Multi-Factor Authentication

Pro Custodibus enables WireGuard multi-factor authentication (MFA) via Key-Rotation Policies.

Through a key-rotation policy, if the Pro Custodibus agent is installed on both sides of a WireGuard connection, Pro Custodibus can rotate the connection’s preshared key on just the designated “server” side of the connection at a regular interval. To keep using the connection, the user on the “client” side must then authenticate with Pro Custodibus in order to re-synchronize the preshared key on her side of the connection.

This produces multi-factor authentication, as the WireGuard connection is authenticated firstly with the private key stored on the client device (“something you have”); and by requiring the user to log into Pro Custodibus to retrieve the connection’s preshared key, the WireGuard connection is authenticated secondly by the credentials the user uses to log into Pro Custodibus (“something you know”).

See the WireGuard MFA With Pro Custodibus Guide for a detailed explanation of how it works.

Key-Rotation Policies

Pro Custodibus can be configured to automatically rotate preshared keys at pre-defined intervals via key-rotation policies. If such a policy is configured as an MFA policy, it will rotate the preshared key on the “server” side of the WireGuard connection only.

Host Members

To enable a user to log into Pro Custodibus and synchronize the newly rotated preshared key with the “client” side of the WireGuard connection, you must add the user as a member of the host (as a regular “User” member type).

User Authentication Flow

In order to use a WireGuard connection from the “client” side of a connection, the user using the client must log into Pro Custodibus. When a non-admin user logs into Pro Custodibus, she will see the list of WireGuard connections on her user devices that Pro Custodibus manages.

The user must then click the “key-on-circle” (Synchronize Key) icon that corresponds to the WireGuard connection that she wants to access. This directs Pro Custodibus to update the user’s device with the current version of the preshared key used by the connection. Once the Pro Custodibus agent running on the user’s device has made that update, the user will be able to use the WireGuard connection.

The connection will be usable until Pro Custodibus rotates the connection’s preshared key again on the “server” side of the connection. The interval between rotations is controlled by the key-rotation policy.

Command Line Interface

Users can also use the Pro Custodibus agent’s command-line interface to check on MFA state and perform multi-factor authentication for their WireGuard connections.

Temporary Bypass

An administrator can allow a user to temporarily bypass MFA for a WireGuard connection with the following steps:

  1. Click the Hosts link in the app header.

  2. Find the host for the “client” side of the connection in the list, and click the host’s name to view the host’s main status page.

  3. Click the “key-on-shield” (Manage Preshared Keys) icon on the right side of the Host panel.

  4. Find the connection in the list, and click the “key-on-circle” (Synchronize Key) icon.

The user will be able to use the WireGuard connection until the rotation interval elapses for the key-rotation policy governing the connection.

To revoke a temporary bypass, follow the preshared key rotation steps for the “server” side of the connection, without updating the corresponding endpoint.
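The following is an added example that models the key-rotation MFA flow, the temporary bypass, and its revocation described above; it is illustrative code written for this page, not Pro Custodibus or WireGuard code. The class names (Peer, Connection, ProCustodibus), the method names, the host and user names, and the 3600-second interval are all assumptions; the only WireGuard facts it relies on are that a preshared key is 32 random bytes (base64-encoded) and that a handshake cannot complete unless both peers hold the same preshared key.

```python
"""Toy model of WireGuard MFA via server-side preshared-key rotation.
Illustrative code written for this page; not part of Pro Custodibus or
WireGuard. Class, method, host and user names are assumptions."""
import base64
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def new_psk() -> str:
    """A WireGuard preshared key is 32 random bytes, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")


@dataclass
class Peer:
    """One side of a WireGuard connection; only the preshared key is modelled."""
    host: str
    psk: Optional[str] = None


@dataclass
class Connection:
    """A server/client pair governed by an MFA key-rotation policy."""
    server: Peer
    client: Peer
    rotation_interval: int      # seconds between rotations (policy setting)
    last_rotation: int = 0      # time of the most recent server-side rotation

    def rotate_server_psk(self, now: int) -> None:
        """MFA policy: rotate the preshared key on the server side only."""
        self.server.psk = new_psk()
        self.last_rotation = now

    def tick(self, now: int) -> bool:
        """Rotate if the policy interval has elapsed; return True if rotated."""
        if now - self.last_rotation >= self.rotation_interval:
            self.rotate_server_psk(now)
            return True
        return False

    def handshake_ok(self) -> bool:
        """A WireGuard handshake only completes when both sides hold the same PSK."""
        return self.server.psk is not None and self.server.psk == self.client.psk


class ProCustodibus:
    """Minimal stand-in for the synchronization logic (assumed names)."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}   # host name -> user members

    def add_host_member(self, host: str, user: str) -> None:
        self.members.setdefault(host, set()).add(user)

    def sync_key(self, user: str, conn: Connection) -> None:
        """Second factor: an authenticated host member pulls the current PSK
        down to the client side (the 'Synchronize Key' action)."""
        if user not in self.members.get(conn.client.host, set()):
            raise PermissionError(f"{user} is not a member of {conn.client.host}")
        conn.client.psk = conn.server.psk

    def admin_bypass(self, conn: Connection) -> None:
        """Temporary bypass: an administrator syncs the key on the user's behalf."""
        conn.client.psk = conn.server.psk

    def revoke_bypass(self, conn: Connection, now: int) -> None:
        """Revoke: rotate the server side without updating the client endpoint."""
        conn.rotate_server_psk(now)


def run_scenario(interval: int = 3600) -> List[Tuple[str, bool]]:
    """Walk through the flow from this page, recording after each step whether
    the connection is usable (i.e. a handshake could complete)."""
    pc = ProCustodibus()
    conn = Connection(Peer("vpn-server"), Peer("alice-laptop"), interval)
    conn.rotate_server_psk(now=0)
    conn.client.psk = conn.server.psk        # initial provisioning (constructed)
    log: List[Tuple[str, bool]] = []

    log.append(("provisioned", conn.handshake_ok()))
    conn.tick(now=interval)                  # policy interval elapses: server rotates
    log.append(("after rotation", conn.handshake_ok()))
    try:
        pc.sync_key("alice", conn)           # alice is not yet a host member
    except PermissionError:
        log.append(("sync denied", conn.handshake_ok()))
    pc.add_host_member("alice-laptop", "alice")
    pc.sync_key("alice", conn)               # user logs in and synchronizes the key
    log.append(("after user sync", conn.handshake_ok()))
    conn.tick(now=2 * interval)              # next rotation locks the client out again
    pc.admin_bypass(conn)
    log.append(("after admin bypass", conn.handshake_ok()))
    pc.revoke_bypass(conn, now=2 * interval)
    log.append(("after revoke", conn.handshake_ok()))
    return log


if __name__ == "__main__":
    for step, usable in run_scenario():
        print(f"{step:20s} usable={usable}")
```

The model makes the two defender-relevant properties explicit: a rotation on the server side alone is what invalidates the client's key (so the rotation interval bounds how long any synchronized key, including an admin bypass, stays usable), and synchronization is gated on host membership, which is why the user must be added as a member of the client host before she can complete the second factor.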