umbraco / Umbraco.Cloud.Issues

Public issue tracker for Umbraco Cloud

2FA on Kudu service #647

Open klaas-pggm opened 1 year ago

klaas-pggm commented 1 year ago

Issue description

I think it's great that the Umbraco identity platform has two-factor authentication. The Kudu service, though, is still available from any location using username and password. This makes the Umbraco service offering still vulnerable to compromised-password scenarios. From a security perspective, it would be desirable that the Kudu service could be IP filtered so we can restrict access to our network.

Is this by any chance feasible?

sajumb commented 1 year ago

Hi! Thanks for highlighting this. We are currently considering the option to enable MFA on the Kudu service as well. It is certainly possible to enable it, but due to dependencies between Kudu and the Umbraco Cloud underlying services for deployment, upgrades, etc., it will be important that we find the right solution so that these services will still be functional for all parties.

Thank you for your understanding. We will return when there is new information on the matter.

sajumb commented 1 year ago

We have evaluated various security initiatives and decided to add an IP filtering feature to support the existing security model. We will start development in a few weeks. You are very much welcome to send me your contact info in order to be included during the design and implementation process and/or in general to be kept in the loop. Have a great day!

c9mb commented 1 year ago

FWIW - IP Filtering can be an awkward technology to use as an alternative to 2FA. Personally, I develop at multiple locations, including some connected by HFC that provide a dynamic IP address. The basic authentication dialog also presents its own issues, including not being able to use password managers.

klaas-pggm commented 1 year ago

> We have evaluated various security initiatives and decided to add an IP filtering feature to support the existing security model. We will start development in a few weeks. You are very much welcome to send me your contact info in order to be included during the design and implementation process and/or in general to be kept in the loop. Have a great day!

Ok, that's great! IP filtering will work for us since our company uses 1 proxy with 2 public IP addresses. Looking forward to the feature.

klaas-pggm commented 9 months ago

I was about to open another ticket for the same problem because I have not heard back from this thread. Is there now a solution to have extra protection on the Kudu endpoints? As far as I can see it is still publicly open and I do not see a way to either filter IPs or to enable another type of 2FA. Could you please give me an update?

sajumb commented 9 months ago

Hi @klaas-pggm, We have looked into the various options and decided that IP filtering will be the best solution. We have not yet started the development. We will add an update in this issue thread when it has.

c9mb commented 9 months ago

@sajumb - Whilst I appreciate that IP Filtering provides a solution, I'm not sure that I'd consider it an optimal one. There are issues with this approach when you can't nominate an IP address for access - such as a need for access from a mobile location, or my own case of working from an HFC connection service that does not allocate permanent addresses - whereas 2FA is a reliable and flexible security challenge.

sajumb commented 9 months ago

Hi @c9mb, We have thoroughly evaluated the possibility of integrating MFA for Kudu access in Azure. However, our assessment concluded that IP filtering, which is directly supported by Microsoft, offers a more consistent and reliable method for securing Kudu access. This is primarily because MFA, while advantageous for enhancing security, currently receives limited and somewhat ambiguous support in the specific context of Kudu access within Azure environments.

For scenarios involving mobile access or when dealing with dynamic IP addresses, such as those provided by certain connection services, we expect the "Add my IP" feature would be somewhat useful. This feature allows for the temporary addition of an IP address to the whitelist, providing a flexible solution for accessing Kudu from varying locations. It should be used with consideration in case the given IP is shared with others. The vast majority of Kudu accesses will be using a known IP that only seldom will change.

klaas-pggm commented 9 months ago

This solution sounds perfectly usable for me. We do not use Kudu that often, and when we do, the "Add my IP" feature is fine for those occasions. We just have to remind ourselves to clean up the whitelisted IPs.
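The allowlist model discussed in the two comments above (permanent entries for a corporate proxy with a couple of fixed public IPs, plus temporary "Add my IP" entries that someone has to remember to remove) is easy to get wrong if the temporary entries never expire. The following is an added illustration written for this thread, not Umbraco Cloud's or Azure's code: it models an SCM/Kudu allowlist in which "Add my IP" entries carry an expiry, are denied once expired even before a cleanup pass runs, and can be purged. All names, the 8-hour TTL and the sample addresses are assumptions.

```python
"""Allowlist model for an SCM (Kudu-style) endpoint: permanent entries for known
egress IPs plus temporary "Add my IP" entries that expire automatically.

Added illustration for this issue thread; not Umbraco Cloud's or Azure's code.
Class/function names, the default TTL and the sample addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Entry:
    network: Network
    label: str
    expires: Optional[datetime]  # None means permanent (e.g. a corporate proxy)

    def is_expired(self, now: datetime) -> bool:
        return self.expires is not None and self.expires <= now


@dataclass
class ScmAllowlist:
    entries: List[Entry] = field(default_factory=list)

    def add_permanent(self, cidr: str, label: str) -> None:
        """Permanent rule for an address or range that rarely changes."""
        self.entries.append(Entry(ipaddress.ip_network(cidr, strict=False), label, None))

    def add_my_ip(self, ip: str, label: str, now: datetime,
                  ttl: timedelta = timedelta(hours=8)) -> Entry:
        """Temporary rule for exactly one host, valid for a bounded time.

        Refusing ranges keeps an "Add my IP" from accidentally opening a whole
        shared block (the shared-IP caveat raised in the thread).
        """
        net = ipaddress.ip_network(ip)  # a bare address becomes /32 or /128
        if net.num_addresses != 1:
            raise ValueError("Add my IP accepts a single address, not a range")
        entry = Entry(net, label, now + ttl)
        self.entries.append(entry)
        return entry

    def purge_expired(self, now: datetime) -> List[Entry]:
        """Remove expired temporary entries; returns what was removed."""
        expired = [e for e in self.entries if e.is_expired(now)]
        self.entries = [e for e in self.entries if not e.is_expired(now)]
        return expired

    def is_allowed(self, source_ip: str, now: datetime) -> bool:
        """Default deny. Expired entries grant nothing even if not yet purged."""
        addr = ipaddress.ip_address(source_ip)
        return any(addr in e.network for e in self.entries if not e.is_expired(now))


def demo() -> dict:
    """Walk through the scenario from the thread with constructed sample data."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    acl = ScmAllowlist()
    # Constructed: a company proxy with two fixed public IPs (documentation ranges).
    acl.add_permanent("198.51.100.10/32", "corp-proxy-a")
    acl.add_permanent("198.51.100.11/32", "corp-proxy-b")
    # Constructed: a developer on a dynamic-IP connection using "Add my IP".
    acl.add_my_ip("203.0.113.77", "dev-home-dynamic", now=t0)
    later = t0 + timedelta(hours=9)  # past the 8-hour TTL
    return {
        "proxy_ok": acl.is_allowed("198.51.100.11", t0),
        "temp_ok_now": acl.is_allowed("203.0.113.77", t0),
        "temp_ok_later": acl.is_allowed("203.0.113.77", later),
        "stranger": acl.is_allowed("192.0.2.5", t0),
        "purged": [e.label for e in acl.purge_expired(later)],
        "remaining": len(acl.entries),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the TTL is that the "remember to clean up" step becomes a safety net rather than the control itself: a forgotten entry stops granting access on its own, and `purge_expired` only tidies the list. A real Kudu/App Service access-restriction list is maintained through the platform, not through this class; the model only shows the semantics worth asking for.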

klaas-pggm commented 6 months ago

Could I get an update on this issue? Apparently this is not in place yet. Our security department is getting impatient.

sajumb commented 6 months ago

Thank you for reaching out regarding the security enhancements for Kudu access within Umbraco Cloud. As of now, there are no new updates regarding the implementation of additional security measures for Kudu access.