Random ramblings of a security nerd

Second factor on VPNs considered harmful

Due to the risk of "cyber threats", many universities are switching to second factor authentication to log into their VPNs. Many companies moved to second factor for VPN authentication quite some time ago to protect their perimeter from external access. The idea is that users have to provide two factors to log into the internal network (not necessarily internal services), reducing the risk of users falling victims to phishing attacks where they leak their password.

Now, in comparison to companies which are usually a more closed environment, universities are much more open and much more diverse. First, they often offer a public WiFi that gives local users (in WiFi proximity) access to a somewhat internal network. Second, there are large classes of users with tens of thousands of students that all bring their own devices that don't run under any corporate policy.

Under such a "bring your own device" scenario, trying to protect internal network access seems futile. Nevertheless, many universities are trying to enforce 2nd factor authentication and thereby burning through many hours of user time to bring their second factor (usually a phone) to log into the VPN.

Let's see how we can make the login process a bit easier. In short, let's clone our second factor device and automatically generate authentication codes on demand as the VPN connection is set up.

TOTP: Time-based One Time Password

TOTP is a simple scheme that creates a one-time password that is valid during a short time frame. TOTP uses HOTP (hash-based one time passwords) with a rolling epoch that serves as the HOTP counter. The concatenation of the secret key and the counter are fed into HMAC-SHA1. By default, an epoch is 30 seconds long and is rooted with the start of Unix time. As an aside, using HOTP has the advantage that using (reading) a password synchronously updates the counter on both the verifier and the user ensuring that the password can only be used once. The downside of HOTP is that the counters must stay in sync.

Cloning TOTPs

You likely have used Google Authenticator (or a similar app) to store your OTP keys. As you will have guessed by now, you can also extract these secrets.

Fire up Google Authenticator and export your keys.
Scan the QR code with another phone (or take a screenshot) and store the data as my_keys.otp
Clone extract_opt_keys and check that the script will not leak your secrets to somewhere else
Run python3 extract_opt_secret_keys.py my_keys.otp
Store your TOTP secret somewhere save (e.g., ~/.totp_university)
Install oathtool from your favorite package manager
Run cat ~/.totp_university | oathtool -b --totp - to get the current OTP value

Using the last step, you cloned your OTP and have replaced your phone with a command. Well done! Now let's automate the VPN login.

You can connect to your VPN with: openconnect -v -b vpn.uni.edu --authgroup "Super Secret Name of Auth Group" --user=asdf@uni.edu. To automatically connect with TOTP you can expand the command as follows: echo -e 'YourSecredPassword\n'$(cat ~/.totp_university | oathtool --totp -b -) | sudo openconnect -v -b vpn.uni.edu --authgroup "Super Secred Name of Auth Group" --user=asdf@uni.edu --passwd-on-stdin. Now store this command in a shell script and be happy that you neither have to remember your password nor bring your second factor.

Random ramblings of a security nerd

Other articles

Expedia: from software bug to customer service nightmare, a modern Odyssey

How to install a Canon MF633Cdw on a modern Debian

Jumping monkeys or how to reach a technical point of contact at an online or tech company

Gasland: worst documentary of all time?

FreedomPop Overdrive: first thoughts

Other articles

links

social