OATH Event, Time and Challenge-based
MFA-VPN Server (The VPN server with OTP and FIDO-U2F)
RCDevs MFA-VPN is an Enterprise-grade VPN appliance designed for companies needing remote access to corporate networks and resources. It is built on top of the very robust OpenVPN server technology and provides an extremely secure remote access gateway for your Active Directory or LDAP users, with pre-included multi-factor features like mobile Push login or Universal Second Factor (U2F). MFA-VPN relies on your WebADM/OpenOTP Identity Management platform and also supports any MFA login methods provided by the OpenOTP server.
The RCDevs MFA-VPN client is provided for both Windows and MacOSX. Enabling VPN access for users has never been so easy: simply create an access group in Active Directory and a dedicated Client access policy, and you’re done.
MFA-VPN is the first remote access appliance to support the FIDO-U2F standard! As such, MFA-VPN can optionally authenticate users with Yubikey FIDO or Feitian USB devices. By combining the OpenOTP flexible OTP methods and FIDO-U2F, MFA-VPN is also the world’s most advanced VPN server in terms of strong authentication features.
RCDevs recommends Sparklabs’ Viscosity for the VPN client. The latest version of Viscosity for Windows and MacOS has been enhanced by RCDevs and Sparklabs in order to support smooth One-Tap Push OTP and U2F. Please contact RCDevs for a bundled offer.
OpenOTP MFA-VPN provides Two-Factor authentication with most OpenOTP One-Time Password methods:
TWO OPENVPN INTEGRATION OPTIONS
You may already use OpenVPN in your infrastructure, or you may need a new VPN server. RCDevs aims to respond to your requirements as closely as possible and provides two deployment options for MFA-VPN.
- Option 1: You need a new VPN server.
The MFA-VPN product is an Enterprise VPN server including the OpenVPN technology and RCDevs’ own MFA components. It is provided via Linux installation packages or a Virtual appliance.
- Option 2: You already use an OpenVPN server.
RCDevs OpenVPN Bridge is a companion software service for OpenVPN which provides the MFA components needed to interact with the OpenOTP back-end.
The World’s first FIDO Enterprise VPN Server
MFA-VPN is a unique VPN server as it supports both OTP and U2F multi-factor technologies. FIDO-U2F is gaining in popularity because it provides a much richer user experience by relying on devices which do not require an OTP code display like the one on OATH token devices. Instead, the user device starts blinking when establishing the VPN connection and the user just needs to press the device. Currently RCDevs supports USB U2F devices from Yubico and Feitian. MFA-VPN will support Bluetooth devices in future versions.
Mobile Push with Simple Approve/Deny
MFA-VPN supports OpenOTP’s Simple Push feature where the user’s mobile phone is activated on-the-fly when the user starts the VPN connection. The VPN login transaction is displayed on the mobile phone and the user just needs to press ‘Approve’ to authenticate the remote connection. RCDevs mobile Push can be combined with other OpenOTP authentication methods like SMS or Hardware Token for fallback mechanisms.
Graphical Access Policies with WebADM
Defining your remote access policies has never been so simple: create access groups and client policies in RCDevs WebADM and your VPN server will implement user access with an unbeatable level of flexibility. WebADM client policies support group, domain, time and even geolocation-based access control. The WebADM audit provides full user activity reports with geolocation information.
MAIN KEY FEATURES
LDAP integrations support most OpenOTP features
- 100% compatible with LDAP client applications
- Robust implementation built with OpenLDAP
- Distinguishes systems accounts and user accounts (OTP)
- LDAP+OTP is supported with password concatenation
- Transparently proxies LDAP requests to the LDAP back-end
- Authentication policies per client application or group of users
- Bridges all the OpenOTP functionalities (Tokens, Yubikey, SMSOTP, MailOTP…)
- Standalone service with no additional OpenOTP configuration required
- High performance with hundreds of requests per second
- Cluster support with multiple bridges for HA