
SAML Authentication with a second two factor authentication option


We've had a customer request the ability to have a second two-factor authentication option to be available to be used when SAML2 is the primary option. Currently SAML2 only works on its own, and an example of this feature would be you could choose SAML2 with Google Authenticator.

 

If you think this is a feature you would like to see in Passwordstate, please cast your vote!

 

Regards,

Support.


Hello,

 

I would like to see a second 2 factor option in general. Sometimes our users forget their phones at home and can't use Passwordstate. It would be nice to enable a second 2 factor option like mail or SMS for this case.

 

Kind regards and thank you for a great product


Hello Bepo,

 

Maybe you could use a User Account Policy for this, and when users forget their phone, add them to the User Account Policy which is using a different authentication method.

Regards

Click Studios


Hi Bepo

 

You could allow use of the GAuth plugin with Chrome. It should only be used on the basis that it is for "exceptional" user access when their phone is lost or where a user cannot get mobile coverage, for example. It's not the best approach to MFA as it introduces some potential areas of additional exposure, and it could be argued that it isn't true MFA, not being independent of the desktop/browser. So I would add some additional controls such as a client-side cert and only allowing access to the Passwordstate service via an established VPN - but that VPN service would also probably need a non-phone-based MFA (e.g. Direct Access or use a Yubikey/RSA token) as that's the problem you are trying to work around.


Hello,

 

Thank you for your help. Account policies require an admin action. This is a bad way if you want to have a minimum ticket queue.

Microsoft, Google etc. allow you to choose a second factor. You can choose to receive e.g. an e-mail, if your phone is lost.

 

[Image: image result for "microsoft 2 factor"]


Hi All,

 

As of build 8627, you can now select an additional authentication option, after SAML authentication is complete - see screenshot below.

 

[Screenshot: saml.png]

 

Regards

Click Studios
