Forum / Remote Desktop Manager - Feature Request

2 Factor Granularity


Today, when 2 Factor is checked, it's required at login. This is great, but I'd like the option to check 2-factor at the Object level for High-Security Objects.

Since RDM is our main connection tool, for the 80% of the entries or so that use the prompt for the user's credentials at session, there's not much to protect. (Name, IP, etc. isn't a security issue.) However, when the session is linked to credentials, that may be a different story, or when you're attempting to access a specific session (Accounting, for ex.), you may want to always ensure 2-Factor login.

User Story is something like this: As a Devolutions Server Admin, I'd like to enroll users who need it into two-factor auth, but have the flexibility to require two-factor authentication at the Group or Object level rather than just at login, so that I can be sure at the time of execution that the user is who they were at login. There should be a timeout variable since last two-factor such that if a user connects to 2 protected sessions back to back they don't have to use two-factor for both. With this feature implemented, two-factor during authentication would be possible, but not required, and still enable protection of objects.

3 yrs

Sorry, this should have been posted in Devolutions Server, not RDM. (although it could go in both places)

3 yrs

Hi,
Just to be sure I understand: we would require the 2FA validation from the user for some specific entry. This means that the application will need to call the server to do the validation, and it will not be available in offline mode?

David Hervieux


3 yrs

Hi David,

Your understanding is correct, and I'd be willing to accept the offline limitation you mention; however, if you have a secure way of storing/caching data locally (client-side encryption), then you could also offer a feature to cache the user's 2-factor secret (assuming OTP-based) during their login for x days offline and execute 2F validation client-side.

Additionally, don't forget the elevated authentication timeout variable. If I execute a session with 2F attached at, say, 2 pm, and then try to execute another session with 2F attached at 2:15 and the Elevated timeout value is 30 mins, I wouldn't have to use 2F for objects until 2:31 pm.

3 yrs
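To make the rule discussed in the thread concrete, here is an added example (not Devolutions code) modelling step-up 2FA at the Group or Object level with a per-user elevation window; the entry names, groups and the `StepUpAuth` class are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict


@dataclass(frozen=True)
class Entry:
    name: str
    group: str
    requires_2fa: bool = False  # Object-level flag


@dataclass
class StepUpPolicy:
    protected_groups: frozenset = frozenset()  # Group-level flag
    elevation_timeout: timedelta = timedelta(minutes=30)

    def is_protected(self, entry: Entry) -> bool:
        # Protection is inherited from the group or set on the object itself.
        return entry.requires_2fa or entry.group in self.protected_groups


class StepUpAuth:
    """Server-side decision: does opening this entry need a fresh 2FA check?"""

    def __init__(self, policy: StepUpPolicy):
        self.policy = policy
        # Per user: the instant until which the last 2FA check still counts.
        self._elevated_until: Dict[str, datetime] = {}

    def needs_second_factor(self, user: str, entry: Entry, now: datetime) -> bool:
        if not self.policy.is_protected(entry):
            return False  # Plain entries never trigger step-up.
        until = self._elevated_until.get(user)
        return until is None or now >= until  # Window expired or never opened.

    def open_session(self, user: str, entry: Entry, now: datetime,
                     second_factor_valid: bool = False) -> str:
        """Return DENIED, OPENED, or OPENED_WITH_2FA for an attempt at `now`.

        `second_factor_valid` stands in for the server having verified the OTP."""
        if not self.needs_second_factor(user, entry, now):
            return "OPENED"
        if not second_factor_valid:
            return "DENIED"
        # A successful check elevates this user only, for the configured window.
        self._elevated_until[user] = now + self.policy.elevation_timeout
        return "OPENED_WITH_2FA"
```

Elevation is tracked per user, so one user's 2FA never unlocks protected entries for another.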