Setup 2FA using individual user accounts
Scenario
Under this scenario, you may have one or more salespeople who need to log in on different workstations (sales stations) but use a common shared account, for example:
salescounter@gotomyerp.cloud
The method described below allows each salesperson to have the 2FA code available on their own device, accessible only under their own account.
Pros:
- This method allows more flexibility, as the 2FA code for salescounter@gotomyerp.cloud is available in each user's 2FA app.
- It is secure, as long as the Security Best Practices are followed.
Cons:
- The setup is slightly more laborious, as each user will need to set up their own account and create the 2FA entry for salescounter@gotomyerp.cloud.
- Some proactive management of this setup is required, especially on employee departure, to prevent unauthorized access to the account.
Security Best Practices:
- This setup will allow each user to set up salescounter@gotomyerp.cloud in their 2FA app. While you may be tempted to create a common account for all the salespeople to log in to the Ente Auth app, please refrain from doing so, as this is a bad security practice: any 2FA codes added in addition to the gotomyerp account would end up being available to all employees who have that account. Please do create individual accounts!
- When an employee leaves, as a security best practice, it is highly advisable to remove the authentication method that is set up on the account, and re-share the new secret key with the remaining employees so they can re-add it in their app. This guarantees that unauthorized users no longer have access to these codes.
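To illustrate why the shared-secret model above behaves as described (one secret gives identical codes in every employee's app, and only a re-shared secret revokes a departed employee's copy), here is an added Python example that is not part of the gotomyerp or Ente Auth documentation. It implements RFC 6238 TOTP directly; the secrets, the employees Alice and Bob, and the server-side verify function are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secrets (base32, as a 2FA app imports them); not real credentials.
# NEW_SECRET is the RFC 6238 test key "12345678901234567890", so its known vectors apply.
OLD_SECRET = "JBSWY3DPEHPK3PXP"
NEW_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SHARED_ACCOUNT = "salescounter@gotomyerp.cloud"
STEP = 30  # seconds per TOTP window


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret_b32, at // STEP, digits)


def verify(submitted: str, secret_b32: str, at: int, window: int = 1) -> bool:
    """Hypothetical server-side check: +/- `window` steps of clock drift, constant-time compare."""
    return any(hmac.compare_digest(submitted, totp(secret_b32, at + d * STEP))
               for d in range(-window, window + 1))


def rotation_demo(at: int) -> dict:
    """Hypothetical staff Alice and Bob each hold the shared entry in their own 2FA app."""
    # Before departure: the identical secret in both apps yields identical, valid codes.
    alice_code, bob_code = totp(OLD_SECRET, at), totp(OLD_SECRET, at)
    # Bob leaves: the account's authenticator is removed and a new secret is
    # re-shared to Alice only, who replaces the entry in her app. Bob's app is untouched.
    alice_code_after = totp(NEW_SECRET, at)
    return {
        "account": SHARED_ACCOUNT,
        "same_code_before": alice_code == bob_code,
        "bob_valid_before": verify(bob_code, OLD_SECRET, at),
        "bob_valid_after": verify(bob_code, NEW_SECRET, at),  # old entry is now useless
        "alice_valid_after": verify(alice_code_after, NEW_SECRET, at),
    }
```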
Setup 2FA using a single computer
Scenario
Under this scenario, you may have one computer, for example a Sales Counter, that is shared by multiple employees working rotating shifts. This setup allows an employee to access the 2FA code stored on the Sales Counter computer only.
Pros:
- A very easy and secure setup
- The 2FA code resides only on the one computer, so there is little to no risk of an employee having access to it outside this context.
Cons:
- The 2FA setup using this method is not backed up. In the event that the computer is inaccessible, you may be locked out of the account and would need to contact support to reset it.
- Alternatively, additional 2FA methods may be added under the account security settings as a backup login mechanism.
- It is tied to the workstation where it is installed. If a user happens to need to log in on another workstation, they would still need access to this workstation to obtain the 2FA code.
Security Best Practices:
- While it is possible to use an account, we highly recommend that this setup is created without one. This reduces the risk of a bad actor with access to the shared account gaining access to that code from another device.
- It is highly recommended that the "App Lock" feature is enabled in the Ente Auth app. You may choose to protect it with a custom PIN, the computer PIN, or the computer account password. All are acceptable, depending on your preference and security stance for that account.