2FA - when required by your vendors, do you stipend your staff?
-
A few of our local hospitals that we have remote access into their EHR have started using 2 factor authentication.
Fortunately, up to this point, we have been able to have the IPs of our facilities put in as a bypass to not need 2FA, but those days are coming to a close.
So, considering your staff has to have a way to get 2FA (phone call, mobile app), do you reimburse for part of the cost of an employees cell phone bill? (mind you phone calls will amount to less than 100 mins a month and the mobile app would be no reoccuring charge).
Phone calls to a phone within the building aren't possible because the users are to mobile, and mobile phones for on-prem use are not handed out.
If there is another option, please speak up.
-
How often are employees connecting? There are some nice account management tools like Beyond Trust where you can give accounts and temporary passwords for a set amount of time. The Beyond Trust server is used as a middle man and takes screenshots at a set interval. If the vendor or employee requires more time you can just extend their time without an issue.
-
"It depends" on way more factors than 2FA.
Do they currently have work emails on their personal device?
If yes, why does introducing 2FA suddenly require stipends? If no, then provide them with physical tokens for 2FA instead. -
You can see here that this is the ultimate account managment tool
-
We aren't managing the 2FA - the vendor (hospital) is. We can't dictate what they use.
-
@breffni-potter said in 2FA - when required by your vendors, do you stipend your staff?:
"It depends" on way more factors than 2FA.
Do they currently have work emails on their personal device?
If yes, why does introducing 2FA suddenly require stipends? If no, then provide them with physical tokens for 2FA instead.No they don't. Tokens are currently not an option.
-
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
We aren't managing the 2FA - the vendor (hospital) is. We can't dictate what they use.
And no one on your team has work emails on personal devices?
-
@breffni-potter said in 2FA - when required by your vendors, do you stipend your staff?:
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
We aren't managing the 2FA - the vendor (hospital) is. We can't dictate what they use.
And no one on your team has work emails on personal devices?
Those that have email on their personal devices are already covered (cost wise), so they are not part of this group.
I have 60 users that day labourers and they do not, nor are ever likely to have email access on their personal devices.
-
The 2FA is data only right? And they can set it to only work on wifi?
It really depends on the team you have, if you have...cheap mean spirited people on the team. Then yes you'll have to pay a stipend but make it like...cost of storing the app on their devices. $2 a year?
A bigger question, what if they don't have smartphones?
-
The best option would be a PC based token.
I just found https://winauth.com/
Now the question is, does it break something you have, something you own, something you are?
I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?
-
@breffni-potter said in 2FA - when required by your vendors, do you stipend your staff?:
A bigger question, what if they don't have smartphones?
Most places around here are doing the phone call thing, so if they have a dumb cellphone, that would still work.
Of course calls, like SMS, are totally hackable with SS7 redirects. But again, I'm not controlling these systems.
-
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
The best option would be a PC based token.
I just found https://winauth.com/
Now the question is, does it break something you have, something you own, something you are?
I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?
Wait why can't they use physical tokens if they can use this? A Yubikey generates an OTP like Google Auth or RSA but you don't have to type it in.
-
@stacksofplates said in 2FA - when required by your vendors, do you stipend your staff?:
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
The best option would be a PC based token.
I just found https://winauth.com/
Now the question is, does it break something you have, something you own, something you are?
I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?
Wait why can't they use physical tokens if they can use this? A Yubikey generates an OTP like Google Auth or RSA but you don't have to type it in.
Very true - I know I said Tokens aren't currently an option - so that of course probably kills this.
We are dealing with several different hospitals. Each with their own requirements. One hospital offered us Keyfobs, then turned around and said, "you need 80+ - uh no", and made an IP bypass based solution for us. But we have another now causing us issues, I need to see if they can work with an app.
-
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
@stacksofplates said in 2FA - when required by your vendors, do you stipend your staff?:
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
The best option would be a PC based token.
I just found https://winauth.com/
Now the question is, does it break something you have, something you own, something you are?
I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?
Wait why can't they use physical tokens if they can use this? A Yubikey generates an OTP like Google Auth or RSA but you don't have to type it in.
Very true - I know I said Tokens aren't currently an option - so that of course probably kills this.
We are dealing with several different hospitals. Each with their own requirements. One hospital offered us Keyfobs, then turned around and said, "you need 80+ - uh no", and made an IP bypass based solution for us. But we have another now causing us issues, I need to see if they can work with an app.
