Is there a way to offer two factor authentication for HMOL logins?

  • Updated 4 years ago
Hi,

Is there any way currently (or are there any plans to) offer two factor authentication for HMOL logins?

As the HMOL login potentially allows access to some very sensitive information, it would be nice to have the option of two factor authentication (e.g. SMS message, OTP token, email etc.) beyond a single username/password.

Thanks

Nigel.

Nigel Bowden


Posted 5 years ago


Bradley Chambers, Champ

I like this idea! I use 2 factor on our Google Apps admin accounts

Emilio Maldonado

Hi Nigel,
We are considering 2-factor authentication in our roadmap. SMS is a very typical way to do it. Any particular OTP service you currently use/prefer?

-Emilio

Nigel Bowden

Emilio,

I think the SMS is probably going to be a very useful option, as you say.

In terms of OTP, I have no particular preference. I have very limited exposure to OTP vendors beyond the standard RSA token. I'm sure there must be some OTP apps etc. available for phones which would be a great option as an alternative to having to have a hardware token.

I think the 2 factor authentication is a key feature for larger organisations and partners (like myself) who want to offer managed services around HMOL. I think that when considering providing management of customer networks via a partner account, then 2 factor authentication is a must-have to safeguard customer and partner organisation access, given the security and liability issues which need to be considered.

Thanks

Nigel.

Stefan van der Wal, Champ

Hi guys,

Personally I love the idea of 2-step authentication, but once configured I would actually prefer an app or a physical authenticator. This is because it wouldn't be the first time my country's SMS system has gone down the tubes. I'd consider it a bit of a risk to do SMS without a fallback.

- Stefan

Bradley Chambers, Champ

Good point Stefan.

Dave Brown

I would have to pass on SMS, simply because I'm more than 50 miles (and two ridgelines) away from the nearest cell tower, i.e. no cell coverage here.

Mike

In a similar vein we'd like to see support for federated sign-in using something like SAML. This removes the need for admin staff to remember a second set of credentials and also removes the password risk from the equation (so long as your internal systems security meets your requirements).

thanks

Thomas Collier

I have seen software using two-factor authentication with a unique API key that is bound to the application login. Then an iOS or other app uses that API key to create a token.

So you have to log in using a PIN number that the client knows and the random RSA-like code.

Jason Braddy

I would love to see integration with Duo Security 2FA, as it supports mobile apps, SMS, and offline lists of one-time codes (as well as hardware tokens if that's how you roll). They have a pretty well-documented API for integrations so it probably wouldn't be that horrible to add.
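Stefan's point above about SMS with no fallback, and the offline one-time code lists Jason mentions, come down to the same requirement: a second factor the user can still present when the phone, the mobile network or the SMS carrier is unavailable. The following Python is an added example (not code from this thread, from Duo or from Aerohive) of how a service would issue and redeem such backup codes: each code comes from the OS CSPRNG, is stored only as a salted PBKDF2 hash, is compared in constant time, and is burned after one use. The code format, the count and the PBKDF2 round count are assumptions; a real deployment would also rate-limit redemption attempts.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # slow hash so a leaked table is expensive to brute-force


def _digest(code: str, salt: bytes) -> bytes:
    """Normalise what the user typed (case, dashes, whitespace) and hash it."""
    normalized = code.strip().lower().replace("-", "")
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, PBKDF2_ROUNDS)


def issue_backup_codes(count: int = 10):
    """Return (codes to show the user exactly once, record to store server-side).

    Format xxxxx-xxxxx and count are assumptions for this example."""
    salt = secrets.token_bytes(16)                 # per-user salt
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)                 # 40 bits of entropy, 10 hex chars
        codes.append(f"{raw[:5]}-{raw[5:]}")       # dash only for readability
    record = {"salt": salt, "hashes": [_digest(c, salt) for c in codes]}
    return codes, record


def redeem_backup_code(record: dict, presented: str) -> bool:
    """Single-use check: constant-time compare against every stored hash, burn on success."""
    d = _digest(presented, record["salt"])
    matched = None
    for h in record["hashes"]:                     # scan the whole list, no early exit
        if hmac.compare_digest(h, d):
            matched = h
    if matched is None:
        return False
    record["hashes"].remove(matched)               # the code can never be reused
    return True


if __name__ == "__main__":
    codes, record = issue_backup_codes(5)          # constructed sample run
    print("show once:", codes)
    print(redeem_backup_code(record, codes[0]))    # True
    print(redeem_backup_code(record, codes[0]))    # False: already burned
```

The plaintext codes exist only in the return value of issue_backup_codes; after they are shown to the user the server holds nothing that reveals them without a brute-force search over the PBKDF2 hashes.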

Emilio Maldonado

Jason,
Thanks for sharing the reference. Duo Security has a pretty good range of products for this matter. We'll have to figure out how to perform a potential integration and let users decide the method of their choosing.

Emilio

Nigel Bowden

I think that Google Authenticator is a better option from an end-user point of view as it's free and it supports many other platforms.

The last thing end-users want is a key-chain full of different vendor OTP fobs, or the 'virtual' equivalent of this (e.g. different OTP apps for each different system that they use).

The problem has been fixed by a very neat, RFC-referenced open system. I don't think vendor-specific solutions are the way to go...

Nigel.

David Coleman, Official Rep

Nigel:

Funny you should mention Google Authenticator. I had a partner in class last week from Tennessee that has that very requirement. Two-factor authentication into HiveManager using Google Authenticator.

DC

Steven Liefferinckx

Hi,

Do you have any idea when this 2-factor auth will be implemented?

Thanks,
Steven.

Jornt Weyts

And how about integration with mydigipass.com from Vasco as a 2-factor authenticator? You could get a hard- or software token... whatever flavour you want.

Stefan Sonderegger


Mike wrote:
> In a similar vein we'd like to see support for federated sign-in using something like SAML. This removes the need for admin staff to remember a second set of credentials and also removes the password risk from the equation (so long as your internal systems security meets your requirements).

Are there any plans with SAML? Mike already mentioned SAML for federated sign-in, but with that it's also possible to integrate two-factor authentication with SMS, as our SMS token solution here can already be integrated with SAML into cloud services like Office365, Google Apps and Salesforce.


Praveen Raghuraman

Thank you for the input on 2-factor auth. This is on our roadmap and we will have more updates coming on this.

Taylor Higley

Support for Duo Security would be wonderful (https://www.duosecurity.com/api).

Taylor Higley

With all the issues around compromised passwords and the nature of the Hive Manager and device service (business critical in most cases), this should be a top priority. Just last year, Verizon research into data breaches indicated 80% of data breaches would have been stopped or forced to change tactics if a "suitable replacement" (such as multifactor authentication) to passwords had been used. (http://www.darkreading.com/attacks-breaches/the-eight-most-common-causes-of-data-breaches/d/d-id/113...?). I cannot emphasize how important this feature is to protecting customers and avoiding a tremendously embarrassing incident.

Not having it on the user-facing product also makes me question whether Aerohive is using this and other best-practices in securing its administrative and back-end infrastructure that powers the service itself.  If not, it's a dangerous road to be traveling for Aerohive.