After you add all your users, click VPN –> Mobile VPN. Then, go to the SSL section and click CONFIGURE.

5. Select the Authentication tab.
6. In AUTHENTICATION SERVERS, select the server you have created before (Protectimus RADIUS Server) and click ADD.
7. Then, select it on the list of authentication servers and click MOVE UP to make it default.

8. In Users and Groups, select the groups and users you want to allow to use SSL VPN.
9. Click SAVE to confirm and save your settings.

2.4.2. Configure WatchGuard Mobile VPN with IPSec

1. Navigate to VPN –> Mobile VPN. Then, go to the IPSec section and click CONFIGURE.

2. In the Groups section, select your profile and click EDIT.

3. Select the General tab.
4. In the Authentication Server dropdown, the server you have created before (Protectimus RADIUS Server). It has the Domain Name you set when configuring Protectimus as RADIUS Server.

5. Click SAVE to confirm and save your settings.

Integration of two-factor authentication (2FA/MFA) for your WatchGuard Mobile VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to enable multi-factor authentication (2FA / MFA) for users logging in to Pulse Connect Secure SSL VPN with the help of the Protectimus two-factor authentication solution for Pulse Connect Secure SSL VPN.

Protectimus’s two-factor authentication system integrates with Pulse Connect Secure SSL VPN via RADIUS authentication protocol.

In this scenario, the Protectimus Cloud 2FA Service or On-Premise 2FA Platform performs as a RADIUS server, and the Pulse Connect Secure SSL VPN takes the role of a RADIUS client.

You will find the scheme of work of the Protectimus solution for Pulse Connect Secure SSL VPN two-factor authentication below.

1. How 2FA for Pulse Connect Secure SSL VPN Works

Two-factor authentication (2FA / MFA) protects the Pulse Connect Secure SSL VPN user accounts from phishing, brute force, keyloggers, man-in-the-middle attacks, data spoofing, social engineering, and other similar hacking tricks.

When you enable 2FA/MFA for Pulse Connect Secure SSL VPN, Pulse Secure VPN users will use two different authentication factors to get access to their accounts.

1. The first factor is username and password (something they know);
2. The second factor is a one-time password generated with the help of a hardware OTP token or a 2FA app (something they own).

To hack a Pulse Connect Secure SSL VPN user account protected with two-factor authentication, a hacker needs both passwords at once. Moreover, a hacker has only 30 seconds to crack and use a time-based one-time password. It is almost impossible to fulfill these conditions, which makes two-factor authentication so effective.

2. How to Enable 2FA for Pulse Connect Secure SSL VPN

You can set up two-factor authentication (2FA) for Pulse Connect Secure SSL VPN with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure Pulse Connect Secure SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Pulse Connect Secure SSL VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for Pulse Connect Secure SSL VPN

1. Log into the Pulse Secure administration panel.
2. Navigate to Authentication –> Auth. Servers.

3. Select RADIUS Server in the dropdown, and click New Server….

4. Fill in the required fields in the Settings tab. Please refer to the following table and image.

Name	Come up with a name for your RADIUS server, e.g. Protectimus Server.
RADIUS Server	Enter the IP of server where the Protectimus RADIUS Server component is installed.
Authentication Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Shared Secret	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Timeout	Set to 180 seconds.
Retries	Set to 3.

5. Keep default values of all other fields and click Save Changes.
6. Navigate to Users –> User Realms –> New User Realm….

7. Come up with a Name for your new realm, e.g. Protectimus Server.
8. Select the previously created authentication server (Protectimus Server) in the Authentication dropdown.
9. Click Save Changes.

10. Navigate to Authentication Policy –> Password.
11. Select Allow all users (passwords of any length) and click Save Changes.

12. Go to the Role Mapping tab and click New Rule….

13. Come up with the name for a new rule, e.g. Protectimus Rule.
14. Set Rule:If username… to is *.
15. Assign a Users role. Select Users on the Available Roles list and click Add –>.
16. Click Save Changes.

17. Navigate to Authentication –> Signing In –> Sign-in Policies.

18. Click the */ URL in the User URLs table.
19. Select User picks from a list of authentication realms and select the Protectimus Server realm you have created before. To do this, just select Protectimus Server on the Available realms list and click Add –>.
20. Click Save Changes.

Integration of multi-factor authentication for Pulse Connect Secure SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide shows how to set up two-factor authentication for Aruba switches. This requires Aruba ClearPass to be integrated with Protectimus’ Multi-Factor Authentication (MFA) solution. You can use the Protectimus Cloud MFA Service or the Protectimus On-Prem MFA platform, which should be installed in the client’s environment or private cloud.

The Protectimus Two-Factor Authentication Server communicates with Aruba network equipment using the RADIUS authentication protocol. The Protectimus RADIUS Server component acts as a RADIUS server:

1. It accepts an incoming RADIUS authentication request.
2. Then, it accesses the user store (Active Directory, etc.) to confirm the user’s login and password.
3. The next step is to check the one-time password. To do this, Protectimus RADIUS Server contacts the Protectimus two-factor authentication server.
4. If both authentication factors are correct, Protectimus RADIUS Server allows the user to connect to the Aruba switch.

