fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Two-factor authentication for admins logging into Fleet w/o SSO #5478

Open GuillaumeRoss opened 2 years ago

GuillaumeRoss commented 2 years ago

why/how


Original request

Fleet does not provide capabilities for 2FA at the moment. We recommend using SSO with an IdP that enforces 2FA.

SSO within Fleet could be useful in a few different situations, such as:

  1. You are unable to use SSO, and want your Fleet instance to be safer.
  2. You are using SSO, but still want to have a second factor when logging in to Fleet for extra security. This can be useful when SSO is used with "day to day" accounts, to prevent a stolen session from the IdP from being used with tools like Fleet.

We also need to determine which type of 2FA we would support if we implemented this:

  1. Hardware security keys (with ability to enforce)
  2. Google authenticator style TOTP
  3. NO SMS or voice

We are opening this issue for comments. Please follow the issue and comment if you have other use cases.
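As an added illustration of what option 2 above (authenticator-app style TOTP) would involve on the server side, here is a stand-alone Go example. It is not Fleet's code and not part of this issue; it implements RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) together with the two checks a verifier needs beyond generating the code: a small clock-drift window, and replay protection so a code that was already accepted cannot be submitted again inside its validity window. The secret is the RFC 6238 reference secret, used here only as a constructed test value; the `Verifier` type and its method names are hypothetical. Hardware security keys (option 1) use WebAuthn, a different protocol, and are not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

const (
	totpStep   = 30 * time.Second // RFC 6238 default time step
	totpDigits = 6                // authenticator-app default code length
	totpSkew   = 1                // accept one step either side to absorb clock drift
)

// hotp computes the RFC 4226 HOTP value for a counter using HMAC-SHA1
// and dynamic truncation.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, code%mod)
}

// totpCounter maps a timestamp to its RFC 6238 step counter.
func totpCounter(t time.Time) uint64 {
	return uint64(t.Unix() / int64(totpStep/time.Second))
}

// totpAt returns the code an authenticator app would display at time t.
func totpAt(secret []byte, t time.Time) string {
	return hotp(secret, totpCounter(t))
}

// Verifier holds one account's shared secret and the highest step counter
// already accepted, so a code seen once cannot be replayed. (Hypothetical
// type for this example; a real deployment would persist this state.)
type Verifier struct {
	secret      []byte
	lastCounter uint64
	used        bool
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret}
}

// Verify accepts a submitted code if it matches the current step or one
// step either side, and that step has not been consumed already.
func (v *Verifier) Verify(code string, now time.Time) bool {
	if len(code) != totpDigits {
		return false
	}
	if _, err := strconv.ParseUint(code, 10, 32); err != nil {
		return false
	}
	base := int64(totpCounter(now))
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		if base+d < 0 {
			continue
		}
		c := uint64(base + d)
		if v.used && c <= v.lastCounter {
			continue // this step (or an earlier one) was already used
		}
		// Constant-time comparison so a mismatch leaks nothing about the digits.
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, c)), []byte(code)) == 1 {
			v.lastCounter = c
			v.used = true
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the RFC 6238 reference secret, not a real key.
	secret := []byte("12345678901234567890")
	v := NewVerifier(secret)
	t := time.Unix(59, 0)
	code := totpAt(secret, t)
	fmt.Println("code at t=59:", code)                      // 287082 (RFC 6238 vector, 6 digits)
	fmt.Println("first use accepted:", v.Verify(code, t))   // true
	fmt.Println("replay rejected:", v.Verify(code, t))      // false
	fmt.Println("wrong code rejected:", v.Verify("000000", t))
}
```

The replay check is what distinguishes a verifier from a generator: without `lastCounter`, the 90-second acceptance window created by `totpSkew` would let an observed code be reused, which matters for the break-glass and shared-service accounts mentioned later in this thread.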

defensivedepth commented 2 years ago

MFA is a key security control for unauthorized access and I would love to see FleetDM support it natively (outside of SSO)

12nick12 commented 1 year ago

I would love a simple TOTP 2FA. Security keys would be awesome, but anything is better than nothing.

BillysCoolJob commented 5 months ago

+1 to this as I would also love to see this implemented. We see a lot of orgs compromised due to having SSO deployed all across their org and would definitely like to have an independent MFA option for our services.

Edit: I've been informed by my team that this is a blocker for us to roll our instance out to production.

samleb commented 3 months ago

This would also be interesting for us 👍

noahtalerman commented 3 months ago

Thanks @samleb. What kind of 2FA would you want to use? Yubikey? Authenticator app? Something else?

noahtalerman commented 3 months ago

From customer-rosner: yubikey/webauthn would be (insert chef's kiss emoji)

noahtalerman commented 3 months ago

FYI @lukeheath ^

lukeheath commented 3 months ago

@noahtalerman This issue is not currently labeled for triage. Should it be?

james-callahan commented 2 months ago

We use the fleet<>Vanta integration, and it flags all local fleet accounts as not having MFA. (we have a backup fleet account for if SSO is down)

zayhanlon commented 2 months ago

@noahtalerman customer-preston and customer-rosner would like to participate in design reviews when we get to this in Q4

noahtalerman commented 2 months ago

We use the fleet<>Vanta integration, and it flags all local fleet accounts as not having MFA.

Hey @james-callahan! Thanks for sharing this. By local accounts do you mean accounts that use basic auth? (username and password)

Just making sure that Fleet <> Vanta is working as expected. For example, Fleet users w/ SSO aren't flagged in Vanta. It's only the users w/ basic auth.

james-callahan commented 2 months ago

Not just fleet users with username+password but also api-only users (including the Vanta user itself!)

On 16 July 2024 4:25:43 am AEST, Noah Talerman wrote:

We use the fleet<>Vanta integration, and it flags all local fleet accounts as not having MFA.

Hey @james-callahan! Thanks for sharing this. By local accounts do you mean accounts that use basic auth? (username and password)

Just making sure that Fleet <> Vanta is working as expected. For example, Fleet users w/ SSO aren't flagged in Vanta. It's only the users w/ basic auth.


noahtalerman commented 2 weeks ago

Hey @dherder @zayhanlon and @pintomi1989, we filed a separate user story here to carve off a piece of this request.

As per the new process we are leaving the original requests alone while the user story can change/evolve and will move through the drafting => engineering process.

This way, y'all and/or the requestor can easily validate whether what we're designing/building achieves the original ask.

I removed this request from the feature fest board.

dherder commented 6 days ago

@noahtalerman this is a blocker for prospect-seidel. https://us-65885.app.gong.io/call?id=7137028313068298352&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A603%2C%22to%22%3A675%7D%5D

camilodiazsal commented 4 days ago

+1 to this request. MFA is a must for a break-glass account. Yubikey / Authenticator App / 1Password integration