How To TIP - Steps to turn on Timed One Time Password (TOTP) Two Factor Authentication (2FA) using Google Authenticator #2

Open
bmullan opened this issue Oct 12, 2021 · 0 comments

Owner

bmullan commented Oct 12, 2021

Adding Multi-factor authentication with Google Authenticator / TOTP to CIAB is fairly simple.

Users will need to install the Google Authenticator App on their Android or iPhone, though, to make use of it. So some coordination with Users will be required.

The Documentation for TOTP using Google Authenticator on the Apache Guacamole website is found here. This includes pictures of what you should see once you have activated it.
**NOTE: all of the following is done in the ciab-guac LXD container!**

First, the CIAB Admin needs to Log into Guacamole as the admin and make sure each User account you have created has the Box checked to Permit the User to Change their own password.

The Users in the MySQL DB module need to be allowed to update their own passwords (basically update their own account), as that's what determines whether or not the user can store information about themselves thus enabling TOTP.

Next, the CIAB Admin simply downloads the Guacamole-Auth-TOTP extension from the Apache Guacamole website's download page.

De-archive the guacamole-auth-totp-1.0.0.jar file and move it to the ciab-guac LXD container's /etc/guacamole/extensions directory, then check the owner/group permissions to make sure they match other extensions in that directory.

Once this is done and Tomcat restarted, on their next login the CIAB Remote Desktop Users will be required to use their Google Authenticator App to get the current 6 Digit TOTP Code (it changes every 15-20 seconds) to enter along with their Login ID and Password in order to gain access to their Guacamole account & CIAB desktop "connections".

Google Authenticator is available for Android and iPhone.


Yes, it's simple to turn TOTP on or off.

It's simply whether or not the TOTP file "guacamole-auth-totp-1.0.0.jar" is present or NOT in "/etc/guacamole/extensions" in the ciab-guac LXD container.
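
The install and on/off steps above, as an added shell example that is not part of the original post or the CIAB project's own code. The function names are hypothetical, GNU `chown`/`chmod`/`find` are assumed, and the directory and jar name are the ones given in the post; Tomcat still has to be restarted afterwards as the post describes.

```shell
#!/bin/sh
# Added example: run inside the ciab-guac LXD container.
# EXT_DIR and TOTP_JAR use the values from the post; override EXT_DIR to try it elsewhere.
EXT_DIR="${EXT_DIR:-/etc/guacamole/extensions}"
TOTP_JAR="guacamole-auth-totp-1.0.0.jar"

# Copy the jar into the extensions directory and give it the same owner, group
# and mode as an extension that is already there (the "match other extensions" step).
install_totp() {
    src="$1"
    [ -f "$src" ] || { echo "missing jar: $src" >&2; return 1; }
    ref=""
    for f in "$EXT_DIR"/*.jar; do
        [ -f "$f" ] || continue                            # glob matched nothing
        [ "$(basename "$f")" = "$TOTP_JAR" ] && continue   # skip an older copy of itself
        ref="$f"
        break
    done
    [ -n "$ref" ] || { echo "no reference extension in $EXT_DIR" >&2; return 1; }
    cp "$src" "$EXT_DIR/$TOTP_JAR" &&
        chown --reference="$ref" "$EXT_DIR/$TOTP_JAR" &&
        chmod --reference="$ref" "$EXT_DIR/$TOTP_JAR"
}

# TOTP is on when the jar is present and off when it is not.
totp_status() {
    if [ -f "$EXT_DIR/$TOTP_JAR" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Because the presence of one file decides whether 2FA is enforced, anyone who
# can write to the directory can switch it off. Succeeds (exit 0) when the
# directory is writable by group or other, so it can be used as an audit check.
ext_dir_writable_by_others() {
    [ -n "$(find "$EXT_DIR" -maxdepth 0 -perm /022)" ]
}
```

Typical use is `install_totp ./guacamole-auth-totp-1.0.0.jar`, then `totp_status`, then a Tomcat restart.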
