So about two and a half months ago, I configured 2FA for our Meraki VPN service. (Check out the write-up if you want to.) It works well, and I slept a little better at night knowing that my remote users had secure access to the corporate network.
A common question I get is “How do I connect to the VPN while I am traveling, and only have registered my laptop to the airplane Wi-Fi? Paying for a second device (mobile phone) to access the in-flight Wi-Fi would be costly.”
That is a good question! Unlike me, some people do like to get work done during a long flight. And we all know how insecure in-flight Wi-Fi is. In-flight Wi-Fi connections are essentially the same as the public Wi-Fi hotspots that are used on the ground. Even paying for access does not mean your device is safe.
As a rule of thumb, using a VPN connection is always recommended while conducting work activities on your laptop, especially from public Wi-Fi networks and hotspots. Just because you’re in the air doesn’t mean that your data can’t be stolen.
The reliability of these connections is also not guaranteed. In-flight Wi-Fi from 30,000 feet still must travel through multiple routers and connections before it gets to its destination. To see how in-flight Wi-Fi works, check out this article from Reader’s Digest.
So what can we do?
Even with your phone in Airplane mode, you can still authenticate with the Duo Mobile app using a Mobile Passcode. This works anywhere, even in places where you don't have an internet connection or can't get cell service.
I then remembered that Two-Factor Authentication for Meraki Client VPN supports push, phone call, or passcode authentication for desktop and mobile client connections. Perfect! I may have a solution!
How do we fix it?
On the Duo Mobile App, the user will need to tap the down indicator on the Duo-Protected Account to get a one-time passcode for login.
Then when the user logs in to their VPN connection, the user will append (add to the end of) their password a comma followed by the six-digit passcode generated in their Duo Mobile app. For example:
These passcodes are for one-time use only. If a user cannot connect using the current mobile passcode on the Duo Mobile App, they will have to press the blue circular arrows and regenerate a mobile passcode. Then the user will enter that new passcode after the comma that is appended to their password.
Although I have not tested this out on a flight, I did simulate it by putting my phone in "airplane" mode and connecting to my corporate VPN using the passcode that was generated in the Duo Mobile app.
I was able to get the instructions out to my users today. So fingers crossed that it works for them!
Thanks for reading!
SIDE NOTE.... Duo Security just rolled out their new online learning platform. It's free to Duo customers and has a few certification paths. I have gone through most of the material and I have been learning a lot about the various options there are. As a Duo Administrator, I thought it was awesome. Needless to say, I am a big fan of Duo Security.
Support Brandon Bowman by becoming a sponsor. Any amount is appreciated!