One-time passwords (OTPs) can be processed on Web Gateway to authenticate users. This includes the use of passwords for authorized overriding when a web session has terminated due to quota expiration.
When a user sends a request for web access, authentication is first performed using one of the other authentication methods that are available on Web Gateway, for example, authentication based on information stored in the internal user database.
If the use of one-time passwords is configured, this authentication method is performed as a second step. Web Gateway informs the user that a one-time password is also needed for web access and upon the user's request for such a password, it forwards the user name to a Skyhigh Security One Time Password (OTP) server and asks the server to provide a password.
If the request is granted, the Skyhigh Security OTP server returns a one-time password, which is, however, not exposed to Web Gateway. In its response, the OTP server also includes what is called "context" information in a header field.
The context information lets the password field and submit button in the page that was presented to the user be activated, so the user can click the button, which submits the one-time password and lets the user access the requested web object.
To implement the use of one-time passwords on Web Gateway, you can import a rule set from the rule set library. After importing the rule set, default settings are provided, which you can configure to adapt them to the needs of your network.
The settings that need to be configured include the IP address or host name of the OTP server and the port on this server that listens to requests from Web Gateway.
A user name and password for Web Gateway to authenticate to the OTP server are also required.
If the communication between Web Gateway and the OTP server should be SSL-secured, you need to import a certificate for use in this communication.
The OTP server must be configured for working with Web Gateway to handle the authentication process.
One-time passwords for authorized overriding
When quota restrictions are imposed on web usage from within your network, a one-time password can be used as the password that is required to override the termination of a web session due to quota expiration.
To implement the use of one-time passwords for authorized overriding, you can import a different rule set from the library, which also allows you to configure the settings for the authentication process.
Using one-time passwords from a Pledge device
One-time passwords for authenticating users or performing an authorized override can be provided by a Skyhigh Security Pledge device.
To enable this method of using one-time passwords for the authentication process, you need to implement suitable rule sets, which you can import from the rule set library. Settings for the authentication process are implemented with the import.
For more information on working with a Skyhigh Security Pledge device, refer to the documentation for this product.