Open GuillaumeRoss opened 2 years ago
MFA is a key security control for unauthorized access and I would love to see FleetDM support it natively (outside of SSO)
I would love a simple TOTP 2FA. Security keys would be awesome, but anything is better than nothing.
+1 to this as I would also love to see this implemented. We see a lot of orgs compromised due to having SSO deployed all across their org and would definitely like to have an independent MFA option for our services.
Edit: I've been informed by my team that this is a blocker for us to roll our instance out to production.
This would also be interesting for us 👍
Thanks @samleb. What kind of 2FA would you want to use? Yubikey? Authenticator app? Something else?
From customer-rosner: yubikey/webauthn would be (insert chef's kiss emoji)
FYI @lukeheath ^
@noahtalerman This issue is not currently labeled for triage. Should it be?
We use the fleet<>Vanta integration, and it flags all local fleet accounts as not having MFA. (we have a backup fleet account for if SSO is down)
@noahtalerman customer-preston and customer-rosner would like to participate in design reviews when we get to this in q4
We use the fleet<>Vanta integration, and it flags all local fleet accounts as not having MFA.
Hey @james-callahan! Thanks for sharing this. By local accounts do you mean accounts that use basic auth? (username and password)
Just making sure that Fleet <> Vanta is working as expected. For example, Fleet users w/ SSO aren't flagged in Vanta. It's only the users w/ basic auth.
Not just fleet users with username+password but also api-only users (including the Vanta user itself!)
On 16 July 2024 4:25:43 am AEST, Noah Talerman @.***> wrote:
Hey @dherder @zayhanlon and @pintomi1989, we filed a separate user story here to carve off a piece of this request.
As per the new process we are leaving the original requests alone while the user story can change/evolve and will move through the drafting => engineering process.
This way, y'all and/or the requestor can easily validate whether what we're designing/building achieves the original ask.
I removed this request from the feature fest board.
@noahtalerman this is a blocker for prospect-seidel. https://us-65885.app.gong.io/call?id=7137028313068298352&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A603%2C%22to%22%3A675%7D%5D
+1 to this request. MFA is a must for break-glass account. Yubikey / Authenticator App / 1 Password integration
why/how
prospect-seidel: https://us-65885.app.gong.io/call?id=7137028313068298352&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A603%2C%22to%22%3A675%7D%5D
Original request
Fleet does not provide capabilities for 2FA at the moment. We recommend using SSO with an IdP that enforces 2FA.
SSO within Fleet could be useful in a few different situations, such as:
We also need to determine which type of 2FA we would support if we implemented this:
We are opening this issue for comments. Please follow the issue and comment if you have other use cases.