Two Factor Authentication


Recommended Posts

Are there any plans to incorporate support for Two Factor Authentication for both the Admin Tool and the Live User App?

We currently integrate with our Active Directory for Single Sign On, but are looking to add a second level of authentication to protect our instance from compromised credentials etc.

Cheers

Martyn


Hi Martyn,

This question does come up from time to time but I never quite understand the use case. For me TFA is like in my banking app on my phone. When I run the app I have to enter my PIN code, then when I want to do anything like make a payment I have to authorise, say via a code sent to me by text, or using my card and a PINsentry device, or on other systems, say an RSA key.

In the more traditional sense of TFA that often means you need to provide a username, password and some other piece of information that only you know, for example the 3rd and 6th letter of your favourite colour. 

Now I am thinking about this from a Hornbill perspective when you are using ADFS. If you need TFA, would this not be something that you would expect your ADFS server to implement? How do you see the login workflow functioning with TFA?

Gerry


We were looking at RSA MFA via ADFS in a place I worked a few years ago. I think the issue with it was it looked like an all or nothing (for what we wanted) and we couldn't justify the cost of the RSA fobs and licences. 

To be honest it looked pretty sweet. Just a 'Please input your RSA PIN and token code' page as soon as you hit the ADFS server.

I believe you can get Google Authentication and similar to work with ADFS MFA and I am sure it is highly customisable these days.

Probably a better option than Hornbill TFA (no offence) as you can add / remove / change methods and security levels as you need.

That said, it would be nice to have some additional security in the instance that SSO is enabled but you log in with the "backdoor" as it were. 

Edit: Another plus side for setting up ADFS MFA is that you can add it to any other ADFS connections and have different methods of MFA for different applications etc. 


I believe that if you enable TFA on Active Directory this will take place before the credentials are passed through to Hornbill, so you would get the added security you require without having to implement a separate system within Hornbill.

This isn't my area, so I can't really elaborate, but I know we're currently testing TFA for external connections via our Azure AD and that was the response I got from "The Chaps".


Yeah, the ADFS server points you to the authentication service and won't give your browser the token if authentication fails (is how I understand it anyway).

Just had a quick look and it seems to have come quite a long way since I last had a look at it.

For interest: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs 

Obviously there would need to be a Hornbill system for the scenario I mentioned above:

1 hour ago, Dan Munns said:

it would be nice to have some additional security in the instance that SSO is enabled but you log in with the "backdoor" as it were
