Most of us have been using hardware or software tokens, either commercial or free, to prove identity and to provide two-factor authentication (2FA). Google Authenticator is the first choice for mobile 2FA because it's free and it runs on smartphones (iOS & Android), BlackBerry Socialphone and even on tablets. Amazon Web Services, Dropbox and LastPass began to support Google Authenticator, and of course so do Linux/Unix SSH hosts. Since it works on an SSH host, why can't it work on F5 BIG-IP TMOS as well? This article describes the steps to enable Google Authenticator on BIG-IP.
Single box setup
Download the Google Authenticator RPM package here. MD5: 689ce0a164ae7fb67727f63a937febcc
Extract the RPM package using 7zip
Upload the lib & usr directories to /root using SFTP or SCP.
Configure NTP & DNS settings on BIG-IP
Configure directories and move files from the RPM package
Do you want me to update your "~/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y
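What the three answers above mean on the verifying side can be seen in a short sketch. This is an added example, not code from the original article or from the Google Authenticator PAM module: a simplified Python model of a TOTP check with a three-code window, reuse rejection and a limit of 3 attempts per 30 seconds. The `Verifier` class, its return strings and the sample secret (the RFC 4226 test key) are assumptions made for illustration.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds each token is valid, as stated in the prompt text

def totp(secret_b32, counter, digits=6):
    """HOTP value (RFC 4226, HMAC-SHA1) for one 30-second time counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server-side model of the options chosen above."""
    def __init__(self, secret_b32, window=3, rate_limit=3, rate_period=30):
        self.secret = secret_b32
        self.window = window            # 3 codes: previous, current, next
        self.rate_limit = rate_limit    # attempts allowed per rate_period
        self.rate_period = rate_period
        self.used = set()               # time counters already accepted
        self.attempts = []              # timestamps of recent attempts

    def verify(self, code, now):
        # Rate limiting: refuse once rate_limit attempts fall inside the period.
        self.attempts = [t for t in self.attempts if now - t < self.rate_period]
        if len(self.attempts) >= self.rate_limit:
            return "rate-limited"
        self.attempts.append(now)
        current = int(now) // STEP
        half = self.window // 2
        # Time-skew window: accept the code before and after the current one.
        for counter in range(current - half, current + half + 1):
            expected = totp(self.secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                if counter in self.used:  # same token presented twice
                    return "reused"
                self.used.add(counter)
                return "ok"
        return "invalid"

# Constructed sample secret: base32 of the RFC 4226 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    v = Verifier(SAMPLE_SECRET)
    print(v.verify(totp(SAMPLE_SECRET, 59 // STEP), now=59))
    print(v.verify(totp(SAMPLE_SECRET, 59 // STEP), now=60))
```

The window only tolerates clock drift of one step in either direction, which is why NTP is configured on the BIG-IP before the token is generated.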
Let's see what's inside the .google_authenticator file