Is there any way currently (or are there any plans to) offer two factor authentication for HMOL logins?
As the HMOL login potentially allows access to some very sensitive information, it would be nice to have the option of two factor authentication (e.g. SMS message, OTP token, email etc.) beyond a single username/password.
We are considering 2-factor authentication in our roadmap. SMS is a very typical way to do it. Any particular OTP service you currently use/prefer?
I think the SMS is probably going to be a very useful option, as you say.
In terms of OTP, I have no particular preference. I have very limited exposure to OTP vendors beyond the standard RSA token. I'm sure there must be some OTP apps etc. available for phones which would be a great option as an alternative to having to have a hardware token.
I think the 2 factor authentication is a key feature for larger organisations and partners (like myself) who want to offer managed services around HMOL. I think that when considering providing management of customer networks via a partner account, then 2 factor authentication is a must-have to safeguard customer and partner organisation access, given the security and liability issues which need to be considered.
Personally I love the idea of 2 step authentication, but once configured I would actually prefer an app or a physical authenticator. This is because it hasn't been the first time my country's SMS system went down the tubes. I'd consider it a bit of a risk to do SMS without a fallback.
So you have to log in using a PIN number that the client knows and the random RSA-like code.
Thanks for sharing the reference. Duo Security has a pretty good range of products for this matter. We'll have to figure out how to perform a potential integration and let users decide the method of their choosing.
The last thing end-users want is a key-chain full of different vendor OTP fobs, or the 'virtual' equivalent of this (e.g. different OTP apps for each different system that they use).
The problem has been fixed by a very neat RFC-referenced, open system. I don't think vendor-specific solutions are the way to go...
Funny you should mention Google Authenticator. I had a partner in class last week from Tennessee that has that very requirement. Two-factor authentication into HiveManager using Google Authenticator.
Do you have any idea when this 2-fact auth will be implemented?
In a similar vein we'd like to see support for federated sign-in using something like SAML. This removes the need for admin staff to remember a second set of credentials and also removes the password risk from the equation (so long as your internal systems security meets your requirements).
Are there any plans with SAML? Mike already mentioned SAML for federated sign-in. But with that it's also possible to integrate two factor authentication with SMS. As our SMS Token solution here can already be integrated with SAML into cloud-services like Office365, Google Apps, Salesforce.
Not having it on the user-facing product also makes me question whether Aerohive is using this and other best-practices in securing its administrative and back-end infrastructure that powers the service itself. If not, it's a dangerous road to be traveling for Aerohive.