I don't think we can help until we know what the requirements are. Is this TOTP or HOTP? Is it text or email based?
They have to tell you what the requirements are before you can look at different solutions.
-
@stacksofplates said in 2FA - when required by your vendors, do you stipend your staff?:
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
@stacksofplates said in 2FA - when required by your vendors, do you stipend your staff?:
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
The best option would be a PC based token.
I just found https://winauth.com/
Now the question is, does it break something you have, something you own, something you are?
I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?
Wait why can't they use physical tokens if they can use this? A Yubikey generates an OTP like Google Auth or RSA but you don't have to type it in.
Very true - I know I said Tokens aren't currently an option - so that of course probably kills this.
We are dealing with several different hospitals. Each with their own requirements. One hospital offered us Keyfobs, then turned around and said, "you need 80+ - uh no", and made an IP bypass based solution for us. But we have another now causing us issues, I need to see if they can work with an app.
I don't think we can help until we know what the requirements are. Is this TOTP or HOTP? Is it text or email based?
They have to tell you what the requirements are before you can look at different solutions.
As of this moment - for one of the healthcare systems, the requirement is a phone call. Looks like we can actually revoke this one user's access, so it will probably be an non-issue in a min.
-
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
The best option would be a PC based token.
I just found https://winauth.com/
Now the question is, does it break something you have, something you own, something you are?
I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?
Been using Winauth for some time now, and it is very good option. But if it can be also installed on mobile that is extra security, cause if the machine gets formatted or the app gets uninstalled then you no longer can login. or you also need record the secret key that generated the time based codes, perhaps in Keepass and backup that.
Hint: there is plugin that allows keepass to access DB files stored in linux servers via SSH.
-
Have you taking a look at Duo? Maybe one of these options might work.
https://duo.com/product/trusted-users/two-factor-authentication/authentication-methods/security-tokens -
@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
The best option would be a PC based token.
I just found https://winauth.com/
Now the question is, does it break something you have, something you own, something you are?
I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?
Been using Winauth for some time now, and it is very good option. But if it can be also installed on mobile that is extra security, cause if the machine gets formatted or the app gets uninstalled then you no longer can login. or you also need record the secret key that generated the time based codes, perhaps in Keepass and backup that.
Hint: there is plugin that allows keepass to access DB files stored in linux servers via SSH.
I heard a conversation about this, the idea of keeping your secret 2FA keys in Keypass/Lastpass, etc. This is bad, because it puts your two separate authenticating pieces completely together.
i.e. if your password vault is ever breached, then they have also breached your tokens - they just use those keys to load up into one of the authenticator apps and away they go.So while I do like the idea of keeping a record of the secret keys, you can't store them anywhere as conveniently as in password manager. Realistically, they should be printed and kept offline only.
-
@black3dynamite said in 2FA - when required by your vendors, do you stipend your staff?:
Have you taking a look at Duo? Maybe one of these options might work.
https://duo.com/product/trusted-users/two-factor-authentication/authentication-methods/security-tokensThis would have to be supported by the vendor - this is not a choice I get to make.
-
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
@msff-amman-itofficer said in 2FA - when required by your vendors, do you stipend your staff?:
@dashrender said in 2FA - when required by your vendors, do you stipend your staff?:
The best option would be a PC based token.
I just found https://winauth.com/
Now the question is, does it break something you have, something you own, something you are?
I say no - you know your password, and you have your laptop. Why would a laptop be any different than you having your phone?
Been using Winauth for some time now, and it is very good option. But if it can be also installed on mobile that is extra security, cause if the machine gets formatted or the app gets uninstalled then you no longer can login. or you also need record the secret key that generated the time based codes, perhaps in Keepass and backup that.
Hint: there is plugin that allows keepass to access DB files stored in linux servers via SSH.
I heard a conversation about this, the idea of keeping your secret 2FA keys in Keypass/Lastpass, etc. This is bad, because it puts your two separate authenticating pieces completely together.
i.e. if your password vault is ever breached, then they have also breached your tokens - they just use those keys to load up into one of the authenticator apps and away they go.So while I do like the idea of keeping a record of the secret keys, you can't store them anywhere as conveniently as in password manager. Realistically, they should be printed and kept offline only.
For me the concept of losing an account is scary, meaning I dont want to lose my gmail account cause I lost piece of paper, thus I treat it as password.
