Require Helpdesk and Administrators to provide multiple factors of authentication to access NoTouch Center with TOTP support
Stratodesk Introduces MFA to NoTouch Center
With the introduction of NoTouch Center version 4.5.x Stratodesk are bringing MFA support to NoTouch Center to make the solution even more secure than it is already. The main driver behind this are the increased security threats that can be unintentionally introduced by employees, malware or key logging software that might steal passwords etc. We are also seeing a large number of customers looking to deploy NoTouch Center in their own public cloud platforms like Microsoft Azure, Amazon Web Services or Google Cloud and need extra layers of security when it comes to user authentication.
What MFA methods are supported?
NoTouch Center will support SMS via Twilio, email & TOTP via authentication apps from Microsoft, Google which we used in our own tests but others with the ability to scan a QR code should also work and can be set on a per user basis.
Time-based One-Time Password (TOTP) MFA
To enable TOTP MFA for the default ‘admin’ account, firstly select the user in the in the top right-hand side of the screen, and then select ‘Account Settings’ as shown below.
From here select ‘Configure TOTP MFA’ but you will also notice that we can also configure a user’s email address and mobile phone number if other authentication methods are used.
Next enable ‘TOTP MFA’ and then ‘Get New QR Code’
If you’ve previously configured TOTP MFA then you will see the warning below, so select ‘OK’ to continue.
Using your favorite authenticator application, select ‘Add Account’ and scan the QR code on the screen.
Once the QR code has been scanned, you can click OK to close the screen, and you TOTP application should be showing something similar to the image below showing a random 6-digit token that expires every 30 seconds.
The next time you try to log into NoTouch Center enter your username & password as you would do normally and select the login button.
If you’ve configured TOTP authentication correctly, you should then be prompted to provide an authentication token that you can get from the app you configured previously and then click login. If you wish to suppress this for a period of time, then of course you can do this although we don’t recommend it.
How to Configure MFA for non-Admin Users
If you’ve created additional users in NoTouch Center then MFA is configured in a slightly different way. This time select the user’s icon to go to the user’s screen and select the account or accounts that you want to enable MFA to.
On the next screen select the account you wish to configure and add any additional account information for the user like email address & mobile phone number and then scroll to the MFA parameters and enable TOTP authentication and then click ‘save’ & ‘close’
For added security, you can also restrict the IP addresses that can access NoTouch Center.
When the user logs in for the first time, they will be prompted to setup their authenticator app by scanning the QR code on the screen and can then enter the appropriate authenticator token.
Email Based MFA
Stratodesk NoTouch supports email-based MFA which can be configured in two ways, with the first using existing Gmail account credentials.
If the email from which you wish the users to receive MFA messages is a Gmail account, please provide only the username and password. Otherwise, you must configure SMTP settings below. If both Gmail and SMTP are configured, Gmail settings will take precedence. If you are using Gmail, then please refer to the following security guide for Enabling less secure apps to access Gmail and is a requirement for this feature to work https://hotter.io/docs/email-accounts/secure-app-gmail/
To use the feature simply provide your Gmail username & password.
You can then test the settings to ensure they are correct, by providing a valid email address, and clicking OK.
If the parameters have been configured correctly you will receive a notification confirming that the test email has been sent.
Next check the email account you sent the test email to, to confirm that the test email has been received.
Next you will need to enable email-based MFA for your users, ensuring you have specified their email address in their account profile and save the settings.
The next time the user logs into NoTouch Center, they should receive an email from NoTouch Center with their 6-digit code and will be able to log in.
The second option is to use your own SMTP servers, so simply provide the correct credentials based on the requested fields. Your email administrator should have this access easily available. Once configured you should be able to test the connection to verify that they work correctly.
The test process is the same as previously described for setting up Gmail based MFA. It’s also worth noting that if both Gmail and SMTP are configured, Gmail settings will take precedence.
Text Based MFA
Stratodesk NoTouch supports text-based MFA using the Twilio API, and you will need an Twilio active subscription to use the service. Once your subscription is active, you’ll need to add the following into NoTouch Center via the configuration settings.
Twilio Account SID Twilio Authentication Token Twilio Phone Number
Once you’ve added the parameters, save the settings. You can test these settings by using the ‘Test SMS Connection’ feature.
If successful, you should receive test message as shown below.
Next you will need to enable SMS based MFA for your users, ensuring you have specified their mobile number in their account profile.
Once complete save the settings and click close.
The next time the user logs-in they will receive an SMS message with a six-digit one-time passcode.
The user should then enter six-digit passcode to be authenticated. There’s also the option to suppress MFA from the trusted device for 20 days.