How to Use GAuth for Multi-factor Authentication in Parallels RAS

More and more organizations are introducing multi-factor authentication (MFA) mechanisms to strengthen their user validation processes. This article provides an overview of Google Authenticator (GAuth) as a second-level authentication solution and explains how to enable and configure its use with Parallels® Remote Application Server (RAS).

MFA Overview

Usually, MFA solutions combine two of the following factors:

MFA mechanisms not only make it unlikely that an intruder can achieve unauthorized access to your systems, but they can also block a large percentage of attacks aiming to compromise accounts.

What is Google Authenticator and How Does It Work?

Google Authenticator is a security application that allows organizations to enable MFA to prompt users for additional information apart from just their usernames and passwords when accessing certain enterprise services.

Google Authenticator is based on the time-based one-time password (TOTP) algorithm, which produces a six-digit passcode that changes every 30 seconds. When it is enabled, users attempting to authenticate are asked to enter, in addition to their usernames and passwords, a one-time passcode shown by the Google Authenticator app already installed on their mobile devices.

Configure Parallels RAS to Use Google Authenticator

Learn how to use Google Authenticator with Parallels RAS by watching the video and reading the step-by-step guide below it.

This section explains how to use Google Authenticator as a second-level authentication solution in Parallels RAS. To configure Google Authenticator:

  1. Open the Parallels RAS Console, and navigate to Connection > Multi-factor authentication.
  2. In the Provider drop-down list, select Google Authenticator.

  3. Click on the Settings button. In the Google Authenticator Properties dialog that opens, specify the following options:

Type Name: The default name here is Google Authenticator. The name will appear in the Parallels Client registration dialog by way of the following sentence: Install Google Authenticator app on your iOS or Android device. If you change the name, the corresponding sentence will contain the new name you specify, Install < new-name > app on your iOS or Android device.

User enrollment: This section allows you to limit user enrollment via Google Authenticator if required. The options are:

Authentication: This section allows you to configure TOTP tolerance. This setting is explained later in the article.

User management: The Reset User(s) field is used to reset the token that a user receives when they log in to Parallels RAS for the first time using Google Authenticator. If you reset a user, they’ll have to go through the registration procedure again. You can search for specific users, reset all users or import the list of users from a CSV file.

  4. Click on the OK button.

Increase TOTP Time Tolerance

When using TOTP as two-factor authentication, the time between the Parallels RAS Publishing Agents and client devices must be synchronized. This synchronization must be performed with a global Network Time Protocol (NTP) server (e.g., time.google.com).

The TOTP tolerance drop-down box in the Google Authenticator Properties dialog lets you select the time difference (in seconds) to be tolerated when performing authentication.

Note that the time tolerance should be changed with caution, as it could have security implications. For instance, if you increase the length of time for which a security token is accepted, there is a correspondingly wider window for potential misuse.
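The trade-off between clock skew and tolerance can be seen in a small RFC 6238 verifier. This is an added example, not Parallels RAS code: it assumes the tolerance is applied as plus or minus that many seconds around the server clock (the page does not say how RAS applies it internally), and SECRET is the RFC 6238 test key, not a real enrollment secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step, as stated in the article
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key (constructed sample)
NOW = 1111111109  # constructed server time: last second of one time step

def totp(secret_b32: str, unix_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time // STEP)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def accepted_steps(server_time: float, tolerance_s: int) -> range:
    """Time steps that overlap [server_time - tolerance, server_time + tolerance]."""
    first = int((server_time - tolerance_s) // STEP)
    last = int((server_time + tolerance_s) // STEP)
    return range(first, last + 1)

def verify(secret_b32: str, submitted: str, server_time: float, tolerance_s: int) -> bool:
    """Accept the code if it matches any time step inside the tolerance window."""
    ok = False
    for step in accepted_steps(server_time, tolerance_s):
        candidate = totp(secret_b32, step * STEP)
        # Constant-time comparison; keep looping so timing does not reveal the step.
        ok |= hmac.compare_digest(candidate, submitted)
    return ok

if __name__ == "__main__":
    # Client clock is only 2 s ahead, but that crosses a step boundary.
    client_code = totp(SECRET, NOW + 2)
    for tol in (0, 30, 60):
        n = len(accepted_steps(NOW, tol))
        print(f"tolerance={tol:>2}s accepted_codes={n} "
              f"client_accepted={verify(SECRET, client_code, NOW, tol)}")
```

With zero tolerance, a two-second skew at a step boundary is enough to reject a legitimate user, while each additional 30 seconds of tolerance adds two more codes that the server will accept at any instant.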

User Login with Google Authenticator

Google Authenticator is supported by Parallels Client and runs on all supported platforms, including desktop, mobile and HTML5. To use Google Authenticator, you need to install the Authenticator app on your iOS or Android device by simply visiting the App Store or Google Play and following the installation instructions.

Once you install the Authenticator app, you will be ready to connect to Parallels RAS using two-factor authentication by following the steps below:

  1. Open the Parallels Client or HTML5 Client, and log in using your credentials.
  2. The multi-factor authentication dialog will open, displaying a barcode (also known as a QR code) and a secret key.

  3. Open the Google Authenticator app on your mobile device:

or

Scan the barcode displayed in the Parallels Client login dialog. If scanning doesn’t work for any reason, go back in the app, choose Enter provided key, and enter the secret key displayed.

  4. Tap Add account in the app. This will create an account and display a one-time password similar to the one shown below.

  5. Go back to Parallels Client, click Next, and enter the one-time password in the OTP field.

  6. If desired, click the Save password checkbox to avoid entering your login credentials on subsequent logins. You will always need to enter a one-time password obtained from the Google Authenticator app.
  7. Click OK to get the list of your published resources.

Enhance Your Data Security with Parallels RAS

Parallels RAS includes built-in security features that help organizations secure their corporate assets from data leakage and malicious activity. Some of these features include:

Multifactor authentication

Parallels RAS integrates third-party security solutions, including Azure MFA (RADIUS), Gemalto (formerly SafeNet), Deepnet, and Google Authenticator.

Granular client policies

A complete set of client policies allows companies to push different Parallels Client settings, forcing user devices to function as the organization requires.

Encryption protocols

Parallels RAS Secure Client Gateway supports Secure Sockets Layer (SSL) and Federal Information Processing Standards (FIPS) 140-2 protocol encryption, thus ensuring secure data transmission between end users and the Parallels RAS Farm.

Data segregation

Parallels RAS multi-tenancy functionality allows organizations to create an unlimited number of independent sites within the same Parallels RAS Farm, thus providing data segregation and enhancing security.
