MFA

From Stratodesk Knowledge Base
Jump to: navigation, search

Stratodesk Introduces MFA to NoTouch Center


With the introduction of NoTouch Center version 4.5.x Stratodesk are bringing MFA support to NoTouch Center to make the solution even more secure than it is already. The main driver behind this are the increased security threats that can be unintentionally introduced by employees, malware or key logging software that might steal passwords etc. We are also seeing a large number of customers looking to deploy NoTouch Center in their own public cloud platforms like Microsoft Azure, Amazon Web Services or Google Cloud and need extra layers of security when it comes to user authentication.


What MFA methods are supported?

NoTouch Center will support SMS via Twilio, email & TOTP via authentication apps from Microsoft, Google which we used in our own tests but others with the ability to scan a QR code should also work and can be set on a per user basis.


TOTP MFA

To enable TOTP MFA for the default ‘admin’ account, firstly select the user in the in the top right-hand side of the screen, and then select ‘Account Settings’ as shown below.

MFA 1.png


From here select ‘Configure TOTP MFA’ but you will also notice that we can also configure a user’s email address and mobile phone number if other authentication methods are used.

MFA 2.png


Next enable ‘TOTP MFA’ and then ‘Get New QR Code’

MFA 3.png


If you’ve previously configured TOTP MFA then you will see the warning below, so select ‘OK’ to continue.

MFA 4.png


Using your favorite authenticator application, select ‘Add Account’ and scan the QR code on the screen.

MFA 5.png


Once the QR code has been scanned, you can click OK to close the screen, and you TOTP application should be showing something similar to the image below showing a random 6-digit token that expires every 30 seconds.

MFA 6.png


The next time you try to log into NoTouch Center enter your username & password as you would do normally and select the login button.

MFA 7.png


If you’ve configured TOTP authentication correctly, you should then be prompted to provide an authentication token that you can get from the app you configured previously and then click login. If you wish to suppress this for a period of time, then of course you can do this although we don’t recommend it.

MFA 8.png


How to Configure MFA for non-Admin Users


If you’ve created additional users in NoTouch Center then MFA is configured in a slightly different way. This time select the user’s icon to go to the user’s screen and select the account or accounts that you want to enable MFA to.

MFA 9.png


On the next screen select the account you wish to configure and add any additional account information for the user like email address & mobile phone number and then scroll to the MFA parameters and enable TOTP authentication and then click ‘save’ & ‘close’

MFA 10.png


For added security, you can also restrict the IP addresses that can access NoTouch Center.

When the user logs in for the first time, they will be prompted to setup their authenticator app by scanning the QR code on the screen and can then enter the appropriate authenticator token.

MFA 11A1.png


Email Based MFA


Stratodesk NoTouch supports email-based MFA which can be configured in two ways, with the first using existing Gmail account credentials.

If the email from which you wish the users to receive MFA messages is a Gmail account, please provide only the username and password. Otherwise, you must configure SMTP settings below. If both Gmail and SMTP are configured, Gmail settings will take precedence. If you are using Gmail, then please refer to the following security guide for Enabling less secure apps to access Gmail and is a requirement for this feature to work https://hotter.io/docs/email-accounts/secure-app-gmail/

To use the feature simply provide your Gmail username & password.

MFA 13.png

You can then test the settings to ensure they are correct, by providing a valid email address, and clicking OK.

MFA 14.png

If the parameters have been configured correctly you will receive a notification confirming that the test email has been sent.

MFA 15.png

Next check the email account you sent the test email to, to confirm that the test email has been received.

MFA 16.png

Next you will need to enable email-based MFA for your users, ensuring you have specified their email address in their account profile and save the settings.

MFA 17.png

The next time the user logs into NoTouch Center, they should receive an email from NoTouch Center with their 6-digit code and will be able to log in.

MFA 18.png

The second option is to use your own SMTP servers, so simply provide the correct credentials based on the requested fields. Your email administrator should have this access easily available. Once configured you should be able to test the connection to verify that they work correctly.

MFA 19.png

The test process is the same as previously described for setting up Gmail based MFA. It’s also worth noting that if both Gmail and SMTP are configured, Gmail settings will take precedence.


Text Based MFA


Stratodesk NoTouch supports text-based MFA using the Twilio API, and you will need an Twilio active subscription to use the service. Once your subscription is active, you’ll need to add the following into NoTouch Center via the configuration settings.

Twilio Account SID Twilio Authentication Token Twilio Phone Number

MFA 20.png

Once you’ve added the parameters, save the settings. You can test these settings by using the ‘Test SMS Connection’ feature.

MFA 21.png


MFA 22.png

If successful, you should receive test message as shown below.

MFA 23.png

Next you will need to enable SMS based MFA for your users, ensuring you have specified their mobile number in their account profile.

MFA 24.png

Once complete save the settings and click close.

The next time the user logs-in they will receive an SMS message with a six-digit one-time passcode.

MFA 25.png

The user should then enter six-digit passcode to be authenticated. There’s also the option to suppress MFA from the trusted device for 20 days.

MFA 26.png