If you've got a SonicWall Secure Mobile Access Device (SMA) you should seriously consider activating Multi-Factor Authentication on it.
SonicWall announced on January 22nd that there's a new zero-day vulnerability affecting their SMA 100 Series. The 100 Series includes:
- SMA 200
- SMA 210
- SMA 400
- SMA 410
- SMA 500v (Virtual)
The SMA 100 series are access management gateway solutions for small and medium-sized businesses. They allow an organizations to provide browser-based and VPN-based access to remote employees, something that's incredibly important considering the current pandemic related work from home mandate.
It's not quite clear as to what the vulnerability is, or who's been exploiting it. SonicWall hasn't publicized that information.
How do you enable Multi-Factor Authentication on a 100 Series SMA?
There is a Support/Knowledge Database article on SonicWall's website (read here) but I've copied it below for convenience:
The Time-Based One Time Password is a multi-factor authentication scheme that enabled third party integration to generate secure time-based OTP via third party authentication Apps such as Google authenticator, Microsoft authenticator, Duo, Free-OTP, etc.
In this article, we will see how to configure TOTP in SMA 100 series in a domain level and how to use Google Authenticator App and Microsoft authenticator App to bind and get TOTP. TOTP is introduced in SMA 100 series starting from firmware 184.108.40.206-9sv.
TOTP is an alternative to traditional two-factor authentication methods. TOTP passwords keep on changing and are valid for only short window in time, because of which TOTP is considered more secure OTP solution.
NOTE: In-order to use TOTP, please make sure the firmware on appliance is 9.0 or above.
TIP: For configuration on User Discretion level to have both Email OTP and TOTP Mobile App for user, Click here
Configuration on SMA appliance:
- Navigate to Portals |Domains. Add / Edit an existing domain and enable One-Time Passwords. Select Use Mobile App.
NOTE: OTP cannot be enabled for default LocalDomain. Please create new domain to have OTP / TOTP enabled.
- Click Accept.
- Now, all users who are part of this domain will be enforced to enter TOTP.
How to use Google Authenticator App
- First time, when user logs in they have to bind with Google Authenticator App. Post entering their username & password, they will be prompted with below screen.
- Only for first time login, they have to click bind. Clicking on bind link will display below screen.
- Open Google Authenticator App.
- Begin Setup.
- Scan barcode and scan the barcode shown on the Virtual Office portal. Once barcode is scanned, App binding is done and the App will now show the Code. The code will expire every 30 seconds and new code will be shown.
- Enter the code in the Virtual office portal Code section and click Login. You will now be logged in to the portal.
- Once logged in to portal, user have options to unbind the App and he can bind new one upon next login. They can also generate backup codes which can be used when they do not have access to their binded App to generate TOTP. Each backup code can be used only once and they do not expire. User must store them in a safe place.
- Generate Backup codes will download a txt file containing 8 backup codes.
How to use Microsoft Authenticator App
The only difference between Google Authenticator App and Microsoft Authenticator App is their GUI. The functionality remains same on both. First time, when user logs in they have to bind with Microsoft Authenticator App. Post entering their username & password, they have to click bind for the first time.
- Now, use Microsoft Authenticator App.
- Tap on Add account.
- Select Work or school account here. Allow Camera access for your App and scan the barcode from Virtual Office page. The account will be added and TOTP will be shown as below.
- Enter the TOTP and you will be logged in to the portal.
Retrieved on January 27th, 2021
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.