Multi-Factor Authentication

Pro Custodibus can be configured to automatically rotate preshared keys at pre-defined intervals via key-rotation policies. If such a policy is configured as an MFA policy, it will rotate the preshared key on the “server” side of the WireGuard connection only.

To enable a user to log into Pro Custodibus and synchronize the newly rotated preshared key with the “client” side of the WireGuard connection, you must add the user as a member of the host (as a regular “User” member type).

In order to use a WireGuard connection from the “client” side of a connection, the user using the client must log into Pro Custodibus. When a non-admin user logs into Pro Custodibus, she will see the list of WireGuard connections on her user devices that Pro Custodibus manages.

The user must then click the “key-on-circle” (Synchronize Key) icon that corresponds to the WireGuard connection that she want to access. This will direct Pro Custodibus to update the user’s device with the current version of the preshared key used by the connection. Once the Pro Custodibus agent running on the user’s device has made that update, the user will be able to use the WireGuard connection.

The connection will be usable until Pro Custodibus rotates the connection’s preshared key again on the “server” side of the connection. The interval between rotations is controlled by the key-rotation policy.

Users can also use the Pro Custodibus agent’s command-line interface to check on MFA state and perform multi-factor authentication for their WireGuard connections.

An administrator can allow a user to temporarily bypass MFA for a WireGuard connection with the following steps:

The user will be able to use the WireGuard connection until the rotation interval elapses for the key-rotation policy governing the connection.

To revoke a temporary bypass, follow the preshared key rotation steps for the “server” side of the connection, without updating the corresponding endpoint.