MFA for login to <tenant>.octopus.com

Is it possible to require those logging in to Octopus cloud to use MFA?

Right now, logins are by username/password only, and I’m not finding any easy way to e.g. require a phone OTP or text message during the login.

Hey Ali,

Thanks for reaching out.

The only way for you to require MFA would be to delete the users’ existing username/password accounts and have your users create their octopus.com accounts via one of the external services listed that have MFA functionality. Do you by chance use one of those services you can utilize? We currently use Google, Microsoft (AAD), and GitHub for external identities.

There is currently no built-in MFA to go along with Username/Password but I can pass along the feedback.

Please let me know what you think.

Best,
Jeremy


@jeremy.miller How would that flow work? Is it basically them choosing ‘Login as google’ during the signup process - then on login, they have to choose ‘Login as Google’ again?

Hey Ali,

Correct.

It would be best to just do it with 1 user to start with as a test to make sure it’s working just how you like it.

  1. Delete the current Octopus User in your organization through the control center at www.octopus.com (login, in the upper right click your profile then hit control center)
  2. Ensure the user is gone from your cloud instance
  3. Send that user a new invite (have them not be logged in to their other octopus account at www.octopus.com because as you said they’ll need to sign up with Login as Google)
  4. Have them click the invite and sign up using your preferred MFA auth (Login as Google, Microsoft, etc)
  5. At this point logging in to Octopus will now have the same MFA protections that your external auth has.

Please let me know if that helps and if it works for you.

Best,
Jeremy

Thanks, that’s not ideal though as it sounds like MFA won’t be enforced. They can still sign up without Google, and there’s no guarantee they have MFA on their Gmail.

Also, it excludes people who don’t have Gmail.

Hey Ali,

I agree, it’s not perfect. I have cascaded the feedback that it would be nice for our cloud solution to have a built-in first-party MFA, but it’s not currently on our roadmap so if it gets picked up you will still need to find something you are comfortable with in the meantime.

I’m sorry that I don’t have better news for you but hopefully an official MFA will come in the future.

Please let me know if you have any other questions or concerns.

Best,
Jeremy

So currently, is there no way to enforce MFA on all members?

Unfortunately our cloud solution lacks a method of enforcing it; it would require some amount of cooperation from your colleagues to make sure they’re only using MFA-enabled logins. I am definitely making sure this gets in front of our engineers, though, as I agree, this seems like an issue.

That being said, our On-Premise solution does allow for this, but it also requires you to have some sort of MFA solution like AAD or Okta set up. In that scenario, you would disable all forms of login other than AAD/Okta, and have everyone sign in through that.

You can’t do the equivalent via cloud because OctopusID is used by our system to perform maintenance and support on your instance; it cannot be disabled.

I’m sorry I don’t have better news for you. I hope that helps clear things up.

Please let me know if you have any other questions or concerns.

Best,
Jeremy
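As an added example (not from this thread and not Octopus Deploy's own documentation), here is the On-Premise lock-down Jeremy describes, expressed as the `Octopus.Server.exe configure` commands an administrator runs on the server host, followed by an API check for accounts that still carry a username/password login. The Azure AD tenant and client ids, the server URL and the install path are placeholders; the `Identities` / `IdentityProviderName` field names in the user resource and the provider name `"Octopus"` for username/password logins are assumptions to confirm against your server version, as are the flag names, which `Octopus.Server.exe configure --help` lists.

```powershell
# Added example: restrict an on-premise Octopus Server to an MFA-capable identity provider.
# Run in an elevated prompt on the Octopus Server host. Confirm flag names for your version:
#   & "C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe" configure --help
$octo = "C:\Program Files\Octopus Deploy\Octopus\Octopus.Server.exe"   # default install path (assumption)

# Placeholder ids for the directory you federate to; these are not real values.
$AadTenantId = "00000000-0000-0000-0000-000000000000"
$AadClientId = "11111111-1111-1111-1111-111111111111"

# 1. Enable the external provider first and sign in with it at least once as an
#    administrator, so that disabling passwords in step 2 cannot lock everyone out.
& $octo configure `
    --azureADIsEnabled=true `
    --azureADIssuer="https://login.microsoftonline.com/$AadTenantId" `
    --azureADClientId=$AadClientId
# Okta instead of Azure AD uses --oktaIsEnabled / --oktaIssuer / --oktaClientId.

# 2. Turn off the other login methods so the directory's MFA policy is the only door in.
& $octo configure `
    --usernamePasswordIsEnabled=false `
    --guestLoginEnabled=false

# 3. Restart the service so the new authentication settings take effect.
& $octo service --stop
& $octo service --start

# 4. Audit: list users who still have a username/password identity attached, which is the
#    "colleagues signed up the wrong way" case from the thread. Field names below are
#    assumptions; inspect one record from $Server/api/users before relying on them.
$Server = "https://octopus.example.internal"      # placeholder server URL
$ApiKey = $env:OCTOPUS_API_KEY                    # API key read from the environment, never hard-coded
$users  = Invoke-RestMethod -Uri "$Server/api/users?take=1000" `
                            -Headers @{ "X-Octopus-ApiKey" = $ApiKey }
$withPassword = $users.Items | Where-Object {
    ($_.Identities | ForEach-Object { $_.IdentityProviderName }) -contains "Octopus"
}
$withPassword | Select-Object Username, DisplayName, IsActive
```

Run step 4 again after every invite round; an empty list is the state you want once the password provider is disabled, because a leftover password identity on an account is a login path that bypasses the directory's MFA policy.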

Understood. It does make it a little difficult to use Octopus for production runbooks, etc, as someone losing access to their account could mean an attacker has access to run arbitrary code on production machines.

Are there any guidelines / workarounds to prevent that scenario?

In cloud, no. Unless you can ensure your colleagues are creating their accounts with AAD/Okta/Google accounts that have MFA enabled. I do agree this is an issue and I have put this in front of the correct people to take a look at. Unfortunately, it will take time to implement if/when we do. If you need to enforce MFA, I believe On-Premise will be your only option. You could potentially look into hosting an On-Premise version in the cloud on AWS/Azure or something to that effect.

Please let me know if you have any other questions.

Best,
Jeremy
