How to Use GAuth for Multi-factor Authentication in Parallels RAS

More and more organizations are introducing multi-factor authentication (MFA) mechanisms to strengthen their user validation processes. This article provides an overview of Google Authenticator (GAuth) as a second-level authentication solution and explains how to enable and configure its use with Parallels® Remote Application Server (RAS).

Learn about Google Authenticator and How It Works

Usually, MFA solutions combine two of the following factors: information only the user knows (typically a username and a password), an item only the user possesses (such as a one-time passcode) or a physical distinguisher inherent to the user (often a biometric feature). MFA mechanisms not only make it unlikely that an intruder can achieve unauthorized access to your systems, but they can also block a large percentage of attacks aiming to compromise accounts.

Google Authenticator is a security application that allows organizations to enable MFA, prompting users for additional information beyond their usernames and passwords when accessing certain enterprise services.

Google Authenticator is based on the time-based one-time password (TOTP), a six-digit passcode that changes every 30 seconds. When it is enabled, users attempting to authenticate are asked to enter, in addition to their usernames and passwords, a one-time passcode, which is shown instantaneously by the Google Authenticator app already installed on their mobile devices.

Configure Parallels RAS to Use Google Authenticator


This section explains how to use Google Authenticator as a second-level authentication solution in Parallels RAS. To configure Google Authenticator:

  1. Open the Parallels RAS Console, and navigate to Connection > Multi-factor authentication.
  1. In the Provider drop-down list, select Google Authenticator.


  1. Click on the Settings button. From the Google Authenticator Properties dialog that opens, specify the following options:


Type Name: The default name here is Google Authenticator. The name appears in the Parallels Client registration dialog in the following sentence: Install Google Authenticator app on your iOS or Android device. If you change the name, the sentence will contain the new name you specify: Install <new-name> app on your iOS or Android device.

User enrollment: This section allows you to limit user enrollment via Google Authenticator if required. The options are:

Authentication: This section allows you to configure TOTP tolerance. Further information about this setting will be explained later in the article.

User management: The Reset User(s) field is used to reset the token that a user receives when they log in to Parallels RAS for the first time using Google Authenticator. If you reset a user, they’ll have to go through the registration procedure again. You can search for specific users, reset all users or import the list of users from a CSV file.

  1. Click on the OK button.

Increase TOTP Time Tolerance

When using TOTP as two-factor authentication, the time between the Parallels RAS Publishing Agents and client devices must be synchronized. This synchronization must be performed with a global Network Time Protocol (NTP) server (e.g., time.google.com).

The TOTP tolerance drop-down box in the Google Authenticator Properties dialog lets you select the time difference (in seconds) that is tolerated while performing authentication.


Note that the time tolerance should be changed with caution, as it could have security implications. For instance, if you increase the duration of time allowed for a security token, there is a correspondingly wider window for potential misuse.
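The following added example (not Parallels code) computes the six-digit, 30-second TOTP described earlier in the article and shows how a tolerance setting widens the set of codes a server accepts. It assumes tolerance is applied as plus or minus that many seconds around the server clock; the secret is the RFC 6238 test key, and the `last_used_step` replay guard is an illustrative addition, not a documented RAS feature.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated in the article
DIGITS = 6   # six-digit passcode, as stated in the article
# Constructed sample secret: the RFC 6238 test key, Base32-encoded as authenticator apps expect.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def accepted_steps(server_time: int, tolerance_s: int) -> range:
    """Time steps accepted under the assumed +/- tolerance model."""
    first = (server_time - tolerance_s) // STEP
    last = (server_time + tolerance_s) // STEP
    return range(first, last + 1)


def verify(secret_b32, code, server_time, tolerance_s, last_used_step=-1):
    """Return the matching time step, or None if the code is rejected.

    Steps at or before last_used_step are refused, so a code that was
    already used cannot be replayed inside a widened window.
    """
    for step in accepted_steps(server_time, tolerance_s):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret_b32, step * STEP), code):
            return step
    return None


if __name__ == "__main__":
    server_now = 1111111111                  # constructed server clock
    code = totp(SECRET, server_now - 2)      # device clock 2 s behind, previous step
    for tol in (0, 30, 120):
        n = len(accepted_steps(server_now, tol))
        print(tol, "s tolerance:", n, "valid codes, accepted =",
              verify(SECRET, code, server_now, tol) is not None)
```

Each additional 30 seconds of tolerance adds two more codes that are valid at any instant, which is the wider window for misuse the article warns about.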

User Login with Google Authenticator

Google Authenticator is supported by Parallels Client and runs on all supported platforms, including desktop, mobile and HTML5. To use Google Authenticator, you need to install the Authenticator app on your iOS or Android device by simply visiting the App Store or Google Play and following the installation instructions.

Once you install the Authenticator app, you will be ready to connect to Parallels RAS using two-factor authentication by following the steps below:

  1. Open the Parallels Client or HTML5 Client, and log in using your credentials.
  1. The multi-factor authentication dialog will open, displaying a barcode (also known as a QR code) and a secret key.


  1. Open the Google Authenticator app on your mobile device:

or

Scan the barcode displayed in the Parallels Client login dialog. If scanning doesn’t work for any reason, go back in the app, choose Enter provided key, and enter the secret key displayed.

  1. Tap Add account in the app. This will create an account and display a one-time password similar to the one shown below.


  1. Go back to Parallels Client, click Next, and enter the one-time password in the OTP field.


  1. If desired, click the Save password checkbox to avoid entering your login credentials on subsequent logins. You will always need to enter a one-time password obtained from the Google Authenticator app.
  1. Click OK to get the list of your published resources.

Enhance Your Data Security with Parallels RAS

Parallels RAS includes built-in security features that help organizations secure their corporate assets from data leakage and malicious activity. Some of these features include:

If you have any questions or require further information, please don’t hesitate to contact us.