Status Future consideration
Categories Account settings
Created by Daniel Viney
Created on Nov 24, 2021

Standards-compliant open 2FA support

If I search Big Ideas, I can find multiple ideas relating to 2FA - including requests for Yubikey support and Google Authenticator without SSO.


I want to dial it back a notch... today, in 2021, I am unable to turn on 2FA to protect our Aha! credentials (and the significantly sensitive company data behind those credentials on our strategy and plans to execute against that strategy) because we do not have a Duo account and we do not use Google SSO. I don't want to be forced down one of those paths to have a minimum standard of security; instead I want to use the tools and technologies we have already invested in and implemented within the company.


Can you please offer a standards-compliant TOTP-based 2FA option that will allow all your users, but importantly mine, to use the technology they have invested in to enable 2FA... RFC 6238-compliant 2FA will support any open and freely available tool, like Google Authenticator or Authy, or technologies businesses may have invested in like LastPass, 1Password, Trusona etc etc etc

  • Admin
    Joseph Antrosio
    Nov 30, 2021

    Thank you for the feedback. We will continue to track this idea to gauge interest.

    We recommend the use of SAML 2.0 SSO for our security-minded customers to be in complete control of the password and multi-factor experience and integrate with their chosen identity provider. This gives customers the most control and we support both cloud and on-premises identity providers.

    We also support Duo which offers free plans for small teams and allows per-customer configuration of the security tradeoffs that come with TOTP management. For example, how does a user that has lost their TOTP device clear it and reset it? If this reset process is not implemented securely, it undermines the whole implementation. Customers may have different requirements for reset: one-time codes that have to be saved in advance (and not lost), implementing reset by another admin, or SMS reset (which others may disallow). Duo provides this functionality in a configurable way and customers can configure it to meet their own security standards.
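The thread above touches two things a practitioner would want to see concretely: what an RFC 6238 TOTP check actually involves (so that any standard authenticator app works), and the reset problem the admin raises, since a sloppy recovery path undermines the second factor. The following is an added example written for this page; it is not Aha!'s code and says nothing about how Aha! or Duo implement anything. It uses the RFC defaults (HMAC-SHA1, 30-second step, 6 digits) and pairs the verifier with single-use recovery codes that are stored only as salted, slow hashes. The `window`, `STEP_SECONDS` and `DIGITS` names are this example's own; replay protection (rejecting a code already accepted in the same step) and rate limiting are also required in a real deployment and are deliberately left out to keep the block short.

```python
"""RFC 6238 TOTP verification plus hashed, single-use recovery codes.

Added example, not code from the original page or from Aha!. Vectors used in
the comments come from RFC 4226 / RFC 6238 (secret "12345678901234567890").
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # what most authenticator apps display
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    totp(b"12345678901234567890", 59) -> "287082" (RFC 6238 Appendix B)."""
    return hotp(secret, at // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str,
                now: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps
    to tolerate phone/server clock drift. Constant-time comparison so the
    check does not leak how many digits matched."""
    now = int(time.time()) if now is None else now
    counter = now // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


def _hash_code(code: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked table of recovery codes should not be
    # cheaply reversible, even though each code has only 40 bits of entropy.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def generate_recovery_codes(n: int = 8):
    """Return (plaintext codes to show the user exactly once,
    records the server stores). The server never keeps the plaintext."""
    plaintext, stored = [], []
    for _ in range(n):
        code = secrets.token_hex(5)            # 10 hex chars, e.g. "3f9a1c0b7e"
        salt = secrets.token_bytes(16)
        plaintext.append(code)
        stored.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return plaintext, stored


def redeem_recovery_code(stored: list, submitted: str) -> bool:
    """Consume a recovery code: valid exactly once, then marked used so the
    same code cannot serve as a permanent bypass of the second factor."""
    for entry in stored:
        if entry["used"]:
            continue
        if hmac.compare_digest(_hash_code(submitted, entry["salt"]), entry["hash"]):
            entry["used"] = True
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: enrol a secret, show the current code, burn one recovery code.
    secret = secrets.token_bytes(20)           # 160-bit seed, shared via QR/base32
    print("current code:", totp(secret, int(time.time())))
    codes, records = generate_recovery_codes()
    print("first recovery code works once:", redeem_recovery_code(records, codes[0]),
          "then fails:", redeem_recovery_code(records, codes[0]))
```

The `window` argument is the usual trade-off between usability and exposure: each extra step accepted roughly doubles the number of valid codes at any instant, so one step either side is the common choice. Recovery codes are the part the admin's reply is really about; whichever reset policy a customer picks, the code table should hold only hashes and every code should be consumable once.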