CNS Two-Factor Authentication How-To Guide
Posted by Barry Bahrami on 06 November 2013 02:27 PM

2FA is included free in all CNS subscriptions.  It is also available as a subscription service starting at US$2/month or US$6/year.  Use the coupon code 2FA1MONTH for a free one month trial (signup for the monthly subscription).

Summary

Getting Started

Configuring Additional Client Area Users

Installing the CNS 2FA Client Software in Windows

Entering the License Key (not required for VM's hosted by CNS)

Mapping CNS Account Contacts to Windows Users

Upgrading the CNS 2FA 2.0 Client (SMS only) to 2.5

Logging into a 2FA Protected CNS VPS

Logging into a 2FA Protected CNS Client Area

Uninstalling 2FA

 
 Summary

CNS Two-Factor Authentication (2FA) is a system where two different factors are used to authenticate a system login. Using two factors as opposed to one delivers a higher level of security when authenticating to your machine. The CNS 2FA solution combines something you have - your mobile device (phone or tablet) - with something you know - your VPS Administrator password. This can be compared to using an ATM card to withdrawal funds where you are required to have both the card and the PIN to complete a transaction, though in that example your PIN may never change.

Previous versions of CNS 2FA were only available with CNS VPS subscriptions and required a One-Time PIN code be sent to the subscriber by SMS.  Due to the variety of mobile providers worldwide and the different methods they use to process SMS messages, SMS PIN's could sometimes be delayed by several minutes.

With the release of CNS 2FA v2.5, CNS is introducing software tokens for mobile devices.  The software displays a changing code on the mobile device, which only needs to be added to the end of the password at login.  This avoids the need to wait for an SMS.  For subscribers without a modern iOS, Android, or Windows mobile device- SMS codes are still supported as detailed in the "Logging into a 2FA Protected VM" section below.  Note: The ability to receive the one-time PIN by email is no longer supported because of security risks (email accounts are often hacked before any other services the user may subscribe to).

2FA renders key loggers ineffective because the PIN code changes every 30 seconds- for token generated PINs and 5 minutes- for PINs sent by SMS (can only be used one time).  A stolen password is only 1/2 the information needed to login - the attacker must also have your mobile device in their hand to read the PIN code and enter it.  Brute force hacks are out of the question.

We strongly recommend this free service to all subscribers.  To date, CNS has not seen a single 2FA protected VPS hacked.  CNS is taking security even further by extending the 2FA service to protect CNS Client Area logins.

CNS Two-Factor Authentication (2FA) is compatible with any hosted Windows server, and has been tested on Windows 2003 R2, Windows 2008 R2, and Windows 2012.  It is available free with every CNS VPS subscription, and as an individual subscription service to protect Windows logins.  2FA subscribers should note that the service requires an active Internet connection to reach our authentication servers.  While 2FA is compatible with client OS's, like Windows 7, 8, etc., extra care must be taken to ensure that Internet access is Always available to your machine for 2FA to function properly.

 

Getting Started

In 2FA releases prior to v2.5, authorized users had to be setup individually in each VM subscription and the CNS Client Area was unprotected by 2FA.  This opened a potential security hole because an unauthorized hacker could theoretically login to the CNS Client Area and disable 2FA before subsequently logging into the (formerly) 2FA protected VM.  This is a real threat if the same CNS subscriber account password was also used on other sites by the CNS subscriber.  CNS 2FA v2.5 extends protection to the CNS Client Area, where authorized users in the 2FA protected OS/VM are actually registered as account contacts.  After registering all authorized users, they only need to be mapped to Windows User accounts in the VM/2FA subscription details (in the CNS Client Area).  If no users are mapped in the subscription details then all Windows Users will default to the registered CNS account owner for two-factor authentication.  If you do not want the authorized VM users to have access to your CNS Client Area, simply register them but do not grant any permissions.  This will enable those users to login to the CNS Client Area to register/manage their mobile device, and nothing else.

If you intend to use the software token then you should first install Google Authenticator in your mobile device.  This can be easily installed from the app store for your device. (Play Store, App Store, Etc.)  We also recommend that the barcode scanner is installed (it may be an optional/recommended install).  Installing the barcode scanner will enable you to register the mobile device by simply pointing the camera at a QR code on the screen to read the configuration.  Google Authenticator is available for many platforms, including Android & iOS.

