Friday, October 21, 2022

To TOTP, or NOT To TOTP, Traveler/Verse users, THAT is THE Question

 

Whether 'tis nobler in the mind (of users) to suffer The slings and arrows of outrageous fortune security guidelines, Or to take arms against a sea of (illogical) troubles, And, by opposing, end their tyranny upon us?

Shakespeare will have to live with my edits.

Enjoy the video because it is THE definitive way to say the quote :-)

Now that Collabpshere has finished, it was a great event once again managed by Richard Moy with a supporting cast of dozens of people, I had a follow-up item from my session.

I will post the slides once I find a new home now that Slideshare has gone paywall.

The question continues to arise about using TOTP for Verse(Traveler) users.

If you attended my session, you heard me discuss the pro (not sure if there is anything beyond my insurance/compliance or security people require it) and the many cons. 

If anyone has more PRO reasons, let me know, but for now, this is the slide I used.


Remember that current phones usually require a code, slide design, finger, face, or eye scan just to let you into your phone.

Then the Verse app has a login and password for itself.

Do you still need an MFA after 2 levels? 

Also, if the whole purpose of the MFA is to secure the mail application, what purpose does it serve by being on your phone, if your phone is lost or stolen? Let's say the robber has the initial code(stop using your birthday or kid's birthday or anniversary). Then having the fa there is totally useless. 

So, why do you want to enforce this?

Right, because your insurance company told you.

Oddly enough, they did not tell you to disable SSO(Single Sign On), which negates any aspect of MFA a computer might have to start with. Nor do they expect you to have an MDM solution, which is really what you need for this purpose. 

Traveler/Verse has some aspects of MDM, like remote wipe, but does not verify your device has the appropriate number of digits in your passcode.

So, again, why do you need to do this?

Have you asked for the technical guidance document from your insurance company?

You should let me know if any of them ever produce one. And if they have one, does it make any sense?

TOTP is URL-based, not Server or Domain-based.

You can let Verse users use the usual traveler.company.com URL without TOTP while maintaining TOTP enabled for webmail.company.com see my slide below.



Yes, you can change the TOTP time-out setting (https://help.hcltechsw.com/traveler/12.0.0/auth_timeout_totp.html), which I did on my personal server, so I only log in with TOTP if my phone has been off for more than 18 hours. This happens every weekend, I shut it off an hour before sunset and turn it back on after sunset on Saturday.

The choice is yours, as the Admin, but you will have more help desk tickets every Monday morning and possibly every time a user flies, and they will think they are locked out.

So, in the immortal words of the Bard of Avon,

 "Out of this nettle - danger - we pluck this flower - safety."

'Henry IV, Part 1' (1597) act 2, sc. 3, l. [11]


No comments:

Post a Comment