Break Glass Account with 2FA enabled

Question

Hello,With the recent enablement of 2FA for all Commvault Cloud environments, I have a question about break glass accounts.  Our company uses Okta and that is set up, so all our domain accounts are not affected by the 2FA enablement.  However, since our break glass account is not on the domain, it is tied to 2FA.  I have it set up to give me a PIN using Microsoft Authenticator.My question is, if I am out of the office or there is a DR situation, how are my teammates able to use the break glass account if needed?  It doesn’t look like the account can have multiple authenticator accounts attached to it.Thank you!

sbhatia · Accepted Answer

Hey! Best way to handle this is to set up at least two break glass accounts instead of just one. Give each account its own 2FA setup (like a different phone or security key) and assign them to different trusted teammates. That way, if one person’s unavailable, someone else can still get in during an emergency. Just makes things a lot safer and more reliable.

https://documentation.commvault.com/2024e/essential/adding_saml_application_01.html

Pradeep · Answer

Hi ​@Brent Atwood,Break Glass Account is an emergency administrative account that provides privileged access to critical systems or applications when normal administrative access is unavailable or compromised.Hence providing multiple authenticator is not an option here and due to security reason it does not allow more than 1 user to approve the request.

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded