Two-Step Authentication

Client configuration for PINs and two-step authentication

Pritunl provides four methods for two-factor authentication. Additional six digit user pins can be required providing improved security.

Yubico YubiKey

Yubico YubiKeys provide the highest level of security with Pritunl. The YubiKeys act as a USB keyboard, when the users touches the center of the key a 44 character OTP code will be sent followed by the enter key. This allows the key to work on any computer that supports USB keyboards, including Android phones using a USB-C adapter or the new YubiKey 4C with a USB-C connector. The code is then sent to the Yubico servers to be verified. The 44 character code also includes the ID of the key which allows for simple enrollment by the user. When the user first logs in to Pritunl they only need to touch the key once to associate it with the Pritunl user. YubiKeys also only require a one time purchase of the key with no monthly costs.

Duo Hardware Token

Duo hardware tokens provide a level of security similar to YubiKeys. An administrator must manually associate each tokens serial number with a Duo account. The tokens rely on a battery and internal clock to keep the time synchronized which often becomes out of sync if not used often which will prevent the user from authenticating. These tokens also require a per user monthly subscription from Duo in addition to the cost of the token.

Duo, OneLogin and Okta Push

Duo, OneLogin and Okta push allows users to authenticate by confirming a push notification that is sent to the users mobile phone. This is very effective in preventing phishing attacks although a phishing attack would be very difficult as a the user will generally only authenticate with the VPN client. Both require the user to install an app on their phone and have a monthly subscription cost.

Google Authenticator

Google Authenticator uses a time based OTP code that is verified by the Pritunl server. Enrollment is done by the user scanning a QR code from the profile view page. It is intended for small user sets when users are created manually. This should not be used with single sign-on as the OTP secret is shown on the profile view page when a user signs in.

Password Field

The official Pritunl client, OpenVPN for iOS and OpenVPN for Android are the only clients that directly support using both a PIN and two-step authentication. For all other OpenVPN clients the PIN and two-step authentication code must be combined. If the OpenVPN client supports challenge responses the user will be prompted to enter the passwords separately. Both the iOS and Android client support this. Below is a table showing how to format the OpenVPN password field. The username must be filled in on most OpenVPN clients to enter a password but can be set to anything. The users certificate is only associated with one user on the Pritunl server so it is not necessary to verify the username. The OpenVPN username is ignored by the Pritunl server. This is also true for Radius users.

AuthenticationPassword FieldExample
PIN OnlyPIN (123456)123456
Two-Step AuthenticationOTP (123456)123456
Duo PasscodeDuo (123456)123456
YubiKeyYubiKey (cbdefghijklnrtuv)cbdefghijklnrtuv
PIN and Two-Step AuthenticationPIN (111111) + OTP (222222)111111222222
PIN and Duo PasscodePIN (111111) + Duo (222222)111111222222
PIN and YubiKeyPIN (111111) + YubiKey (cbdefghijklnrtuv)111111cbdefghijklnrtuv
RadiusRadius Password (123456)123456
Radius and Two-Step AuthenticationRadius Password (111111) + OTP (222222)111111222222