    2FA - when required by your vendors, do you stipend your staff?

    IT Discussion
Dashrender @Deleted74295

      @breffni-potter said in 2FA - when required by your vendors, do you stipend your staff?:

      "It depends" on way more factors than 2FA.

      Do they currently have work emails on their personal device?
      If yes, why does introducing 2FA suddenly require stipends? If no, then provide them with physical tokens for 2FA instead.

      No they don't. Tokens are currently not an option.

Deleted74295 @Dashrender

        @dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

        We aren't managing the 2FA - the vendor (hospital) is. We can't dictate what they use.

        And no one on your team has work emails on personal devices?

Dashrender @Deleted74295

@breffni-potter said in 2FA - when required by your vendors, do you stipend your staff?:

And no one on your team has work emails on personal devices?

          Those that have email on their personal devices are already covered (cost wise), so they are not part of this group.

I have 60 users that are day labourers, and they do not, nor are they ever likely to, have email access on their personal devices.

Deleted74295

The 2FA is data only, right? And they can set it to only work on Wi-Fi?

It really depends on the team you have. If you have... cheap, mean-spirited people on the team, then yes, you'll have to pay a stipend, but make it like... the cost of storing the app on their devices. $2 a year?

            A bigger question, what if they don't have smartphones?

Dashrender

              The best option would be a PC based token.

              I just found https://winauth.com/

              Now the question is, does it break something you have, something you own, something you are?

              I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?

Dashrender @Deleted74295

                @breffni-potter said in 2FA - when required by your vendors, do you stipend your staff?:

                A bigger question, what if they don't have smartphones?

                Most places around here are doing the phone call thing, so if they have a dumb cellphone, that would still work.

                Of course calls, like SMS, are totally hackable with SS7 redirects. But again, I'm not controlling these systems.

stacksofplates @Dashrender

                  @dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

                  The best option would be a PC based token.

                  I just found https://winauth.com/

                  Now the question is, does it break something you have, something you own, something you are?

                  I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?

                  Wait why can't they use physical tokens if they can use this? A Yubikey generates an OTP like Google Auth or RSA but you don't have to type it in.

Dashrender @stacksofplates

@stacksofplates said in 2FA - when required by your vendors, do you stipend your staff?:

Wait why can't they use physical tokens if they can use this? A Yubikey generates an OTP like Google Auth or RSA but you don't have to type it in.

                    Very true - I know I said Tokens aren't currently an option - so that of course probably kills this.

                    We are dealing with several different hospitals. Each with their own requirements. One hospital offered us Keyfobs, then turned around and said, "you need 80+ - uh no", and made an IP bypass based solution for us. But we have another now causing us issues, I need to see if they can work with an app.

stacksofplates @Dashrender

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

Very true - I know I said Tokens aren't currently an option - so that of course probably kills this.

We are dealing with several different hospitals. Each with their own requirements. One hospital offered us Keyfobs, then turned around and said, "you need 80+ - uh no", and made an IP bypass based solution for us. But we have another now causing us issues, I need to see if they can work with an app.

                      I don't think we can help until we know what the requirements are. Is this TOTP or HOTP? Is it text or email based?

                      They have to tell you what the requirements are before you can look at different solutions.

Dashrender @stacksofplates

@stacksofplates said in 2FA - when required by your vendors, do you stipend your staff?:

I don't think we can help until we know what the requirements are. Is this TOTP or HOTP? Is it text or email based?

They have to tell you what the requirements are before you can look at different solutions.

As of this moment - for one of the healthcare systems, the requirement is a phone call. Looks like we can actually revoke this one user's access, so it will probably be a non-issue in a minute.

Emad R @Dashrender

                          @dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

                          The best option would be a PC based token.

                          I just found https://winauth.com/

                          Now the question is, does it break something you have, something you own, something you are?

                          I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?

Been using Winauth for some time now, and it is a very good option. But if it can also be installed on mobile, that is extra security, because if the machine gets formatted or the app gets uninstalled then you can no longer log in. Or you also need to record the secret key that generates the time-based codes, perhaps in KeePass, and back that up.

Hint: there is a plugin that allows KeePass to access DB files stored on Linux servers via SSH.

black3dynamite

Have you taken a look at Duo? Maybe one of these options might work.
                            https://duo.com/product/trusted-users/two-factor-authentication/authentication-methods/security-tokens

Dashrender @Emad R

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

Been using Winauth for some time now, and it is a very good option. But if it can also be installed on mobile, that is extra security, because if the machine gets formatted or the app gets uninstalled then you can no longer log in. Or you also need to record the secret key that generates the time-based codes, perhaps in KeePass, and back that up.

Hint: there is a plugin that allows KeePass to access DB files stored on Linux servers via SSH.

I heard a conversation about this, the idea of keeping your secret 2FA keys in KeePass/LastPass, etc. This is bad, because it puts your two separate authenticating pieces completely together.
i.e. if your password vault is ever breached, then they have also breached your tokens - they just load those keys into one of the authenticator apps and away they go.

So while I do like the idea of keeping a record of the secret keys, you can't store them anywhere as conveniently as in a password manager. Realistically, they should be printed and kept offline only.

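To make concrete what "the token" in this thread actually is, and why the point above about seeds in a password vault holds (and why stacksofplates' TOTP-vs-HOTP question matters), here is an added example that is not part of the original thread and is not WinAuth's or any vendor's code: a from-scratch RFC 4226 HOTP / RFC 6238 TOTP implementation in Python. The seed is the RFC 6238 reference secret (ASCII "12345678901234567890", base32-encoded), not a real account's, and the account and issuer names in the provisioning URI are made up. Anyone who holds the base32 seed, whether it sits in WinAuth's config file, on a phone, or in a KeePass entry, can compute every code these functions produce; "something you have" is the seed, wherever it happens to live.

```python
"""Minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) implementation.

Added example for this thread; not code from WinAuth or any vendor named above.
The sample seed is the RFC 6238 test-vector secret, not a real account's seed.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed sample seed: RFC 6238 reference secret "12345678901234567890" in base32.
SAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Decode the base32 seed an authenticator app stores (the QR code / 'secret key')."""
    seed_b32 = seed_b32.strip().replace(" ", "").upper()
    # Many apps omit '=' padding; restore it so b32decode accepts the string.
    return base64.b32decode(seed_b32 + "=" * (-len(seed_b32) % 8))


def hotp(seed_b32: str, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP: HMAC(seed, 8-byte big-endian counter) -> dynamic truncation -> N digits."""
    mac = hmac.new(decode_seed(seed_b32), struct.pack(">Q", counter),
                   getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed_b32: str, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """TOTP is HOTP whose counter comes from the clock: floor(unix_time / step).
    Every holder of the seed with a correct clock gets the same code."""
    now = time.time() if at is None else at
    return hotp(seed_b32, int(now) // step, digits, algo)


def verify_totp(seed_b32: str, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours
    to tolerate clock drift; compare in constant time."""
    now = time.time() if at is None else at
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(seed_b32, c, len(code)), code)
               for c in range(counter - window, counter + window + 1))


def provisioning_uri(seed_b32: str, account: str, issuer: str,
                     digits: int = 6, step: int = 30, algo: str = "sha1") -> str:
    """The otpauth:// URI behind an enrolment QR code. Note that the whole secret
    is right there in the 'secret' parameter: whoever reads it owns the factor."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={seed_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm={algo.upper()}&digits={digits}&period={step}")


if __name__ == "__main__":
    # Hypothetical account/issuer names, constructed for the demo.
    print(provisioning_uri(SAMPLE_SEED_B32, "alice@example.org", "Example Hospital"))
    print("current code:", totp(SAMPLE_SEED_B32))
```

The RFC test vectors (HOTP counter 0 is 755224; TOTP at Unix time 59 with 8 digits is 94287082) are the quickest way to confirm a home-grown or third-party token implementation before trusting it. `verify_totp` is the relying-party side: a vendor's server does roughly this, which is why a laptop running WinAuth, a phone, and a stolen KeePass entry are indistinguishable to it.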
Dashrender @black3dynamite

                                @black3dynamite said in 2FA - when required by your vendors, do you stipend your staff?:

Have you taken a look at Duo? Maybe one of these options might work.
                                https://duo.com/product/trusted-users/two-factor-authentication/authentication-methods/security-tokens

                                This would have to be supported by the vendor - this is not a choice I get to make.

Emad R @Dashrender

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

I heard a conversation about this, the idea of keeping your secret 2FA keys in KeePass/LastPass, etc. This is bad, because it puts your two separate authenticating pieces completely together.
i.e. if your password vault is ever breached, then they have also breached your tokens - they just load those keys into one of the authenticator apps and away they go.

So while I do like the idea of keeping a record of the secret keys, you can't store them anywhere as conveniently as in a password manager. Realistically, they should be printed and kept offline only.

For me the concept of losing an account is scary, meaning I don't want to lose my Gmail account because I lost a piece of paper, thus I treat it as a password.

Dashrender @Emad R

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

For me the concept of losing an account is scary, meaning I don't want to lose my Gmail account because I lost a piece of paper, thus I treat it as a password.

In that case, why have 2FA then?

Frankly, sure you're a little better off, but if your vault is compromised, literally everything is.

Emad R @Dashrender

@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:

In that case, why have 2FA then?

Frankly, sure you're a little better off, but if your vault is compromised, literally everything is.

It depends, I guess. My worry, if I am going to do this to users, maybe because I am accustomed to dealing with very IT-bad people, is that the account will be inaccessible all the time because they lost the 2FA, so thus I have to record it somewhere. My users forget their login password all the time; I have to reset it, they don't know how to reset it. So it depends. For me, I like to always keep records somewhere.

Dashrender @Emad R

@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:

It depends, I guess. My worry, if I am going to do this to users, maybe because I am accustomed to dealing with very IT-bad people, is that the account will be inaccessible all the time because they lost the 2FA, so thus I have to record it somewhere. My users forget their login password all the time; I have to reset it, they don't know how to reset it. So it depends. For me, I like to always keep records somewhere.

Then keeping a paper copy couldn't be hard for you: home safe, safety deposit box, heck, a filing cabinet at home.

                                        As for your users, if you're managing the system, you'll have reset options in place to assist resetting 2FA when needed.

                                        While people lose phones all the time, individually, it doesn't happen all that often. Combine that with the need/desire to secure access to systems/data, the risk is normally worth it.

                                        If you have a keyfob, you have zero backup available - you are stuck contacting the vendor to get the old keyfob disabled, and a new one assigned.

scottalanmiller @Deleted74295

                                          @breffni-potter said in 2FA - when required by your vendors, do you stipend your staff?:

                                          "It depends" on way more factors than 2FA.

                                          Do they currently have work emails on their personal device?
                                          If yes, why does introducing 2FA suddenly require stipends? If no, then provide them with physical tokens for 2FA instead.

                                          Maybe they "have to" vs. "they can"?

Dashrender @scottalanmiller

@scottalanmiller said in 2FA - when required by your vendors, do you stipend your staff?:

Maybe they "have to" vs. "they can"?

                                            Actually, in most of their cases, we purposefully prevent it. ActiveSync and Webmail are both deactivated for most of those users.
