
Authentication Option: Manual and ANY other Method


Hi there,

 

In password lists and for web authentication it's possible to specify manual AD authentication and some other factor authentication.

With many users and many other options like (Google, OTP, Mail, SMS, RSA) it is sometimes not nice to handle because we have to agree on one option.

 

Is it possible to specify "Manual AD Authentication + Any other Authentication Method" so we ensure that we have a 2-Factor Authentication but it does not matter which second factor option is used?

 

Edit: Sorry this Thread should go to 8.X Support not 7.x.....

 

Kind regards,

Constantin


Hi Constantin,

 

With the use of User Account Policies, found under the Administration menu, you can have different authentication options for different sets of users. Can you investigate this, and let us know if this is what you need?

Regards

Click Studios


Hi there,

 

I've seen this but this does not fit with our needs. For example I have a team of about 10 users.

2 are using Google Authenticator

1 is using RSA SecurID

4 are using OTP

1 is using email

and so on.....

 

With the policies I can force a user to use one specific authentication option.

So I would have to manage 4 different user policies and add the users per their need to the right user policy based on their chosen second factor application.

I would like to have the option to specify that the users have to authenticate with ANY second factor option, so they can choose their favorite application.

(Ensure that 2-Factor authentication is used, with no enforcement on a specific method)

 

Is this possible? Or does it look like a Feature Request?

 

Kind regards,

Constantin


Hi Constantin,

 

Thanks for the clarification, and no that is not possible sorry. I'm not sure if we would consider this as a feature request sorry, unless we had many customers interested in it - and no-one has expressed an interest before.

 

Technically we're not sure how this would even work - would we just randomly present a 2FA option to the user - what if they don't use SecurID, as an example?

Regards

Click Studios


Yes you are right, from a technical view maybe this could be done with a check like:

Which 2-FA Option is enabled for User XY?

--- RSA

--- OTP

Multiple 2-FA Options detected -> Which one is set as Preferred?

--- RSA

Then display login form/window for this 2FA method.

 

When only one 2FA Method is activated by the user then the preferred step is not needed and it is directly chosen.

 

 


Hi,

 

Thanks for the feedback, but we think this approach would be problematic. We auto-populate a lot of the Authentication fields on users' Preferences screen, even if they are not using those Authentication options i.e. SecurID Username is populated for all accounts.

Do you know users can choose their own Authentication Method on their Preferences screen? I think this might be a better option for you, as you then would not need to worry about all those User Account Policies.

Regards

Click Studios


Yes I've seen this. But if we allow the users to choose their own authentication method via preferences, they could also set this to just "Manual AD" and bypass the second factor. And this would be a security risk. There must be an enforcement to have them choose a second factor option.

 

On the other hand there is the disadvantage for users creating password lists and enforcing the password list to have the authentication method Manual + AD and SecurID for example. But what happens when a user without this method enabled tries to access the password list? It shows the authentication window, but the user cannot authenticate because he does not support this method.

So for single password lists there should be also the possibility to say: Hey normal AD authentication is not enough, we need a second factor. But which one - doesn't matter - because this could be different per user.

Is there maybe a workaround for this?

 

Kind Regards,

Constantin
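Added example (not part of the original thread and not Passwordstate code): a sketch of the "AD plus any enrolled second factor" rule discussed in the posts above, covering the preferred-method selection, the refusal of a first-factor-only preference, and the case of a password list that demands a factor the user lacks. The factor names, the `User` class and the function names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical factor identifiers modelled on the methods named in the thread.
FIRST_FACTOR = "manual_ad"
SECOND_FACTORS = frozenset({"google", "otp", "email", "sms", "rsa"})


@dataclass
class User:
    name: str
    # Only factors the user has explicitly enrolled and verified. A field that
    # is merely auto-populated (e.g. a SecurID username) must not appear here.
    enrolled: set = field(default_factory=set)
    preferred: Optional[str] = None


def set_preference(user, choice):
    """Store a preferred factor; first-factor-only choices are refused."""
    if choice not in SECOND_FACTORS:
        raise ValueError(f"{choice!r} is not a second factor")
    if choice not in user.enrolled:
        raise ValueError(f"{user.name} has not enrolled {choice!r}")
    user.preferred = choice


def select_second_factor(user, accepted=None):
    """Return the factor to prompt for after AD login, or deny access.

    accepted=None means "any second factor"; a password list can pass a
    narrower set. Denying when nothing matches is the fail-closed default.
    """
    allowed = SECOND_FACTORS if accepted is None else SECOND_FACTORS & set(accepted)
    usable = user.enrolled & allowed
    if not usable:
        raise PermissionError(f"{user.name}: no enrolled second factor allowed here")
    if user.preferred in usable:
        return user.preferred
    return sorted(usable)[0]  # deterministic fallback when no usable preference
```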

 

 


Hello Constantin,

 

As we don't have the sort of feature you need, we recommend not configuring Password Lists with Authentication options which users cannot use. In the unlikely event somebody did this, Security Administrators can always turn it off/change it via the screen Administration -> Password Lists.

 

For authentication into Passwordstate, all we can suggest for now is multiple User Account Policies - this will enforce it for you.

If possible, and we certainly understand if it's not, but consolidating the number of 2FA methods you use may help as well - we find most of our customers try to do this as it does simplify things, and reduces your support costs.

Regards

Click Studios
