New Capability: TOTP Device Configuration Required for All Elevated Users Starting Next Week

@Bakhari could you let me know which tenant you’re trying this on so I can get my team to look into this? Thanks!

Never mind, I saw stewart-sb in the screenshot :slight_smile:

1 Like

Hi,
We have a breakglass account with admin permission. We use this account if any admin user faces issues logging into IdentityNow with their own account. All admin users have the credentials of the single breakglass account to use in case of emergency.
How do we configure MFA for such an account?

1 Like

We do not have the ability to only exclude one account right now, but we see that as valuable and will work to build that in.

In the case of the break-glass account for now you can:

  1. Leave it as is. You (hopefully) won’t need to use that break-glass account while we develop this other solution, so it won’t really cause any issues with TOTP on an account with multiple users.

  2. If you need to use the break-glass account, you can reach out to support to disable MFA temporarily to allow them to log in.

  3. Alternatively, you could set up TOTP on the break-glass account with one person, probably a manager or director, so they would need to coordinate with that person as well, which is an added layer of protection.

Ideally you would be storing the credentials for the break-glass account in a separate PAM solution. I hope that helps.

2 Likes

Hey Tyler! Hope you’re well! Any update on this?

1 Like

@Bakhari I’m still trying to track down an answer for you. Are you still seeing this same issue?

1 Like

Yep, no admin at the company can get logged in now.

1 Like

Recommend reaching out to your CSM and see if they can do a temporary rollback.

1 Like

@Bakhari This is rolled back now for you while we investigate.

2 Likes

Will the removal of admin step-up auth for SSO logins coincide with this change, or will it be removed at a later date?

1 Like

@jtharbison-slack This is in preparation for the removal of admin step-up auth, which will happen at the beginning of January, after the holidays.

1 Like

Thank you for the update. We are highly interested in the timing of step-up auth removal because it is a dependency for another project.

Probably January 2nd or 3rd.

We currently use RSA as our multifactor. Security Team doesn’t allow other options like text, email, or third party authenticators, etc.

Is there a way to use RSA as the multifactor for admins?

As long as RSA can scan in a QR code, it should work.

When scanning the QR code with RSA, it says invalid QR code.

When searching, I found that RSA does not support third-party TOTP (RFC 6238) products.

Is that what this is?

When is this getting rolled into the production environment?

Yes, that’s what this is.

Kirti

It rolled to the first segment of production on Thursday, the second segment this morning, and the third segment will roll to production tomorrow morning.

Is there a rollback?

Getting our Security and Risk to ok another authenticator app may not be simple.