Is there any way currently (or are there any plans to) offer two factor authentication for HMOL logins?
As the HMOL login potentially allows access to some very sensitive information, it would be nice to have the option of two factor authentication (e.g. SMS message, OTP token, email etc.) beyond a single username/password.
I think the SMS is probably going to be a very useful option, as you say.
In terms of OTP, I have no particular preference. I have very limited exposure to OTP vendors beyond the standard RSA token. I'm sure there must be some OTP apps etc. available for phones which would be a great option as an alternative to having to have a hardware token.
I think the 2 factor authentication is a key feature for larger organisations and partners (like myself) who want to offer managed services around HMOL. I think that when considering providing management of customer networks via a partner account, then 2 factor authentication is a must-have to safeguard customer and partner organisation access, given the security and liability issues which need to be considered.
Personally I love the idea of 2 step authentication, but once configured I would actually prefer an app or a physical authenticator. This is because it hasn't been the first time my country's SMS system went down the tubes. I'd consider it a bit of a risk to do SMS without a fallback.
The last thing end-users want is a key-chain full of different vendor OTP fobs, or the 'virtual' equivalent of this (e.g. different OTP apps for each different system that they use).
The problem has been fixed by a very neat RFC-referenced, open system. I don't think vendor-specific solutions are the way to go...
In a similar vein we'd like to see support for federated sign-in using something like SAML. This removes the need for admin staff to remember a second set of credentials and also removes the password risk from the equation (so long as your internal systems security meets your requirements).
Are there any plans with SAML? Mike already mentioned SAML for federated sign-in. But with that it's also possible to integrate two factor authentication with SMS, as our SMS Token solution here can already be integrated with SAML into cloud services like Office365, Google Apps, Salesforce.
Not having it on the user-facing product also makes me question whether Aerohive is using this and other best-practices in securing its administrative and back-end infrastructure that powers the service itself. If not, it's a dangerous road to be traveling for Aerohive.