In recent years, multi-factor authentication (MFA) has become the standard for organizations needing to provide access to resources via the internet. It’s a standard that Citrix ADC supports with its nfactor feature.

Industries like banking and finance, driven by stricter security requirements, use two-factor authentication for access to organizational resources, even over the WAN between branch offices and the data center. Citrix ADC caters to this requirement too, via native OTP support. Here, the first factor of authentication can be the username/password, and the second a TOTP handled natively by the Citrix ADC.

But for TOTP to work, the end user must own a smartphone running an app like Google Authenticator to generate the OTP, or must install TOTP software on their desktop/laptop. If an organization uses a lot of third-party contractors, it can be difficult to ensure that TOTP-based applications are available to them, which can be a drain on productivity. For these scenarios, we turn to SMS-based OTP in the two-factor authentication flow.

Citrix ADC can handle SMS OTP integration natively. It can generate an OTP and pass it to an SMS API server via HTTP API calls, which delivers the OTP to the end user by SMS. With this capability, customers don’t need to invest in a third-party SMS OTP server, and they know their third-party workers can still reach applications protected by OTP-based two-factor authentication.

Authentication Flow with SMS OTP in 2FA

Assuming the two-factor integration is for accessing Citrix Virtual Apps and Desktops infrastructure via the Gateway feature of Citrix ADC, the authentication flow would look like this:

And here’s how the process works:

  1. After accessing the URL for the Citrix Virtual Apps and Desktops infrastructure, the end user reaches the first factor, where they fill in their username and password, which are sent to the Citrix ADC.
  2. The Citrix ADC queries Active Directory to validate the end user’s credentials and reads the mobile attribute to obtain the end user’s mobile number.
  3. Active Directory responds with an authentication success message and returns the end user’s mobile number.
  4. The Citrix ADC generates an OTP on the appliance itself, using the variables and assignments configured under AppExpert.
  5. Citrix ADC sends an HTTP API call via the WebAuth mechanism to the SMS API server, which is usually hosted on the internet as a cloud service.
  6. The SMS API platform sends the message to the end user’s mobile phone.
  7. After receiving the message on their mobile phone, the end user enters the OTP in the form where Citrix ADC prompts for it.
  8. The client submits the OTP to the Citrix Gateway on the ADC for validation.
  9. Citrix ADC validates the submitted OTP as part of the nfactor flow.
  10. If authentication succeeds, the Citrix ADC forwards the traffic to Citrix StoreFront and also completes SSO to the StoreFront server by supplying the first-factor username/password.
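The generate, deliver and validate part of this flow (steps 4 to 9) modelled in Python, as an added example that is not Citrix ADC configuration or code; the directory entry, the SMS API URL, the validity window and the attempt cap are constructed assumptions:

```python
import hmac
import secrets
import time

# Constructed stand-in for the LDAP lookup of steps 2-3: username -> AD "mobile" attribute.
DIRECTORY = {"alice": "+15555550100"}

OTP_TTL_SECONDS = 300   # assumed validity window for a delivered code
MAX_ATTEMPTS = 3        # assumed cap on wrong guesses before the code is discarded

def build_sms_request(mobile, otp):
    """Step 5: the HTTP call the WebAuth action would make. URL and body are placeholders."""
    return {"method": "POST", "url": "https://sms-api.example/send",
            "json": {"to": mobile, "text": f"Your login code is {otp}"}}

class SmsOtpFactor:
    """Steps 4-9: mint a per-user OTP, hand it to an SMS sender, then validate it once."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(request_dict) standing in for the SMS API server
        self.now = now             # injectable clock so expiry can be tested
        self.pending = {}          # username -> (otp, expires_at, attempts_left)

    def issue(self, username):
        mobile = DIRECTORY.get(username)
        if mobile is None:
            return False           # no mobile attribute: the second factor cannot be delivered
        otp = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, always 6 digits incl. leading zeros
        self.pending[username] = (otp, self.now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        self.send_sms(build_sms_request(mobile, otp))
        return True

    def verify(self, username, submitted):
        entry = self.pending.get(username)
        if entry is None:
            return False
        otp, expires_at, attempts_left = entry
        if self.now() > expires_at:
            del self.pending[username]           # expired codes are never compared
            return False
        if hmac.compare_digest(otp.encode(), submitted.encode()):  # constant-time comparison
            del self.pending[username]           # single use: a replayed code fails
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self.pending[username]           # brute-force guard: discard after too many misses
        else:
            self.pending[username] = (otp, expires_at, attempts_left)
        return False
```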

Configuration Elements for SMS OTP in 2FA

Configuring two-factor authentication like this requires the following Citrix ADC components:

  • nfactor on AAA-TM with four factors
  • WebAuth policy and profile to send the REST API call to the SMS API
  • Variables and assignments under AppExpert
  • LDAP profile for authentication that also retrieves the mobile attribute
  • Citrix Gateway with SSO enabled on the session profile

OTPs give admins a highly secure option for authentication, and Citrix ADC’s native OTP support enhances the admin’s control by keeping the entire configuration on the Citrix ADC appliance. Learn more about Citrix ADC and its native OTP support capabilities.