As a result of an external Security Audit I would like to file the following Feature Request:
Two-Factor-Authentication for Administrative Access to NGFW
To further improve the security of the administration interface of the NGFW it would be desirable to be able to add an OTP (one-time-password) as an additional factor for authentication.
I know that by now this is possible for VPN connections (but only for them) using RSA or similar products.
For us it would be much better to have one of the two following methods supported:
Variant A: Standard TOTP implementation (preferred)
RFC 6238 defines a standard mechanism for TOTP (Time-based One-time Passwords). As far as I know, there are several reference implementations for Linux available (for example as a PAM module).
On the client side there are many Android and iOS soft token generators which are capable of generating such TOTPs.
The benefit would be that there are almost no infrastructure costs for that approach and that a well defined, standardized, known secure and open algorithm for TOTP generation and verification could be used.
Variant B: SMS OTP (if A is not possible)
In that case, after the user has provided username and password, the NGFW would send an SMS message (via an attached GSM modem or via a web service) to the user who is trying to authenticate against the NGFW.
Please note that competitors like Fortinet already offer very simple and affordable OTP-2FA additions for their products (Fortinet for example includes a certain number of soft tokens free of charge with each appliance, for Android and iOS).
The supported RSA product is not an option for smaller setups, since the price is very high and the implementation requires a significant amount of time and knowledge.