* Some subscribers may not be able to install Google Authenticator. Apps like Authy (available for Android & iOS) can be used to receive your codes for CNS 2FA and other popular services as well.  OTP Authenticator is based off of the Google Authenticator source and behaves almost identically: https://kuix.de/android/otp-authenticator/ (you may need to enable installing apps not from the play store to perform the install)

The first step is to login to your CNS Client Area and click "My Details" at the top of the screen.
 Then click "Change Security Question" and complete the form.  This is important in case you lose your mobile device and require CNS Support assistance to regain access - it may help you get logged back in faster.  
Next, click "Two-factor Authentication". 

You will be directed to a page prompting for your SMS phone number.  In this box, enter the country code + mobile number.  For example, the country code for the US is +1.   If the phone number of this device is (619) 555-1214 then the number to be entered will be 16195551214, etc..

After entering your mobile device phone number, click the button to Enable Two-Factor Authentication.

 

 

Within a few seconds, you should receive a confirmation SMS notifying you that 2FA has been setup on your account - DO NOT LEAVE THE PAGE YET

 

The next page will look similar to the graphic at the right.

Open Google Authenticator on your mobile device and click the menu item to setup an account.  You will be offered two ways to do that, either scanning the barcode or entering a provided key.  By far, the easiest way to register the device is to scan the barcode.  If a manual key needs to be entered, it is displayed below the QR code, as shown in the graphic to the right.

If you did not receive the SMS confirmation then try clicking the button to disable 2FA and start the process over again with a corrected phone number.  SMS delivery should be operational worldwide, however depending on your mobile provider the time required to receive the message could be several minutes.

If you are unable to receive the SMS and experience trouble registering your mobile device in Google Authenticator, click "Disable Two-factor Authentication" before leaving the page.

Please open a support ticket if you require additional assistance.

 
 

 

Configuring Additional CNS Client Area Users

To add CNS Client Area account contacts, click "My Details" in the yellow navigation area.  Then click, "Contacts/Sub-Accounts".  Select the "Add New Contact" drop-down item and be sure to check "Tick to configure as a sub-account with client area access".

Grant the necessary permissions, if desired, and save.  The new account contact should then login to the CNS Client Area under their newly created account and register a mobile device, as detailed in the section "Getting Started" (above).

Please see the section "Mapping CNS Account Contacts to Windows Users" (below) for information about linking Windows logins with registered 2FA users.

 

Installing the CNS 2FA Client Software in Windows

NOTE: If you are upgrading a CNS VPS already protected with the previous 2FA v2.0 software (SMS only), you must first complete the section "Upgrading from the CNS 2FA 2.0 Client" before instalilng the software.

The CNS 2FA Client Software is required to be installed in the 2FA protected machine.  If you ordered a new CNS VPS on/after November 13, 2013 and selected to install 2FA at that time then the software is already installed for you.  Otherwise, simply download the client software (available at the bottom of this KB article) and install it into the Windows OS that is intended to be protected by 2FA.  Note:  All CNS software downloads are always digitally signed for your protection.  It is good practice - for any software you may download - to save it and then right-click on the file and select "properties".  You should see a digital signature tab with the certificate details.  If you do not see a digital signature tab, or if the digital signature reflects as invalid, then consider the software to be suspect, as it may be infected with malicious software.

If the OS being protected by 2FA is a CNS VPS then skip to the section titled "Mapping CNS Account Contacts to Windows Users".  If the OS being protected is not hosted by CNS, you must next enter a license key into the client software.

 

Entering the License Key

This step is not required if the VPS being protected by 2FA is hosted by CNS because CNS Two-Factor Authentication is included free with every CNS VPS subscription.  A license key is only required for CNS 2FA software subscriptions in order to secure servers not hosted by CNS.  A separate license is required for each Windows OS to be protected by 2FA.  There is no limit to the number of authorized users.

The license key can be obtained from the CNS Client Area by clicking "My Products & Services" then the "View Details" button next to the CNS 2FA software subscription.  The license key begins with "CNS-2FA".

In the Windows OS being protected by 2FA, click Start-> Programs-> CNS Two-factor Authentication-> Licensing, and enter the license key.

NOTE:  If you later decide to uninstall 2FA from this computer and move it to another computer, you should return to the CNS Client Area and click "Reissue License".  The license key will remain the same.  This simply "unglues" the license from the existing machine so the next machine that authenticates the license can claim it.

