Got a question on behalf of a consultant company we use, and I've struggled to find a solution with them
Our consultant company uses RDM to connect to our system and several of their other clients.
Our insurance now requires MFA for any remote connections, no exceptions. This means that the 3 generic accounts we created for the consultant corp need a different solution. At first we issued accounts with DUO MFA and it works fine for the handful of regular consultants we have. The issue is one-off users or when issues get escalated to their corp SMEs. Having to create an account for every one-off user at each ticket request just really is not workable long term, especially when timezones are 7 hrs apart. We trust the consultant company enough that any of their employees, we trust to gain access to our system.
What are some other options to satisfy the mfa requirement but without the tedious management of individual external accounts?
In my head I can imagine a generic account tied to a rotating key, that can be viewed on the client by any of their users.
Hi Ryan,
We recently added a function to require MFA on session as part of our access request workflow with privileged accounts.
https://docs.devolutions.net/server/web-interface/administration/modules/privileged-access/checkout-policies
This will allow you to enforce the requirement for session MFA within RDM.
At the same time, you can create contractor user accounts and set an expiration on these accounts that will be used by the consultants - https://devolutions.net/blog/spotlight-on-manage-external-users-with-the-contractor-user-type/
The idea is that you can still use a few accounts used by them but on a temporary basis (you can set an expiration date).
This way, MFA is always enforced on sessions (you can use a code sent by email) and you won't have a ton of accounts to manage.
Does that sound like something that could work for you?
Best regards,
Mark Beausejour