Multiple Device Logins/Sessions Using Same Passcode/Tokencode?
I had a power user ask an interesting question today. When some of our supported Systems and Network Engineers need fast access to multiple devices at the same time, as I understand, they have to wait for the Tokencode to roll over between multiple device logins.
In other words, they cannot use the same passcode for multiple sessions; it must be PIN+UniqueTokencode?
I can obviously see how this would be a security feature to limit access in event of compromise, but curious, is this configurable for the RSA SecurID service provider? This is something we would put forth to our change management for a policy decision.
A couple of use case examples:
- For the organizations we support, emergency support for their customers can require Network Engineers to log into multiple network devices quickly. Having to wait for the Tokencode to roll over, at 60 seconds, slows them by up to 7 to 10 minutes to an actionable access state in a provided example.
- Another example is for Environment Compliance Check activity. Logging into a group of network devices becomes tedious for power users attempting to login to, say, 5 to 10 devices at one time in order to review configurations.
I've had a look through the AM console and I'm not seeing any options to control this in policy, and have searched the site and community, but not seeing any notes or discussion on this topic. Seems like something others would have run into as well?
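The server-side behaviour the post describes (a PIN+tokencode accepted once, then rejected until the next rollover) as an added illustration, not code from RSA or from this thread; it uses the generic RFC 6238 TOTP algorithm with a constructed seed and a 60-second step, not RSA's proprietary SecurID algorithm or any Authentication Manager setting.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60  # tokencode rollover interval quoted in the thread


def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Authentication server: a passcode is valid for one login per time step."""

    def __init__(self, secret: bytes, pin: str):
        self.secret = secret
        self.pin = pin
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, passcode: str, now: float) -> str:
        step = int(now // STEP_SECONDS)
        if not passcode.startswith(self.pin):
            return "rejected: bad PIN"
        tokencode = passcode[len(self.pin):]
        if not hmac.compare_digest(tokencode, totp(self.secret, step)):
            return "rejected: bad tokencode"
        if step <= self.last_accepted_step:
            # Same tokencode presented again inside its window: treated as a replay,
            # which is why a second device login has to wait for rollover.
            return "rejected: tokencode already used"
        self.last_accepted_step = step
        return "accepted"


def demo():
    secret = b"constructed-demo-seed-not-real"  # constructed; real tokens use a provisioned seed
    v = TokenVerifier(secret, pin="1234")
    t0 = 1_700_000_000.0
    first_code = "1234" + totp(secret, int(t0 // STEP_SECONDS))
    next_code = "1234" + totp(secret, int((t0 + STEP_SECONDS) // STEP_SECONDS))
    return [
        v.verify(first_code, t0),                 # first device: accepted
        v.verify(first_code, t0 + 5),             # second device, same window: rejected
        v.verify(next_code, t0 + STEP_SECONDS),   # after rollover: accepted again
    ]
```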
Interesting idea, thanks @GabrielPython1
This would work for those periodic compliance situations, though I don't think we could get approval from our cyber leads, since fixed passcodes effectively disable MFA and create a gap.
Mentioned it to the NET ENG and he said they'd ideally need something more permanent and readily available. On our end, we'd need something without the requirement for close RSA administrative involvement.
I think ideally, we would be looking for something that would not require that much administrative involvement, or at the least, maybe a secondary authentication policy we could enact?
I didn't see anything in the policies that would let us configure multiple authentications under a single passcode session. Ultimately, this is the functionality we'd be looking to accomplish, even if it were a separate user account and token for specific use. Or perhaps a special group we would create for advanced access privs.
Seems like it would all hinge on being able to control the number of authentications allowed on a passcode?