The diagram below shows how the Protectimus two-factor authentication solution for Aruba network equipment works.

1. How Aruba Switches Two-Factor Authentication (2FA) Works

Two-factor authentication (2FA / MFA) protects user accounts from attacks such as brute force, phishing, keyloggers, man-in-the-middle, social engineering, data spoofing, etc.

After you set up two-factor authentication for Aruba switches to connect to Aruba networking equipment, users will use two different authentication factors.

1. The first factor is login and password (what the user knows);
2. The second factor is a one-time password generated using a hardware OTP token or a smartphone (which belongs to the user).

To hack a user account, an attacker must get access to two passwords at once, which is almost impossible. At the same time, the attacker has only 30 seconds to crack and use one of these passwords.

2. How to Enable MFA for Aruba Switch

You can set up Aruba Switch two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Add Protectimus as RADIUS Server for your Aruba Switch.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Aruba switches 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Aruba Switch

There are two options to configure multi-factor authentication for Aruba switch via RADIUS:

• WebUI configuration. Available for the older versions of Aruba ClearPass.
• CLI configuration. Newer versions of Aruba switches can be configured only through the configuration console.

Follow only the steps of the method you choose.

How to configure MFA for Aruba switch via WebUI

1. In the Aruba Networks ClearPass WebUI Console, go to Configuration –> Security –> Authentication –> Servers.
2. Select RADIUS Server to display the RADIUS Server List.
3. Provide a Name for the new server, e.g. Protectimus, and click Add.
4. Select the name to configure the parameters, such as IP Address; and then check Mode to activate the server.
5. Click Apply.
6. Select Server Group to display the Server Group List.
7. Provide a Name for the new server group, e.g. corp_radius, and click Add.
8. Select the name to configure the parameters.
9. Under Servers, select New to add a server to the group.
10. Select the server (i.e. Protectimus) from the dropdown menu and click Add Server.
11. Click Apply.
12. Go to Configuration –> Management –> Administration.
13. Under Management Authentication Servers, select a management role, e.g. root, for the Default Role.
14. Check Mode to activate.
15. For the Server Group, select the newly created group, i.e. corp_radius.
16. Click Apply.

How to configure MFA for Aruba switch via CLI

How to Add New RADIUS Server

aaa authentication-server radius Protectimus
  host <ipaddr>
  enable

How to Add New Server Group

aaa server-group corp_radius
  auth-server Protectimus

How to Define Role for Server Group

aaa authentication mgmt
  default-role root
  enable
  server-group corp_radius

Integration of two-factor authentication (2FA/MFA) for your Aruba ClearPass is now complete. If you have other questions, contact Protectimus customer support service.

This Barracuda SSL VPN 2FA guide shows how to enable two-factor authentication (2FA / MFA) for Barracuda SSL VPN using the Protectimus Cloud 2FA Service or On-Premise 2FA Platform.

Protectimus integrates with Barracuda SSL VPN via RADIUS authentication protocol to add two-factor authentication (2FA) to Barracuda SSL VPN logins.

In this scenario, the Protectimus two-factor authentication solution for Barracuda VPN 2FA performs as a RADIUS server, and the Barracuda SSL VPN takes the role of a RADIUS client. You will find the scheme of work of the Protectimus solution for Barracuda SSL VPN two-factor authentication below.

1. How Barracuda SSL VPN Two-Factor Authentication (2FA) Works

Setting up two-factor authentication for Barracuda SSL VPN means that your users will have to enter two different factors of authentication when they get access to their accounts.

1. The first 2FA factor is a username and password (something the user knows);
2. The second 2FA factor is a time-based one-time password generated with the help of an OTP token or an app on a phone (something the user owns). A one-time passwords remains valid only for 30 seconds.

It is too hard to get unauthorized access to the Barracuda SSL VPN account protected with multi-factor authentication. A hacker has to get two passwords of different natures and use them simultaneously. Moreover, he has only 30 seconds to hack and use a one-time passcode, which complicates the task умут further and makes it almost impossible.

Tho-factor authentication (2FA / MFA) is an effective protection measure against such cybersecurity threats like phishing, keylogging, social emgeneering, brute force, MITM attacks, data spoofing, etc.

2. How to Enable Barracuda SSL VPN 2FA

You can set up Barracuda SSL VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure Barracuda SSL VPN authentication policies.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for Barracuda SSL VPN 2-factor authentication using RADIUS are available here.

2.3. Add Protectimus as RADIUS Server for your Barracuda SSL VPN

1. Log in to Barracuda VPN interface.
2. Navigate to Users –> External Authentication.

3. Select RADIUS and configure the following RADIUS settings to add a RADIUS Server. After that, click Save to save the changes.

Server Address	IP of server where the Protectimus RADIUS Server component is installed.
Server Port	Indicate 1812 (or whichever port you configured in the Protectimus radius.yml file when configuring Protectimus RADIUS Server).
Server Key	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server.
Group Attribute	Keep the default value.
Group Attribute Delimiter	Keep the default value.
NAS ID	If your RADIUS server requires NAS credentials to be set, enter the NAS identifier.
NAS IP Address	If your RADIUS server requires NAS credentials to be set, enter the NAS IP Address.
NAS IP Port	If your RADIUS server requires NAS credentials to be set, enter the NAS IP Port.
Group Information From	Set to blank/empty.

