Google Authenticator Support

PortalGuard can leverage the Google Authenticator as one of its OTP validation options. The Google Authenticator is a stand-alone Time-based OTP generator for iOS, Android and BlackBerry. It is a very popular OTP option due to the following benefits:

1) There is no “per use” cost, unlike third-party SMS or voice calls

2) Users do not need a cell phone signal to generate OTPs (just a charged phone)

3) The user does not need to wait for anything to arrive – the OTPs are constantly generated when the app is running

Here are its requirements and limitations:

  • The app must be downloaded from the appropriate app store by your users
  • The Google Authenticator can only be enrolled by end-users from the PortalGuard Account Management page. It cannot be enrolled during a login to PortalGuard.
  • It cannot be batch imported by administrators
  • Only a single phone can be enrolled at a time per user

Server Setup

1) Install Microsoft .NET version 3.5 on the PortalGuard server. PortalGuard’s base functionality can run on .NET version 2.0, but 3.5 is required to dynamically generate QR codes.

2) Launch the PortalGuard Configuration Editor and click the Edit Bootstrap button.

3) On the Policies tab, click the Generate CA button in the “PortalGuard Certificate Authority” section. If this button is disabled/greyed out, then it simply means you have already generated the CA and can skip to step 5 below.

4) Click OK to close the “Successfully generated Root CA” dialog, then click the “Save” button to commit the change and update the bootstrap settings.

5) Still in the Configuration Editor, open the “Security Policies” tab and double click on the policy for which you would like to enable the mobile authenticator.

6) Under the Auth Methods -> Mobile tab, ensure the “Allow Mobile Authenticator Generated TOTPs” box is checked. You should change the default “Description Template” to match your company or school and can optionally allow end-users to modify the description.

NOTE: The mobile authenticator app can generate OTPs for multiple websites. The description allows the user to identify the proper entry.

7) In the Actions tab, choose the sub-tab for which you would like to allow use of the mobile authenticator. For example, to allow its use for password resets, choose the PW Reset sub-tab and check the “Mobile Authenticator” box in the “Accepted OTP Methods” section.

8) Save the changes to the PortalGuard security policy.

End-User Setup

1) The user must log in to the PortalGuard Account Management page. This should always be accessible at:

http[s]://YOUR.PORTALGUARD.SERVER/default.aspx

2) After logging in, they must click the Multi-Factor Settings & Devices tab.

3) Under the Mobile Authenticator section, they must click the “Enable mobile authenticator” link.

NOTE: There may be other sections above it based on enabled features in PortalGuard.

4) They should choose their phone type from the drop-down menu that appears. If they are using a Windows Phone, they can choose “Android”. If you allowed them to modify the description, an editable field will appear below the drop-down. Click Continue when finished with this dialog.

5) A QR code should display – this contains encoded information that is too cumbersome for users to enter manually. The user should launch Google Authenticator, choose the option to set up an account, and choose to scan a barcode. This should allow them to take a picture of the QR code with their phone’s camera.

6) Once the code has been properly processed by the app, it should immediately begin generating OTPs. To confirm the shared secret has been received by the phone, the user must enter an OTP into their browser. The “One-Time Password” field is located under the QR code.

7) The user should receive a confirmation message that the process has been successfully completed. The Account Management page should now show details such as when the feature was enabled and the description for the entry on their phone.

Disabling the Mobile Authenticator

If the user’s phone is lost, your Help Desk can easily clear the mobile app data on the PortalGuard server using the PortalGuard Help Desk Manager (choose the “Mobile Authenticator Data” field). OTPs generated by the lost phone will immediately be treated as invalid.

The end-user can also click the “Disable mobile authenticator” link in the Account Management page at any time to clear PortalGuard’s copy of the data as well. If the user has their phone, they can delete the entry from within the mobile app by long-pressing the entry and choosing the option to remove the account.

Troubleshooting

Problem 1: Users only see a “broken image” or “image placeholder” when attempting to register from the Account Management page:

Solution 1: On the PortalGuard server, install Microsoft’s .NET Framework 3.5 or later and then run “iisreset” from an administrative command prompt. This version of .NET is required by PortalGuard to generate QR codes.

Problem 2: Users see error 1122 when attempting to register from the Account Management page:

Solution 2: Open the bootstrap configuration in PG_Config.exe and ensure you have generated the CA Certificate. If you have already done this, run “iisreset” on the PortalGuard server.