Be National Authentication Framework Ready With DS3 Two-Factor Authentication (2FA)
In this document, we will describe how an organization can rely on the National Authentication Framework (NAF) for strong authentication for access to its enterprise applications. In particular, we will show how an existing VPN can be configured to make use of the DS3 Authentication Security Module (ASM) to connect to NAF for user-login Two-Factor Authentication (2FA).
What is National Authentication Framework (NAF)?
- The NAF is a national initiative by the Government of Singapore to manage and operate a strong authentication infrastructure for all residents and businesses in Singapore.
- Under the NAF scope, everyone will be issued an authentication token (e.g. in the form of a hardware dongle or mobile phone SMS) to perform 2nd-factor authentication against the NAF setup.
- Businesses can sign up to connect to the NAF setup and outsource the 2nd-factor authentication process to NAF. This relieves businesses of the logistical and cost overheads of issuing and managing tokens for their employees, partners and customers.
The Business Scenario
- The organization is a school that operates commercial courses for private students. Teachers and students can log in from the Internet via the school’s VPN to gain access to the course portals, emails and other online learning and testing facilities.
- Due to the sensitivity of the application and data, the school wants to quickly improve its current UserID-password authentication to 2-factor authentication. However, due to the large turnover of students (most only stay for 3-6 months), it is not cost-effective for the school to issue and manage its own tokens.
The Provided Solution – Using the DS3 ASM
The DS3 ASM can be used as the authentication interface between the VPN and the NAF. The advantage of such a setup is that no customized plugins or code need to be built or installed on the end-users’ machines or the VPN. The VPN simply needs to be configured to direct RADIUS authentication to the DS3 ASM, and the solution is ready to operate.
The scenario for Two-Factor Authentication to NAF is as follows:
- During VPN login, the user is still prompted with the same login screen. In the password field, the user enters the original password with the OTP (one-time password) generated from the NAF device appended to it.
- The VPN, upon receiving the login credentials, will connect to the DS3 ASM for verification.
- Assuming that the user’s original password is stored in Windows, the DS3 ASM will send the static portion of the password to the Windows AD for verification.
- The DS3 ASM will also open a connection to the NAF RTAP servers to verify the OTP.
- If both are verified successfully, the DS3 ASM will reply with an ACCESS-ACCEPT response, and the user will be allowed access to the backend protected applications.
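
The flow above, sketched as an added example (not DS3 code): the combined password field is split into the static password and the OTP, each part goes to its own verifier, and a single RADIUS reply is returned. The 6-digit OTP length, the function names and the dictionaries standing in for Windows AD and the NAF OTP service are assumptions made for illustration.

```python
import hmac

OTP_LEN = 6  # assumption: the page does not state the NAF OTP length

# Constructed sample data standing in for Windows AD and the NAF OTP service.
AD_PASSWORDS = {"student01": "Spring2024"}
NAF_PENDING_OTP = {"student01": "482915"}

def split_credential(combined, otp_len=OTP_LEN):
    """Split 'password + OTP' from the password field; None if malformed."""
    if len(combined) <= otp_len:
        return None  # no static password would remain
    # Fixed-length suffix split: passwords that end in digits stay intact.
    static, otp = combined[:-otp_len], combined[-otp_len:]
    if not (otp.isascii() and otp.isdigit()):
        return None
    return static, otp

def check_ad(user, password):
    """Stand-in for the static-password check against Windows AD."""
    expected = AD_PASSWORDS.get(user, "")
    return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())

def check_naf(user, otp):
    """Stand-in for the OTP check; a matching OTP is consumed (single use)."""
    expected = NAF_PENDING_OTP.get(user, "")
    ok = bool(expected) and hmac.compare_digest(expected.encode(), otp.encode())
    if ok:
        del NAF_PENDING_OTP[user]
    return ok

def authenticate(user, combined):
    """Return the RADIUS reply the VPN would receive."""
    parts = split_credential(combined)
    if parts is None:
        return "ACCESS-REJECT"
    static, otp = parts
    pw_ok = check_ad(user, static)
    otp_ok = check_naf(user, otp)  # evaluated even when the password failed
    # One reply for every failure, so it does not reveal which factor was wrong.
    return "ACCESS-ACCEPT" if pw_ok and otp_ok else "ACCESS-REJECT"
```

A login that sends only the static password is rejected at the split step, because its last six characters are not an OTP.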