4. Navigate to VPN –> SSL VPN.

5. Go to the Authentication section. Select RADIUS in User Authentication. Click Save.

Integration of two-factor authentication (2FA/MFA) for your Barracuda SSL VPN is now complete. If you have other questions, contact Protectimus customer support service.

This guide describes how to enable Protectimus Two-Factor Authentication (2FA) for users connecting to MikroTik VPN.

The Protectimus two-factor authentication system can be integrated with MikroTik VPN via RADIUS authentication protocol. For this purpose, you need to install an on-premise Protectimus RADIUS Server component and configure the MikroTik VPN to refer to the Protectimus RADIUS Server for user authentication.

See how Protectimus two-factor authentication solution works for MikroTik VPN in the scheme below.

1. How MikroTik VPN Two-Factor Authentication (2FA) Works

After integrating MikroTik VPN with the Protectimus MFA system, your users will need to pass two stages of authentication to connect to MikroTik VPN:

1. Enter their username and password.
2. Enter the one-time passcode, which is only valid for 30 seconds.

To generate one-time passcodes, the following types of two-factor authentication tokens will be available to your users:

• Classic and programmable hardware OTP tokens that look like keyfobs and plastic cards;
• 2-factor authentication app Protectimus SMART OTP on iOS and Android;
• Any other 2-factor authentication apps that support TOTP auth standard, including Google Authenticator;
• Delivery of one-time passwords using chatbots in Telegram, Messenger, or Viber;
• SMS authentication;
• Delivery of one-time passwords via email.

It is a challenging task for the intruder to hack two authentication factors that differ in their nature (something the user knows and owns) and use them simultaneously within 30 seconds (the time when the one-time password remains active). That is why two-factor authentication is one of the best security measures for MikroTik VPN.

2. How to Enable MikroTik VPN 2FA

You can set up MikroTik VPN two-factor authentication (2FA) with Protectimus using the RADIUS protocol:

1. Get registered with Protectimus SAAS Service or install the On-Premise 2FA Platform and configure basic settings.
2. Install and configure Protectimus RADIUS Server.
3. Configure MikroTik VPN Client.
4. Configure Windows VPN.

2.1. Get Registered and Configure Basic Protectimus Settings

1. Register with the Protectimus Cloud Service and activate API or install the Protectimus On-Premise Platform (if you install Protectimus Platform on Windows, check the RProxy box during the installation).
2. Add Resource.
3. Add Users.
4. Add Tokens or activate Users’ Self Service Portal.
5. Assign Tokens to Users.
6. Assign Tokens with Users to the Resource.

2.2. Install and Configure Protectimus RADIUS Server

Detailed instructions for installing and configuring the Protectimus RADIUS Server for MikroTik VPN 2-factor authentication using RADIUS are available here.

2.3. Configure MikroTik VPN Client

1. Open Webfig.
2. Navigate to the menu on the left, and select the RADIUS tab.
3. Click Add New to configure your Protectimus RADIUS Server as a RADIUS server.
4. Check ppp and ipsec in the Service section.
5. Check login in the Service section.
6. Indicate the IP of the server where the Protectimus RADIUS Server is installed.
7. Set Protocol to udp.
8. Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property).
9. Change the default timeout to 30000 ms or higher.
10. Click OK to save your settings.

11. Navigate to the menu on the left, and select the PPP tab.
12. Select the Interface tab and then click PPTP Server, SSTP Server, L2TP Server, or OVPN Server depending on which one you are using.
13. Check pap and uncheck every other checkbox in Authentication. Click OK.
14. Select the Secrets tab, and click the PPP Authentication & Accounting button.

15. Check Use Radius, and click OK to finish the configuration and enable Protectimus two-factor authentica in your VPN.

2.4. Configure Windows VPN

1. On your Windows operating system, go to Settings –> Network & Internet –> VPN and select Add a VPN connection.
2. Fill in the form and click Save. Refer to the following image and table.

VPN Provider	Windows (in-built)
Connection name	MikroTik
Server name or address	Enter the IP address of your server
VPN type	Select your VPN Type. We chose L2TP/IPsec with pre-shared key, but you have to select the one you use in MikroTik.
Pre-shared key	Indicate the shared secret you created in the Protectimus radius.yml file (radius.secret property) when configuring Protectimus RADIUS Server
Type of sign-in info	User name and password
User name (optional)	Your user name
Password (optional)	Your password

3. Go to Control Panel → Network and Sharing Center and select Change adapter options.
4. Right-click your newly-created MikroTik connection and select Properties.
5. Select the Security tab.
6. Select Allow these protocols and then check the Unencrypted password (PAP) checkbox.
7. Then click OK to save the changes.

Integration of two-factor authentication (2FA/MFA) for your MikroTik VPN is now complete. If you have other questions, contact Protectimus customer support service.