2FA release

In Progress

Comments

16 comments

  • Luke McFadden

    Also very much looking forward to this implementation.

    0
  • Sergey Bystrov

    Guys,

    Would it be OK if we have it in our own thick client, but not an API?

    0
  • Fredrik Ahlsen

    2FA is really needed now.

    At least for cloud login you should have email verification for logins from new devices and a panel in the cloud to see a list of verified devices and a log of the last logins. And an option to revoke access for verified devices.

    I would also love to see support for Google Authenticator and an API in the future.

    0
  • Sergey Bystrov

    Guys, we are brainstorming implementation details.

    Can you provide user stories? It will help us better understand such things as:

    - whether 2FA is needed for the system, for the cloud account, or both

    - whether it is needed only for new devices or for any device

    etc.

    0
  • Luke McFadden

    Sergey Bystrov

    Our main want is 2FA for cloud accounts.  We do LDAP for local users.

    Not sure what you mean in regards to new devices or any device?  You mean 2FA only on first connection to a device?  Or for each device connection?

    0
  • Sergey Bystrov

    Guys, we are really looking forward to hearing user stories from you rather than simply saying "it's for cloud users".
    Otherwise, I'm afraid we will come up with a bad design.

     

    Let me give you some examples (off the top of my head):

    Example 1:

    I’m an integrator. I have access to a lot of cloud systems through my cloud account. I’m concerned about my account credentials being exposed since it’s a key to many systems. I use 2FA to enter the cloud.

    The above story tells me that the user should be able to force 2FA for his cloud account (not a specific system).

    Example 2:

    There is a big cloud system. The system has a few cloud users (mostly administrators) and some LDAP users with smaller privileges. The administrator wants every privileged user to have 2FA.
    The above story tells me that the admin should be able to force 2FA for cloud users of his system and only for his system.


    I hope it makes sense. We have some user stories, but we are really looking forward to hearing yours!!

    0
  • Luke McFadden

    Sergey Bystrov. Thanks for the details.  

    Example 1:  Yes, as an integrator, I desperately want 2FA to protect my account and other admin accounts.

    Example 2:  Yes, we want 100% enforcement of 2FA for any user with a cloud account at any level.  We are monitoring secure facilities with strict policies as we work with minors, so 2FA is highly needed.  We are unique in that we don't have specific compliances that we are forced to adhere to, but internally we have 2FA for anything related to our clients... EXCEPT NX.

     

    0
  • Veronika Nazarova

    Darren Wheatley

    Luke McFadden

    Luke McFadden

    Fredrik Ahlsen

     

    We’re in the process of designing the 2FA feature. I would appreciate it if you guys shared your thoughts on the concept.

    In short, 2FA will be configurable for cloud users only. As a second step of verification, any TOTP authenticator app can be used. An administrator is able to make 2FA mandatory for his system. It affects only cloud users, in that they won’t be able to log in to the system unless they turn on 2FA for their accounts. To restore access to an Nx Cloud account after losing access to the authenticator app, the user can choose between a code sent by email or a backup code.

    Does it comply with security policies in your organisations? Aren’t we missing any user story?

     

    0
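Added illustration of the concept outlined in the comment above; this is not Nx code and was not posted by any participant. It shows a TOTP second factor with one-time backup codes and the per-system "mandatory 2FA" rule for cloud users. The dictionary fields, the function names, the one-step drift window and the replay check are assumptions, and the email recovery path is left out.

```python
import base64, hashlib, hmac, struct, time

STEP = 30  # seconds per TOTP time step

def totp(secret_b32, now, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as computed by authenticator apps."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(now) // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def second_factor_ok(user, code, now):
    """Accept an unused TOTP code within +/-1 step, or a one-time backup code."""
    current = int(now) // STEP
    for step in (current - 1, current, current + 1):
        if step <= user["last_step"]:
            continue  # this step or a newer one was already used: no replay
        expected = totp(user["secret"], step * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            user["last_step"] = step
            return True
    digest = hashlib.sha256(code.encode()).hexdigest()
    if digest in user["backup_hashes"]:
        user["backup_hashes"].discard(digest)  # each backup code works once
        return True
    return False

def login_decision(user, system, code=None, now=None):
    """Decide a login to one system after the password check has passed."""
    now = time.time() if now is None else now
    if user["kind"] != "cloud":
        return "allow"  # LDAP/local users are outside the 2FA policy
    if not user["twofa_enabled"]:
        # The system's admin can make 2FA mandatory for its cloud users.
        return "deny: enable 2FA first" if system["require_2fa"] else "allow"
    if code is not None and second_factor_ok(user, code, now):
        return "allow"
    return "deny: second factor required"

# Constructed sample data (RFC 4226 test secret; not real accounts).
SECRET = base64.b32encode(b"12345678901234567890").decode()
ALICE = {"kind": "cloud", "twofa_enabled": True, "secret": SECRET, "last_step": -1,
         "backup_hashes": {hashlib.sha256(b"backup-0001").hexdigest()}}
BOB = {"kind": "cloud", "twofa_enabled": False}
CAROL = {"kind": "ldap"}
STRICT, LAX = {"require_2fa": True}, {"require_2fa": False}
```
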
  • Luke McFadden

    Veronika Nazarova

    Glad that NX is working on this.  This functionality sounds great, but please build in SAML support so we can use our own identity provider.  TOTP is better than nothing, but the industry standard is SAML support now.  This would allow us to use Duo for providing MFA and would fit in with our SSO standards.

    This is convenient from a user/admin perspective, but it also GREATLY increases security as we can have contextual policies we can configure within Duo (or JumpCloud, Okta, MS AAD / M365).  Examples of that would be limited access to a specific device, an authorized network, blocking mobile access, etc...  A lot of added functionality, but all dependent on SAML for MFA.  

    I think TOTP is needed as a minimum, but to scale, SAML is required as well.

    0
  • Veronika Nazarova

    Luke McFadden

    Thank you for your response and sorry for my late reply. I see your point and can imagine how painful it is to manage users across multiple systems. However, SAML integration is not something frequently requested. And what’s more, it doesn’t fit into our current cloud user management model, so this feature will require a lot of design and development effort. I cannot promise we will do it, but I’ve added your case to our internal feature requests backlog, so we could at least research it as soon as we have resources and take it into account when designing related features.

    FDBK-307

    0
  • Luke McFadden

    @veronika

    Thanks for the reply. Can you explain more about how the SAML/SSO approach does not fit your cloud user management model?

    From my perspective, ANY 2FA is better than no 2FA. But being able to provision/deprovision users through our IDP is something that nearly every service is moving towards. SAML and the SCIM. SCIM isn’t a requirement for us, but Nx is one of the few programs we use that we won’t be able to control the user accounts through our Identity Management. Which adds some confusion as well as we’ll have to use another app for 2FA rather than the one tied to our Identity Provider.

    This seems to be a compliance issue for large organizations.

    0
  • Veronika Nazarova

    Luke McFadden

    >> Can you explain more about how the SAML/SSO approach does not fit your cloud user management model?

    If we support SAML integration, each of our customers would like to configure Nx Cloud integration with their own IDP. It means there should be a more privileged user able to set up such integration and less privileged users that will be created from IDP integration. Currently Nx Cloud itself doesn’t have any user hierarchy. User dependencies and roles exist only within a certain system but not at Nx Cloud level. Also this hierarchy cannot be Nx Cloud-wide, so we’ll have to introduce some kind of segmentation to Nx Cloud in addition to cloud user roles.

    Moreover, we’ll have to add SAML authentication support not only to the Nx Cloud, but to all our clients and servers. Luckily, right now we are working on implementing an OAuth 2.0 scheme for authentication within our VMS components. It will take us a few more months to finish the implementation, but as soon as it is ready, SAML support in terms of authentication will be way more simple.

    So as you can see SAML support definitely is not something that can be easily added to Nx Cloud. Now we are working on the next year release and some of its features will bring us closer to SAML support. We haven’t planned yet the release that will go afterwards and that is why I can’t provide you with any clear estimates. 

    0
  • Ole Mykjaland

    When can we expect to have some kind of 2FA authentication, either on the Nx application or the cloud?

    This should have been there a long time ago as the other companies doing VMS software have done.

    <Edited by Nx; This is the Network Optix Community. Please do not link to other brands.>

    0
  • Norman - Nx Support

    Hi Ole Mykjaland,

    If all goes according to plan, we're aiming to add 2FA for the Nx Cloud users in our next release.

    0
  • Ole Mykjaland

    Ok, Thx for your prompt reply!

    I see that 2FA has been discussed for quite a long time. Any scheduled time for the next release? Hopefully with 2FA included :o)

    0
  • Norman - Nx Support

    Hello Ole Mykjaland,

    Giving any scheduled time makes no sense at this moment, since experience has taught us that there is always a valid reason for a delay. That being said, I hope for spring/summer 2022.

    0