Second factor on VPNs considered harmful

Due to the risk of "cyber threats", many universities are switching to second factor authentication to log into their VPNs. Many companies moved to second factor for VPN authentication quite some time ago to protect their perimeter from external access. The idea is that users have to provide two factors to log into the internal network (not necessarily internal services), reducing the risk of users falling victim to phishing attacks in which they leak their password.

Now, in comparison to companies which are usually a more closed environment, universities are much more open and much more diverse. First, they often offer a public WiFi that gives local users (in WiFi proximity) access to a somewhat internal network. Second, there are large classes of users with tens of thousands of students that all bring their own devices that don't run under any corporate policy.

Under such a "bring your own device" scenario, trying to protect internal network access seems futile. Nevertheless, many universities are trying to enforce second factor authentication and thereby burn through many hours of user time as people fetch their second factor (usually a phone) to log into the VPN.

Let's see how we can make the login process a bit easier. In short, let's clone our second factor device and automatically generate authentication codes on demand as the VPN connection is set up.

TOTP: Time-based One Time Password

TOTP is a simple scheme that creates a one-time password that is valid during a short time frame. TOTP uses HOTP (hash-based one-time passwords) with a rolling epoch that serves as the HOTP counter: the counter is fed into HMAC-SHA1 keyed with the secret. By default, an epoch is 30 seconds long and is anchored at the start of Unix time. As an aside, plain HOTP has the advantage that using (reading) a password updates the counter on both the verifier and the user's device in lockstep, ensuring that the password can only be used once. The downside of HOTP is that the counters must stay in sync.

Cloning TOTPs

You likely have used Google Authenticator (or a similar app) to store your OTP keys. As you will have guessed by now, you can also extract these secrets.

  • Fire up Google Authenticator and export your keys.
  • Scan the QR code with another phone (or take a screenshot) and store the data as my_keys.otp
  • Clone extract_opt_keys and check that the script will not leak your secrets to somewhere else
  • Run python3 extract_opt_secret_keys.py my_keys.otp
  • Store your TOTP secret somewhere safe (e.g., ~/.totp_university)
  • Install oathtool from your favorite package manager
  • Run cat ~/.totp_university | oathtool -b --totp - to get the current OTP value (-b tells oathtool the secret is base32-encoded)

Using the last step, you cloned your OTP and have replaced your phone with a command. Well done! Now let's automate the VPN login.

You can connect to your VPN with: openconnect -v -b vpn.uni.edu --authgroup "Super Secret Name of Auth Group" --user=asdf@uni.edu. To automatically connect with TOTP you can expand the command as follows: echo -e 'YourSecretPassword\n'$(cat ~/.totp_university | oathtool --totp -b -) | sudo openconnect -v -b vpn.uni.edu --authgroup "Super Secret Name of Auth Group" --user=asdf@uni.edu --passwd-on-stdin. The password and the freshly generated OTP are passed on standard input, one per line. Now store this command in a shell script and be happy that you neither have to remember your password nor bring your second factor.
