Lias (5655 posts, Uber Geek)
#248518 29-Mar-2019 09:19
Work has an account that must have 2FA (the AWS root user), and while we use IAM and individual accounts, for various reasons multiple people must have access to the root account and thus its 2FA token generator. We were using Authy and a "shared" Authy account, but that's now creating issues in that several of the users who need access to this don't have/want separate work and personal cellphones, and there's no easy way in Authy that we can see to move between multiple Authy accounts on a device (e.g. their personal Authy + the work one).

 

Does anyone have any suggestions for managing this? Are there any alternatives to Authy better suited for business use like this?





I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.


BarTender (3629 posts, Uber Geek)
#2206884 29-Mar-2019 10:05

I think Authy is your best solution. Other than that you should be using separate accounts per person and keep your master / admin accounts to only a select few.

 

I backup my TOTP codes into a password safe as well so the token can be easily re-generated as required.




freitasm, BDFL - Memuneh, Administrator (80652 posts, Uber Geek)
#2206889 29-Mar-2019 10:12

Authy is linked to a phone number so won't be easy to share.

 

Best is to have one or two Admin accounts and then create user accounts with a need-to-have access level only.





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 


cisconz (1348 posts, Uber Geek)
#2206891 29-Mar-2019 10:16

We use a single Android device that has remote control software on it for shared accounts.

It lives in the office on Wifi and on charge, and has MS Authenticator and Authy.

We also use Tasker to take any inbound SMS and forward it to a shared mailbox; we can reply back with an email whose subject is the destination phone number and Tasker will take the content of that message and send it out too.

This is useful for sending customer passwords via SMS and not giving out individual cellphone numbers.

All voice calls are diverted to the office support line.





Hmmmm




gehenna, Moderator (8667 posts, Uber Geek)
#2206898 29-Mar-2019 10:36

Admin accounts shouldn't be shared. Anyone who needs admin access should have their own account to use, with least-required privileges to perform their required tasks. There are so many reasons for this.


timmmay (20858 posts, Uber Geek)
#2206918 29-Mar-2019 10:52

You shouldn't be using the AWS root account regularly. Create IAM users and give them their own MFA token, or even better federate with on-premise if you have AD, but that's more work. If you can give us the good reason you need root account access maybe I can think some more about how to achieve this.


Lias
#2206933 29-Mar-2019 11:39

BarTender: I think Authy is your best solution. Other than that you should be using separate accounts per person and keep your master / admin accounts to only a select few.

freitasm: Best is to have one or two Admin accounts and then create user accounts with a need-to-have access level only.

gehenna: Admin accounts shouldn't be shared. Anyone who needs admin access should have their own account to use, with least-required privileges to perform their required tasks. There are so many reasons for this.

timmmay: You shouldn't be using the AWS root account regularly. Create IAM users and give them their own MFA token, or even better federate with on-premise if you have AD, but that's more work. If you can give us the good reason you need root account access maybe I can think some more about how to achieve this.
We are using individual IAM accounts with 2FA and don't regularly use the root account, but the business doesn't want the root account only accessible by any single individual or device in case of emergency/hit by a bus/device failure/etc.

 


cisconz: We use a single android device that has remote control software on it for shared accounts. It lives in the office on Wifi and on charge, Has MS Authenticator and Authy. We also use Tasker to take any inbound SMS and forward to a shared mailbox, we can reply back with an email subject of the destination phone number and tasker will take the content of that message and send out too. This is useful for sending customer passwords via SMS and not giving out individual cellphone numbers. All voice calls are diverted to the office support line.

That's an interesting solution and one I might look into more if no one comes up with anything better.







 
 
 
 

timmmay
#2206934 29-Mar-2019 11:43

Get a few yubikeys, they're a hardware device and you can have multiple per account. They're about $40 each I think. I can probably find more information later if it's not obvious from a Google search, but we have done this.

Sounddude, "I fix stuff!" (1935 posts, Uber Geek, 2degrees)
#2206948 29-Mar-2019 12:14

I believe Lastpass can handle 2FA, so you could have a shared Lastpass account, which also handles the 2FA.

 

 


Lias
#2206959 29-Mar-2019 12:30

timmmay: Get a few yubikeys, they're a hardware device and you can have multiple per account. They're about $40 each I think. I can probably find more information later if it's not obvious from a Google search, but we have done this.

 

Cheers, will look into this.

 

Sounddude: I believe Lastpass can handle 2FA, so you could have a shared Lastpass account, which also handles the 2FA.

Pretty sure Lastpass Authenticator is a separate product, not integrated with the password manager.







timmmay
#2206972 29-Mar-2019 13:01

I just checked my documentation, and had it slightly backwards - a single Yubikey can definitely let you into multiple AWS accounts. The workaround from memory was to have multiple users with admin rights with their own Yubikey.

 

In many places the root account credentials are locked in a safe, but that's not going to be helpful if your building is taken down by an earthquake. IAM users with admin rights are essential. Having AWS business support helps you get entry back into your account. You have to make sure the email address of the root account is updated and monitored and all contact details are accurate so AWS can validate your ownership of the account if they have to give you access.


Lias
#2207100 29-Mar-2019 14:26

timmmay: I just checked my documentation, and had it slightly backwards - a single Yubikey can definitely let you into multiple AWS accounts. The workaround from memory was to have multiple users with admin rights with their own Yubikey. In many places the root account credentials are locked in a safe, but that's not going to be helpful if your building is taken down by an earthquake. IAM users with admin rights are essential. Having AWS business support helps you get entry back into your account. You have to make sure the email address of the root account is updated and monitored and all contact details are accurate so AWS can validate your ownership of the account if they have to give you access.

Cheers, we do have multiple (non root) admins with IAM + 2FA, and an AWS support contract so I'll go back to management and see what they want to do.







 
 
 

dfnt (1553 posts, Uber Geek)
#2207104 29-Mar-2019 14:43

timmmay: Get a few yubikeys, they're a hardware device and you can have multiple per account. They're about $40 each I think. I can probably find more information later if it's not obvious from a Google search, but we have done this.

 

I was going to suggest this as well

 

edit: But it seems you can only assign one yubikey per account which is annoying


ANglEAUT, altered-ego (2436 posts, Uber Geek)
#2208317 31-Mar-2019 19:39

BarTender: ... I backup my TOTP codes into a password safe as well so the token can be easily re-generated as required.

 

Not advisable & never tried, but interesting thought experiment:

  • I know of somebody else who also backs up their QR code so that they can regenerate the token on a new device.
  • Get every admin into the same room at the same time (Ooohhh, DR management are gonna love this!)
  • Have each admin scan the same QR code displayed on their screen into their own Authy account




Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


timmmay
#2208329 31-Mar-2019 20:13

I don't think taking a photo of that square thing actually works if you photograph it later - I think it's time limited. I've done it with AWS in the past and pretty sure it didn't work. Anyone who does that, please try it out and post the result.
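Worked example, added here by the editor and not taken from any post in this thread: a plain-Python (standard library only) RFC 6238 TOTP implementation that shows what the enrolment QR code discussed by BarTender, ANglEAUT and timmmay above actually contains. The QR is an otpauth://totp/ URI carrying a static base32 secret plus algorithm, digit count and period; the six-digit code rotates every 30 seconds, the secret behind it does not. Any authenticator seeded from the same payload, whether several phones scanning one screen, a photo of the QR scanned later, or a backed-up URI re-imported onto a new device, computes identical codes. That is why the seed (not the codes) is what belongs in a password safe, and also why every copy of the seed is a complete second factor in its own right and should be guarded like the root password. The sample URI below is constructed for the example: the label and issuer text are assumptions rather than AWS's exact format, and the secret is the RFC 6238 test key so the output can be checked against the RFC's table.

```python
"""RFC 6238 TOTP from an otpauth:// enrolment URI (standard library only).

Added example for this thread, not code from the original posts. The
sample URI is constructed; its label/issuer text is an assumption and
the secret is the RFC 6238 test key so results match the RFC's table.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment payload, i.e. what an authenticator's QR scanner
# actually reads. Nothing in it is time-limited.
SAMPLE_URI = (
    "otpauth://totp/Amazon%20Web%20Services:root%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Amazon%20Web%20Services"
)


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/<label>?secret=...&... URI into its parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"],
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def totp(secret_b32: str, at: int, *, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 code for Unix time `at`: HOTP over the period counter."""
    # Seeds get copied around with spaces, lower case and missing '=' padding;
    # normalise so a backed-up or re-typed secret still decodes to the same key.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = struct.pack(">Q", at // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def code_from_uri(uri: str, at: int) -> str:
    """What any device seeded from this URI displays at time `at`."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, algorithm=p["algorithm"],
                digits=p["digits"], period=p["period"])


def enrolment_codes(uri: str, at: int) -> tuple:
    """The two consecutive codes AWS asks for when activating a virtual MFA."""
    p = parse_otpauth(uri)
    first = at - (at % p["period"])                 # start of the current window
    return (code_from_uri(uri, first), code_from_uri(uri, first + p["period"]))


if __name__ == "__main__":
    now = int(time.time())
    print("label :", parse_otpauth(SAMPLE_URI)["label"])
    print("now   :", code_from_uri(SAMPLE_URI, now))
    print("enrol :", enrolment_codes(SAMPLE_URI, now))
```

Running the file prints the current code for the constructed seed; the interesting checks are that `totp` reproduces the RFC 6238 table values (287082 / 94287082 at T=59 for the SHA1 key) and that a lower-cased, space-separated copy of the seed yields the same code. AWS finishes virtual MFA activation by asking for two consecutive codes, which `enrolment_codes` produces from the window boundary; when that step fails against an old photo of a QR, the usual cause is clock skew on the device or a seed copied with its padding or case mangled rather than the payload having expired.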


freitasm
#2208353 31-Mar-2019 23:08

ANglEAUT:

BarTender: ... I backup my TOTP codes into a password safe as well so the token can be easily re-generated as required.

Not advisable & never tried, but interesting thought experiment:

  • I know of somebody else who also backs up their QR code so that they can regenerate the token on a new device.
  • Get every admin into the same room at the same time (Ooohhh, DR management are gonna love this!)
  • Have each admin scan the same QR code displayed on their screen into their own Authy account

 

Authy. It's linked to your mobile number and it syncs to a desktop native app too. Content is encrypted. If you lose your mobile, just get another one, a new SIM card with same number, the encryption key and off you go. 






 

