A user asked about using Multi-Factor Authentication (MFA) for Scoutbees with ControlUp, discussing external and internal scouts, static tokens, and options such as TOTP. Phone call verification and SMS-based MFA are both supported, as well as TOTP and static codes. Documentation was described as "clear as mud".
Read the entire ‘Using MFA with ControlUp and Scoutbees’ thread below:
I love Scoutbees as a product, and it is becoming a critical component of our service offering.
The config and settings to get the 100% benefit from it can be extensive, but that is due to the restrictions/design of Citrix (where we use it most).
The use of the internal scout and the external scouts gives such a strong early warning that it has saved my bacon on a few occasions by preventing customer P1s.
But the external scout is a hard sell with the customers’ security team. They don’t like the thought of providing a static token for 2FA.
I know there are other options on this, but documentation is, well, to be a bit rude, "clear as mud" 😜
What's the best way around having to use the static token for 2FA in external scouts?
We ended up creating a service account and excluding it from MFA so it could be used to run EUC scouts.
yep security would not go for it even with 16 digit password randomized every 2 weeks
It doesn’t have to be a static MFA. If you can do phone call based MFA, we can do that as well. Unless I’m wrong @member
Yeah, but the documentation on it is not clear, and when I went through support on it before I still could not understand the process and requirements to explain to customers.
ah gotcha. I can’t help you there. I only tangentially know about the functionality. Maybe @member can help clear up the docs?
Knowing basically nothing about ScoutBees, besides the basics…can the MFA be scripted in any manner at all to like pull a TOTP from a "service"? Our password storage solution has TOTP built-in and can be accessed via PowerShell.
Just something I was curious about. I don’t have Scoutbees because I never got it to work in my brief time testing it and it had the MFA issue for external use I couldn’t justify the extra cost. Maybe in the future.
When we were using DUO for MFA we used phone verification. Worked fine. Basically you get the phone number to use from CU and configure your service account to use that number in your MFA settings. We don’t use Duo any longer, so can’t say it still works, but it definitely used to.
@member even without the external scouts it's well worth it
@member that's what I need 😋 just need to understand how it works from a CU perspective so I can take it to the customer security
@member Yes, I will take it with @member
@member we can do both phone call verification (@member's explanation is on the spot) and SMS-based MFA – you are getting a dedicated phone number from us and set it as the service account verification number. On login, the MFA (Azure MFA, Duo, etc.) will send the code to that number and the test will read and use that code for the login process (there are various security checks involved in the process, but I will keep it aside for now). This way allows us to support login for dual-factor, dual-step gateways.
For dual-factor, single-step we’re working with TOTP (same as google authenticator) and static codes.
@member any chance you have some time to take me through the security stuff? I want to bring this to a customer but need to understand it well to get it approved by their security.
@member I want to bring this to a customer or two as soon as I can but want to get it working internally first. What's the process for me to get this set up on the ControlUp side?