SecurID® Discussions

MartinPiroh
Occasional Contributor

Admins supporting Executives after MFA deployment

Hello,

I'm seeking your assistance on the following use case. I was recently contacted by an Executive Admin. In the past she would work from home and log in as our CEO, who she supports, via VPN. After deploying MFA, she is obviously not able to do so, as our CEO has activated his MFA. What we would like to achieve is to allow the admins to continue supporting their Executives via VPN if needed.

How can we achieve this after MFA is deployed? We are thinking of using a secondary token that Admins can use. The question with this is, will it be possible for multiple people to be logged in at the same time? If not, what are the options/suggestions?

Thank you,

Martin

CraigDore
Frequent Contributor

Hi Martin - from my perspective this is doable if the organisation avails themselves of one of a few options. Basically, provide the EA another authenticator that is _not_ the MFA App. Examples:

  • Cloud-integrated SMS/Voice tokencode where the EA's mobile/landline is listed under the Exec's user account
  • Traditional SecurID token (hardware, software or OnDemand if licenced)
  • If the VPN is an SSL-VPN and a web browser is used, then a FIDO device can be used as an option as well. RSA resells the popular YubiKey NFC Series 5 for FIDO-based authentication to web resources.

On the second question - from the SecurID machinery side of things, there's unlikely to be a restriction in terms of authenticating successfully in this scenario. Now, whether the VPN detects two separate logins from the same user account is unknown; you're best off testing this out to determine if that's the case and whether this can be disabled for this user account. That has little to do with RSA. But the short answer is that we'd allow a valid authenticator to be used in the way I've described above.

Cheers

Craig