 

Mapping CNS Account Contacts to Windows Users

"Mapping" is a term used to link Windows users in a 2FA protected Windows OS to a registered user in the CNS Client Area.  If the registered CNS Account owner is the only authorized user in a 2FA protected VM then this section can be safely ignored.  By default, all Windows users are mapped to the CNS Subscriber Account owner's 2FA token. 

In order to map additional users, it is first necessary to register them as additional account contacts in the CNS Client Area, so they can register and manage their mobile device. In cases where account contacts should not have access to a 2FA secured server, all that is required is to do nothing - do not map those contacts to Windows users. 

In order to map users, you must first register your users as CNS Client Area contacts (see "Configuring Additional CNS Client Area Users", above). 

To access the mapping table, click "My Products & Services"-> "View Details" next to the VM or 2FA subscription.  You may need to scroll down to find the mapping table, which will look something like the table on the right.

Select the registered CNS Client Area contact in the drop-down box and then enter the associated Windows user name, such as Administrator.  The Windows user name is the user name the user logs into the 2FA protected OS as.  Then click "ADD MAPPING".  Changes are registered instantly.

 

Upgrading from the CNS 2FA 2.0 Client

 

If you are upgrading a VM hosted by CNS with the older CNS 2FA v2.0 client (SMS only) then it is necessary to first uninstall the software from the VM before proceeding to install the new CNS 2FA v2.5 client.

2008/2012:  In the VPS, select Start-> Control Panel-> Programs and Features

Select "CNS Two-factor Authentication Client" and then click on "Uninstall".  Confirm to remove pGina 2 and all plugins, and then click "Uninstall".  DO NOT REBOOT (YET)

Proceed to install the CNS 2FA v2.5 Client Software.  A reboot is required after installing the new CNS 2FA v2.5 client software.

 

2003:  In the VPS, select Start-> Control Panel-> Add/Remove Programs

Select "CNS Two-factor Authentication Client" and then click on "Uninstall".  Confirm to remove pGina 2 and all plugins, and then click "Uninstall".  DO NOT REBOOT (YET)

Proceed to install the CNS 2FA v2.5 Client Software.  A reboot is required after installing the new CNS 2FA v2.5 client software.

  

Logging into a 2FA Protected VM

Logging into a 2FA protected VM requires a changing code is entered after the password and while the 2FA remote desktop screen is displayed.  When a RDP session is first established, the user may receive a normal RDP popup on their remote PC which is prompting for the Windows user name and password.  This first step only requires the regular Windows user name and password, without the 2FA code.

After successfully completing this step, a Windows login will be displayed *in a remote desktop window*.  Here, all that is required is to login with the Windows user name (typically Administrator) and the password, immediately followed by the changing code displayed on the software token.

For example, if the Windows user logging in is "Administrator", the password is "password", and the changing code on the software token is "123456" then the following should be entered:

 

User:  Administrator

Password:  password123456

 

If you do not have the software token installed, or require a one-time SMS code, enter only "sms" in the password field.  A one-time SMS code will be sent to you which is valid for five minutes only.  Complete the process again and use the code received by SMS as your token code.

 

Logging into the a 2FA protected CNS Client Area

To login to the CNS Client Area with 2FA activated, simply login with your regular user name (email address) and password.  A second screen will appear for the 2FA code displayed on your mobile device.  There is also a link on that second page to send a one-time SMS code, which will only be valid for 5 minutes after it is requested.

 

Uninstalling 2FA

Uninstalling the software client from the OS will remove 2FA protection from the windows OS.  It will not remove 2FA protection from the CNS Client Area.  To do that, you should return to the CNS Client Area and click "My Details" and then "Two-Factor Authentication".  Then, click the button to disable 2FA.

To uninstall the 2FA software from the Windows OS, go into Add/Remove Programs and uninstall the software titled "CNS Two-factor Authentication".  A reboot should not be required.

To deactivate 2FA from your CNS account, return to the "My Details" page in the CNS Client Area and click the two-factor authentication link.  You will find a button to deactivate it.

 



Attachments 
 
 cns2fa_setup_v2.5.3.1.8.0.exe (1.56 MB)
(6 vote(s))
Helpful
Not helpful

Comments (0)
Post a new comment
 
 
Full Name:
Email:
Comments:
© 2016 Commercial Network Services. All rights reserved.
No content may be reproduced or redistributed without express written permission on CNS letterhead.
Only Commercial Network Services subscribers are authorized to use our content during their subscription period.
Permission to use our content may be revoked at any time, and at the sole discretion of Commercial Network Services.
Some content on this site is © by their respective owners.