Geekzone: technology news, blogs, forums


Lias
#248518 29-Mar-2019 09:19

Work has an account that must have 2FA (AWS root user), and while we use IAM and individual accounts, for various reasons multiple people must have access to the root account and thus its 2FA token generator. We were using Authy and a "shared" Authy account, but that's now creating issues in that several of the users who need access to this don't have/want separate work and personal cellphones, and there's no easy way in Authy that we can see to move between multiple Authy accounts on a device (e.g. their personal Authy and the work one).


Does anyone have any suggestions for managing this? Are there any alternatives to Authy better suited for business use like this?





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup.


BarTender
#2206884 29-Mar-2019 10:05

I think Authy is your best solution. Other than that you should be using separate accounts per person and keep your master / admin accounts to only a select few.

I backup my TOTP codes into a password safe as well so the token can be easily re-generated as required.




freitasm
#2206889 29-Mar-2019 10:12

Authy is linked to a phone number so won't be easy to share.

Best is to have one or two Admin accounts and then create user accounts with a need-to-have access level only.





Please support Geekzone by subscribing, or using one of our referral links: Samsung | AliExpress | Wise | Sharesies | Hatch | GoodSyncBackblaze backup


cisconz
#2206891 29-Mar-2019 10:16

We use a single Android device that has remote control software on it for shared accounts.

It lives in the office on Wi-Fi and on charge, and has MS Authenticator and Authy.

We also use Tasker to take any inbound SMS and forward it to a shared mailbox; we can reply back with an email subject of the destination phone number and Tasker will take the content of that message and send it out too.

This is useful for sending customer passwords via SMS and not giving out individual cellphone numbers.

All voice calls are diverted to the office support line.





Hmmmm




gehenna
#2206898 29-Mar-2019 10:36

Admin accounts shouldn't be shared. Anyone who needs admin access should have their own account to use, with least-required privileges to perform their required tasks. There are so many reasons for this.


timmmay
#2206918 29-Mar-2019 10:52

You shouldn't be using the AWS root account regularly. Create IAM users and give them their own MFA token, or even better federate with on-premise if you have AD, but that's more work. If you can give us the good reason you need root account access maybe I can think some more about how to achieve this.
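The advice above that the root account should not be used day to day is easiest to hold to if every root login and root API call raises an alert. The script below is an added example written for this thread, not code posted by anyone here: it classifies root-account activity in CloudTrail records. The records are constructed samples (made-up account id, ARNs and IP addresses); the field names used (userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) follow the CloudTrail event schema, and the severity labels are my own choice.

```python
import gzip
import json
from collections import Counter

# Constructed sample CloudTrail records, not real logs. Account id, ARNs and
# IPs are made up; the field names follow the CloudTrail event schema.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2019-03-29T09:19:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-03-29T10:05:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:user/lias",
                      "userName": "lias"},
     "sourceIPAddress": "203.0.113.10",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2019-03-29T11:39:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2019-03-29T12:30:00Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "203.0.113.10"},
]


def load_cloudtrail_file(path):
    """Read one CloudTrail log file (gzipped JSON with a top-level "Records" list)."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


def classify_root_event(event):
    """Return (severity, reason) for one record, or None if it is not root activity."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "Root":
        return None
    if event.get("eventName") != "ConsoleLogin":
        # Root API calls (key creation, billing changes, ...) have no place in
        # routine operation; each one should become a ticket.
        return "high", "root API call: " + event.get("eventName", "?")
    outcome = event.get("responseElements", {}).get("ConsoleLogin")
    mfa = event.get("additionalEventData", {}).get("MFAUsed")
    if outcome == "Failure":
        return "high", "failed root console login (credential guessing or a lost-MFA lockout)"
    if mfa != "Yes":
        return "critical", "root console login without MFA"
    return "notice", "root console login with MFA (break-glass use, confirm it was planned)"


def root_activity_findings(events):
    """Scan records, oldest first, and return every root-account finding with context."""
    findings = []
    for event in sorted(events, key=lambda e: e.get("eventTime", "")):
        classified = classify_root_event(event)
        if classified is None:
            continue
        severity, reason = classified
        findings.append({
            "severity": severity,
            "reason": reason,
            "time": event.get("eventTime"),
            "source_ip": event.get("sourceIPAddress"),
            "account": event.get("userIdentity", {}).get("accountId"),
        })
    return findings


def severity_counts(findings):
    """Tally findings by severity, e.g. for a daily summary."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for finding in root_activity_findings(SAMPLE_CLOUDTRAIL):
        print(json.dumps(finding))
```

Point it at real CloudTrail files with load_cloudtrail_file and a loop over the bucket prefix; a successful MFA-backed root login is still reported, because on a "root is break-glass only" policy even the expected case should be matched against a change record.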


Lias
#2206933 29-Mar-2019 11:39

BarTender: I think Authy is your best solution. Other than that you should be using separate accounts per person and keep your master / admin accounts to only a select few.

freitasm: Best is to have one or two Admin accounts and then create user accounts with a need-to-have access level only.

gehenna: Admin accounts shouldn't be shared. Anyone who needs admin access should have their own account to use, with least-required privileges to perform their required tasks. There are so many reasons for this.

timmmay: You shouldn't be using the AWS root account regularly. Create IAM users and give them their own MFA token, or even better federate with on-premise if you have AD, but that's more work. If you can give us the good reason you need root account access maybe I can think some more about how to achieve this.


We are using individual IAM accounts with 2FA and don't regularly use the root account, but the business doesn't want the root account only accessible by any single individual or device in case of emergency/hit by a bus/device failure/etc.

 


cisconz: We use a single Android device that has remote control software on it for shared accounts.

It lives in the office on Wi-Fi and on charge, and has MS Authenticator and Authy.

We also use Tasker to take any inbound SMS and forward it to a shared mailbox; we can reply back with an email subject of the destination phone number and Tasker will take the content of that message and send it out too.

This is useful for sending customer passwords via SMS and not giving out individual cellphone numbers.

All voice calls are diverted to the office support line.



That's an interesting solution and one I might look into more if no one comes up with anything better.







timmmay
#2206934 29-Mar-2019 11:43

Get a few yubikeys, they're a hardware device and you can have multiple per account. They're about $40 each I think. I can probably find more information later if it's not obvious from a Google search, but we have done this.

 
 
 

Sounddude
#2206948 29-Mar-2019 12:14

I believe LastPass can handle 2FA, so you could have a shared LastPass account, which also handles the 2FA.

 

 


Lias
#2206959 29-Mar-2019 12:30

timmmay: Get a few yubikeys, they're a hardware device and you can have multiple per account. They're about $40 each I think. I can probably find more information later if it's not obvious from a Google search, but we have done this.

Cheers, will look into this.

 

Sounddude: I believe LastPass can handle 2FA, so you could have a shared LastPass account, which also handles the 2FA.

Pretty sure LastPass Authenticator is a separate product, not integrated with the password manager.







timmmay
#2206972 29-Mar-2019 13:01

I just checked my documentation, and had it slightly backwards - a single Yubikey can definitely let you into multiple AWS accounts. The workaround from memory was to have multiple users with admin rights with their own Yubikey.

In many places the root account credentials are locked in a safe, but that's not going to be helpful if your building is taken down by an earthquake. IAM users with admin rights are essential. Having AWS business support helps you get entry back into your account. You have to make sure the email address of the root account is updated and monitored and all contact details are accurate so AWS can validate your ownership of the account if they have to give you access.


Lias
#2207100 29-Mar-2019 14:26

timmmay: I just checked my documentation, and had it slightly backwards - a single Yubikey can definitely let you into multiple AWS accounts. The workaround from memory was to have multiple users with admin rights with their own Yubikey.

In many places the root account credentials are locked in a safe, but that's not going to be helpful if your building is taken down by an earthquake. IAM users with admin rights are essential. Having AWS business support helps you get entry back into your account. You have to make sure the email address of the root account is updated and monitored and all contact details are accurate so AWS can validate your ownership of the account if they have to give you access.


Cheers, we do have multiple (non root) admins with IAM + 2FA, and an AWS support contract so I'll go back to management and see what they want to do.







dfnt
#2207104 29-Mar-2019 14:43

timmmay: Get a few yubikeys, they're a hardware device and you can have multiple per account. They're about $40 each I think. I can probably find more information later if it's not obvious from a Google search, but we have done this.

 

I was going to suggest this as well.

Edit: But it seems you can only assign one Yubikey per account, which is annoying.


ANglEAUT
#2208317 31-Mar-2019 19:39

BarTender: ... I backup my TOTP codes into a password safe as well so the token can be easily re-generated as required.

 

Not advisable & never tried, but interesting thought experiment:

  • I know of somebody else who also backs up their QR code so that they can regenerate the token on a new device.
  • Get every admin into the same room at the same time (Ooohhh, DR management are gonna love this!)
  • Have each admin scan the same QR code displayed on their screen into their own Authy account




Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


timmmay
#2208329 31-Mar-2019 20:13

I don't think taking a photo of that square thing actually works if you photograph it later - I think it's time limited. I've done it with AWS in the past and pretty sure it didn't work. Anyone who does that, please try it out and post the result.


freitasm
#2208353 31-Mar-2019 23:08

ANglEAUT: BarTender: ... I backup my TOTP codes into a password safe as well so the token can be easily re-generated as required.

Not advisable & never tried, but interesting thought experiment:

  • I know of somebody else who also backs up their QR code so that they can regenerate the token on a new device.
  • Get every admin into the same room at the same time (Ooohhh, DR management are gonna love this!)
  • Have each admin scan the same QR code displayed on their screen into their own Authy account


Authy. It's linked to your mobile number and it syncs to a desktop native app too. Content is encrypted. If you lose your mobile, just get another one, a new SIM card with same number, the encryption key and off you go. 




