Multi-Factor Authentication (MFA/2FA)
Last updated
Last updated
Defguard supports Multi-Factor Authentication for WireGuard with TOTP & Email codes and after that with session keys based on Wireguard Pre-Shared Keys (PSK). For more details about this please refer to the architecture section.
MFA requires:
defguard core >= v0.9.0
defguard proxy >= v0.3.0
desktop client >= 0.2.0
Enabling MFA for a desired VPN Location is done by:
going into defguard to VPN Overview
selecting the VPN Location from the dropdown list, and pressing the Edit Location button in the top right corner of the page
check the "Require MFA for this Location" checkbox under the Location Configuration section
set Peer disconnect threshold we recommend it to be min. 300 (5 min) - see chapter below.
and save changes.
When MFA is enabled on a location defguard periodically (currently every 1 minute) checks statistics if a client is connected and if the period of inactivity (defined in Peer disconnect threshold option) is met, a client is disconnected.
Thus the gateway needs to be configured to send statistics in that period.
We recommend to set:
gateway to send statistics every 30sec
Peer disconnect threshold we recommend it to be min. 300 (5 min)
When MFA configuration is changed, all clients must do an Instance Update.
If a VPN has MFA enabled, before connecting you will be asked to complete the authentication step first:
For now, MFA is only available with the following methods:
Email - requires SMTP to be configured
Please remember to configure TOTP on you user account and/or SMTP settings for MFA on the desktop client to work..
After enabling MFA for a given VPN, users will need to enable MFA for their accounts to be able to connect. This process is described in Setting up 2FA/MFA. For simplicity & security, the desktop client uses the same MFA methods as the defguard server.
An error message will be shown if users attempt to select a MFA method that has not been enabled for their accounts:
If authentication succeeds, the Two-factor authentication modal will be closed and connection to the selected VPN will be attempted. Users will be asked to authenticate on every connection to a VPN with MFA enabled.