Admins supportint Executives after MFA deployment
I'm seeking your assitance on following use case. I recently was contacted by Executive Admin. In the past she would work from home and login as our CEO, who she supports, via VPN. After deploying MFA, she is obviously not able to do so as our CEO has activated his MFA. What we would like to achieve is to allow the admins to continue supporting their Executives via VPN if needed.
How can we achieve this after MFA is deployed? We are thinking of using secondary token that Admins can use. The question with this is, will it be possible for multiple people to be logged in at the same time? If not, what are the options/suggestions?
- Community Thread
- Forum Thread
- RSA SecurID
- RSA SecurID Access
- Token Auth
- Token Authentication
- Token Authenticator
- Token Authenticators
Hi Martin - from my perspective this is do'able if the organisation avails themselves of one of a few options. Basically provide the EA another authenticator that is _not_ the MFA App. Examples:
- Cloud-integrated SMS/Voice tokencode where the EA mobile/landline is listed under the Exec's user account
- Traditional SecurID token (hardware, software or OnDemand if licenced)
- If the VPN is a SSL-VPN and web browser is used, then a FIDO device can be used as an option as well. RSA resells the popular Yubikey NFC Series 5 for FIDO-based authentication to web resources.
On the second question - from the SecurID machinery side of things, there's unlikely to be a restriction in terms of authenticating successfully in this scenario. Now whether the VPN detects two separate logins from the same user account is unknown, you're best off testing this out to determine if that's the case and whether this can be disabled for this user account. That has little to do with RSA. But the short answer is that we'd allow a valid authenticator to be used in the way I've described above.