One of my goals before the end of the year is to protect my online accounts with multi-factor authentication. I’ve been protecting many of my identities with TOTP. TOTP is a great way to add multi-factor authentication to our identity. It adds the “something I have” to the “something I know”.
However, I’m now running into a major user experience issue with TOTP.
I’ve got too many tokens!!!
When I try to authenticate to one of these providers, I have to load the authenticator app and find the right code before typing it in. This was easy when I only had 1 or 2 codes; but, as I started using TOTP for many of my accounts to improve authentication security, things quickly got out of hand.
This is why Push authentication is better. It removes the burden from the user for entering the code.
First, push authentication is similar to TOTP and OTP. All three use the same underlying technology, a pre-shared key applied to the current time to generate a time-limited token, but there is a slight difference in how the code gets to the user and how the user handles it:
- OTP: Sends code via SMS or email
- TOTP: User enters code from local device
- Push: The system sends a notification to the device, which the user approves
From a conceptual architecture perspective for Citrix Virtual Apps and Desktops, we have something like the following:
- The user connects to Citrix Gateway and authenticates with their Active Directory credentials.
- Active Directory stores the user’s mobile device information and TOTP key.
- Gateway sends this information to the Gateway Service, running within the Citrix Cloud.
- Gateway Service uses the notification micro-service to send the push notification to the mobile device.
- The user gets a notification on the mobile device and selects Allow/Deny. That information is sent directly to the on-prem Gateway, which completes authentication.
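The following is an added example, not code from the post and not Citrix's protocol: a minimal model of the Allow/Deny exchange in the flow above, written to show the checks the gateway side needs regardless of vendor. The gateway keeps a pending login keyed by a random transaction id with a short lifetime (the 60-second timeout is an assumed value; the post gives none), hands that id to a stand-in for the notification micro-service, and later accepts a device's answer only if the id is one it issued, comes from the device it was sent to, has not already been answered, and has not expired. The clock is injectable so the expiry path can be exercised without waiting.

```python
"""Added example: push-approval bookkeeping on the gateway side (hypothetical model)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

PUSH_TIMEOUT_SECONDS = 60  # assumed value for this model; the post states no figure


@dataclass
class PendingLogin:
    user: str
    device_id: str
    created_at: float
    answered: bool = False


class PushGateway:
    """Tracks outstanding push challenges and validates the device's answer."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.pending: Dict[str, PendingLogin] = {}
        # Stand-in for the notification micro-service: records what would be sent.
        self.notifications: List[dict] = []

    def start_login(self, user: str, device_id: str) -> str:
        """Primary credentials were already checked; now issue a one-time
        transaction id and push it to the user's enrolled device."""
        tx = secrets.token_urlsafe(16)          # unguessable, so answers can't be forged by id
        self.pending[tx] = PendingLogin(user, device_id, self.clock())
        self.notifications.append({"to": device_id, "tx": tx, "user": user})
        return tx

    def handle_response(self, tx: str, device_id: str, allow: bool) -> str:
        """Process an Allow/Deny answer. Every failure path is distinguishable
        so it can be logged and alerted on separately."""
        req = self.pending.get(tx)
        if req is None:
            return "unknown"                    # id never issued (or already purged)
        if req.device_id != device_id:
            return "wrong-device"               # answer must come from the enrolled device
        if req.answered:
            return "replay"                     # an answer is accepted exactly once
        req.answered = True
        if self.clock() - req.created_at > PUSH_TIMEOUT_SECONDS:
            return "expired"                    # stale approvals are never honoured
        return "approved" if allow else "denied"

    def purge_expired(self) -> int:
        """Housekeeping: drop answered or timed-out entries; returns how many."""
        now = self.clock()
        stale = [tx for tx, r in self.pending.items()
                 if r.answered or now - r.created_at > PUSH_TIMEOUT_SECONDS]
        for tx in stale:
            del self.pending[tx]
        return len(stale)


if __name__ == "__main__":
    gw = PushGateway()
    tx = gw.start_login("alice", "phone-1")
    print("notification:", gw.notifications[-1])
    print("device answers Allow:", gw.handle_response(tx, "phone-1", True))
    print("same answer again:", gw.handle_response(tx, "phone-1", True))
```

The distinct return values are deliberate: a burst of `unknown` or `wrong-device` results, or a user who keeps receiving pushes they did not initiate and denies them, is exactly the signal a monitoring team wants from a push deployment.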
One question I get with this type of deployment is the cost of using Gateway Service and the notification micro-service. The answer is that there is no cost; an admin just needs to create a (free) cloud.com account.
If we want to extend Push authentication to Citrix Workspace, we can use the same architecture, except that we configure Citrix Workspace to use an on-prem Gateway as its identity provider.
To set up push authentication, we need to use advanced authentication policies within Citrix Gateway. This involves creating an authentication flow (nFactor) in which one branch lets users manage their token/device and another branch authenticates them with Push.
To see push in action for a Citrix environment, take a look at the following video:
Daniel (Follow on Twitter @djfeller)