
We are thinking about enabling 2FA with Google Authenticator for all our services.

But the only concern for me now is that users will have to have a dedicated Authenticator account for every service, let's say:

  • Github
  • AWS
  • Gmail
  • Jenkins

Maybe there is a better approach?

Something like using a self-hosted TOTP service? Although this, I guess, will require SSO to be enabled between all accounts as well, but SSO is out of the scope of current tasks.

schroeder
setevoy
  • Some SSO providers support 2FA, so it might be worth looking at options like AWS SSO (I think that requires a RADIUS server for 2FA though) and G Suite SSO, since you're already using those to some extent. – Matthew Apr 16 '19 at 08:37
  • They do not need many dedicated Authenticator accounts, they need many accounts. One for each of those services. As long as that is true, then the MFA process will be separate for each account. I'm not sure why you are focused on MFA. Your solution is to reduce the number of accounts. – schroeder Apr 16 '19 at 09:02
  • @schroeder > reduce the number of accounts - by an SSO service, I guess? This is in our plans, but for later. I'm thinking about Okta, will see. – setevoy Apr 16 '19 at 11:39

1 Answer


Although there are lots of open standards for authentication, and for separating the authentication service from the application service, there are surprisingly few application providers willing to let you use your authentication service, i.e. it's simply not possible to impose your MFA solution on external providers.

That doesn't mean that you can't enforce MFA access on these services though. You just need to provide some proxy capability which can inject credentials into a session and put the MFA login on that proxy service; the users of the service never get to see the token (password, SSH key, certificate, passphrase...). This is catered for by most privileged access management solutions. I work with CyberArk which is very good at this - but also very expensive. There are other options available, but the cost of implementing any of them is likely to be orders of magnitude greater than rolling out your own Google Authenticator service.

symcbean