https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enabling-2FA-on-Remote-Access-VPN-Gateway-for-Vendors/m-p/274047#M104374 <P>Hello Simon,</P><P>Thanks for responding. Yes, i have created a username and password + dynamicID authentication method under mobile access &gt; authentication on the specific gateway. I am trying to enforce this, and not make it an option. WIll this change not make staff need a 2nd OTP from their email? as they already authenticate via a RADIUS Server + OTP.</P> Tue, 24 Mar 2026 07:39:50 GMT chuka01 2026-03-24T07:39:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enabling-2FA-on-Remote-Access-VPN-Gateway-for-Vendors/m-p/274045#M104372 <P>We have a customer who uses a gateway (it is in a cluster, but is the only cluster member) for remote access VPN, for both staff and vendors. Staff login with their domain credentials and their authentication method is a RADIUS server with 2FA enabled. Vendors authenticate with their checkpoint account password into a server where they have to input another set of domain credentials.</P><P>Now this customer wants to enable 2FA for those vendor accounts, and I suggested dynamicID with the OTP sent to the vendor's emails. I am thinking that enabling dynamicID on the gateway will also require their staff accounts for another 2FA code, which makes the workflow more inconvenient for staff. Can anyone help with a safe and secure way to enable 2FA just for vendor accounts? Thank you.</P> Tue, 24 Mar 2026 07:07:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enabling-2FA-on-Remote-Access-VPN-Gateway-for-Vendors/m-p/274045#M104372 chuka01 2026-03-24T07:07:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enabling-2FA-on-Remote-Access-VPN-Gateway-for-Vendors/m-p/274046#M104373 <P>Hello</P><P>did you evaluate to configure the multiple login option and create a specific authentication mode for thi vendors? When configured, they could change the authentication settings into their VPN client to use this new authentication mode.</P><P>Here are the steps from the admin guide:&nbsp;<A href="https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_MobileAccess_AdminGuide/Content/Topics-MABG/Multiple-Login-Options.htm" target="_blank">https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_MobileAccess_AdminGuide/Content/Topics-MABG/Multiple-Login-Options.htm</A></P><P>(it R82 version, and specific for the Mobile Access, but it's the same also on previous versions, and multiple login option can be configured also under the VPN clients section).</P> Tue, 24 Mar 2026 07:31:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enabling-2FA-on-Remote-Access-VPN-Gateway-for-Vendors/m-p/274046#M104373 simonemantovani 2026-03-24T07:31:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enabling-2FA-on-Remote-Access-VPN-Gateway-for-Vendors/m-p/274047#M104374 <P>Hello Simon,</P><P>Thanks for responding. Yes, i have created a username and password + dynamicID authentication method under mobile access &gt; authentication on the specific gateway. I am trying to enforce this, and not make it an option. WIll this change not make staff need a 2nd OTP from their email? as they already authenticate via a RADIUS Server + OTP.</P> Tue, 24 Mar 2026 07:39:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enabling-2FA-on-Remote-Access-VPN-Gateway-for-Vendors/m-p/274047#M104374 chuka01 2026-03-24T07:39:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enabling-2FA-on-Remote-Access-VPN-Gateway-for-Vendors/m-p/274109#M104411 <P>If you don't want it to apply to staff, you will need to add DynamicID as part of Multiple Login Options instead.</P> Tue, 24 Mar 2026 23:32:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Enabling-2FA-on-Remote-Access-VPN-Gateway-for-Vendors/m-p/274109#M104411 PhoneBoy 2026-03-24T23:32:37Z