Preface
In the current digital age, cybersecurity has become a very important topic. As more people and organizations rely on computer systems to do their jobs and store sensitive information, keeping authentication secure has become critical. Two-factor authentication (2FA) is a powerful security measure that adds another layer of protection beyond the traditional username and password.
Tool introduction
MultiOTP is an open source project that provides a set of PHP classes and tools for implementing two-factor authentication (2FA). MultiOTP supports time-based one-time passwords (TOTP) and counter-based one-time passwords (HOTP).
This project allows you to build a local strong authentication server to authenticate users and works with OTP generators on mobile devices such as Microsoft Authenticator or Google Authenticator. MultiOTP increases the security of the login process by generating one-time passwords.
Unlike commercial two-factor authentication tools, MultiOTP is free and can run offline without internet access. This enables you to configure and use MultiOTP in an environment without network connectivity, providing higher security for the system.
MultiOTP can be used in a variety of scenarios, including Windows login and remote desktop access, by enabling two-factor authentication for these scenarios to ensure that only authenticated users can access the system. MultiOTP features flexible configuration options and an easy-to-use interface, allowing you to easily integrate and manage two-factor authentication.
GitHub address: https://github.com/multiOTP/multiotp
Implementation
Server side
Prerequisite
- A working Docker environment (set one up first if you do not already have one)
- A Windows domain environment
1. Start MultiOTP
docker run --name multiotp \
  --restart always \
  -v /multiotp/multiotp/data:/etc/multiotp \
  -v /multiotp/freeradius/config:/etc/freeradius \
  -v /multiotp/log/multiotp:/var/log/multiotp \
  -v /multiotp/log/freeradius:/var/log/freeradius \
  -p 8080:80 \
  -p 8443:443 \
  -p 1812:1812/udp \
  -p 1813:1813/udp \
  -d multiotp/multiotp-open-source
When running the above Docker command, the meaning of each parameter is as follows:
- --name multiotp: Names the container multiotp.
- --restart always: Makes Docker restart the container automatically if it fails or the Docker host is rebooted.
- -v /multiotp/multiotp/data:/etc/multiotp: Mounts the host directory /multiotp/multiotp/data at /etc/multiotp in the container; it persistently stores the MultiOTP configuration data.
- -v /multiotp/freeradius/config:/etc/freeradius: Mounts the host directory /multiotp/freeradius/config at /etc/freeradius in the container; it persistently stores the FreeRADIUS configuration data.
- -v /multiotp/log/multiotp:/var/log/multiotp: Mounts the host directory /multiotp/log/multiotp at /var/log/multiotp in the container; it persistently stores the MultiOTP logs.
- -v /multiotp/log/freeradius:/var/log/freeradius: Mounts the host directory /multiotp/log/freeradius at /var/log/freeradius in the container; it persistently stores the FreeRADIUS logs.
- -p 8080:80: Maps port 8080 on the host to port 80 in the container, which serves the MultiOTP web interface.
- -p 8443:443: Maps port 8443 on the host to port 443 in the container, which serves the MultiOTP web interface over HTTPS.
- -p 1812:1812/udp: Maps UDP port 1812 on the host to UDP port 1812 in the container, on which FreeRADIUS receives authentication requests.
- -p 1813:1813/udp: Maps UDP port 1813 on the host to UDP port 1813 in the container, on which FreeRADIUS receives accounting requests.
- -d: Runs the container in detached (background) mode.
- multiotp/multiotp-open-source: The name and tag of the Docker image to run; this is the official MultiOTP open source image.
With these parameters the MultiOTP container runs in the background, restarts automatically, and keeps its configuration and logs on persistent host storage.
2. Enter the multiotp container in interactive mode
docker exec -it multiotp bash
3. Use the following commands to configure the MultiOTP LDAP settings so that it pulls the specified users from Active Directory.
multiotp -config default-request-prefix-pin=0
multiotp -config default-request-ldap-pwd=0
multiotp -config ldap-server-type=1
multiotp -config ldap-cn-identifier="sAMAccountName"
multiotp -config ldap-group-cn-identifier="sAMAccountName"
multiotp -config ldap-group-attribute="memberOf"
multiotp -config ldap-ssl=0
multiotp -config ldap-port=389
# Domain controller IP address:
multiotp -config ldap-domain-controllers=SH-DC-03.test.com,ldap://192.168.1.4:389
multiotp -config ldap-base-dn="DC=test,DC=com"
# Account for multiOTP authentication in AD:
multiotp -config ldap-bind-dn="CN=Multiotp,OU=Administrators,DC=test,DC=com"
multiotp -config ldap-server-password="Test@1013"
# Group of users you want to enable OTP for:
multiotp -config ldap-in-group="MultiOTPGroup"
multiotp -config ldap-network-timeout=10
multiotp -config ldap-time-limit=30
multiotp -config ldap-activated=1
# Key to access a MultiOTP server:
multiotp -config server_secret=dGx9cn5qeFV7fFJ5RGRcGd4^C
4. Synchronize users to MultiOTP
The MultiOTPGroup group was created beforehand and one user was added to it. Now synchronize the Active Directory users into multiOTP:
multiotp -debug -display-log -ldap-users-sync
Configure MultiOTP two-factor authentication for domain users
1. Log in to the MultiOTP web interface (http://IP:8080/) using the default credentials (username: admin, password: 1234).
It is recommended that you change the default credentials.
2. In the “List of users” section you can see the previously synchronized domain users (source [AD/LDAP]). Select a user and click the “Print” button in front of it; this shows the user's QR code for enrolling the account in the authenticator app.
3. Install Microsoft Authenticator (or Google Authenticator) on your phone. Open the app and scan the user’s QR code.
Client
The next step is to install the multiOTP-CredentialProvider on the Windows computer where you want to enable two-factor authentication with multiOTP. multiOTP-CredentialProvider can be installed on Windows 7/8/8.1/10/11 and Windows Server 2012(R2)/2016/2019/2022.
1. Download multiOTP CredentialProvider from GitHub (reaching GitHub may require a little magic):
https://github.com/multiOTP/multiOTPCredentialProvider/releases
The latest version is 5.9.6.1.
2. During the installation, enter the server address and the previously configured server_secret.
3. Select the options on the next two pages according to your needs.
Final effect
After the installation is complete, restart the computer. The resulting login screen looks like this:
Although the test was successful, some problems remain to be solved and other functions still need to be configured and improved.