2-factor code via SMS iRule

Question

We have a need for 2-factor auth on some of our external services, and are looking at alternatives to the current SecurID setup. Would it be possible to have an iiRule to generate a random code, send out via SMS provider, and wait for the user to receive the code on his mobile phone, enter as part of the APM login and compare the codes for accept/deny. Thanks for any feedback!

Jon Ole

hoolio · Answer

Hi Jon, 
&nbsp;  
&nbsp; There isn't any native support for triggering an SMS from LTM.  However, this might make an interesting feature request for APM.  What kind of API or protocol do you imagine wanting to use to trigger an SMS? 
&nbsp;  
&nbsp; Aaron

jon_ole_nome_46 · Answer

We are currently using Clickatell for SMS distribution, and the SMS is sent by sending a http request to the provider that includes our login/password and phone number and message (code), I believe many mobile operators support this type of functionallity.

hoolio · Answer

You could potentially do that now using HTTP::retry: 
&nbsp;  
&nbsp; http://devcentral.f5.com/Default.aspx?tabid=63&amp;articleType=ArticleView&amp;articleId=105 
&nbsp;  
&nbsp; I am not sure how easy it would be to combine the logic from Deb's article with APM, but it might be possible.  If you give it a try and get stuck try replying back here to get help.  It would also make an interesting request for enhancement.  You could make the request officially by opening a case with F5 Support. 
&nbsp;  
&nbsp; Aaron

jon_ole_nome_46 · Answer

Thank you, Aaron! The HTTP::retry looks very promising. The wiki for HTTP::retry (http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP__retry.html) had exactly the example I have been looking for.  If that works as advertised we only need a random number generator within the irule to complete the job.Btw. we have opened an RFE with F5, and were told that they were working on getting this functionality into future versions of  the APM. For a short-term solution we were asked to use the forums at DevCentral,  and they were right :-)&nbsp;&nbsp;&nbsp;Here is a short description of how Checkpoint has integrated the same thing into their Connectra product: http://updates.checkpoint.com/files...katell.pdf&nbsp;

hoolio · Answer

Hi Jon, 
&nbsp;  
&nbsp; Actually Per Boe an F5 FSE and Jason Rahm from DC, just posted a solution on using APM to implement an SMS based one time password solution: 
&nbsp;  
&nbsp; One Time Passwords via an SMS Gateway with BIG-IP Access Policy Manager 
&nbsp; http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086432/One-Time-Passwords-via-an-SMS-Gateway-with-BIG-IP-Access-Policy-Manager.aspx 
&nbsp;  
&nbsp; Aaron

Forum Discussion

2-factor code via SMS iRule

6 Replies

Recent Discussions

Changes to DO and AS3 GitHub - no longer monitored

How to Verify config before loading to F5

Logical Disk Full to Migrate rSeries

HSL - Local TimeZone - in syslog server

VIP control across data centers - how to ensure only 1 VIP is up at a time?

Related Content

Re: iRules Editor with Visual Studio Code

Live Coding with iRules - Heatmaps!

error code 503 redirect irule

SecureAuth 2-Factor STS iApp

Sharpening Your Tools: Advent of Code with iRules

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS