Skip to main content
Solved

Multi Factor Authentication (MFA) Flaw


Forum|alt.badge.img+1

I started looking at the MFA on Command Centre and baffled as it is flawed. If my domain account has been compromised, I would be expecting the second factor to be the 2nd line of defence. But no, you can request a new pin that gets sent to your compromised domain account e-mail address. I then looked to see if I can amend my account by adding an external e-mail address, but LDAP pulls this from the domain and can not be edited. By editing the e-mail script we can omit the pin, but I think this hasn’t been thought through by Commvault, considering that backups are supposed to be the last line of defence against a cyber attack the two factor serves only to delay the time it takes for SMTP to deliver a new pin.

Best answer by Anand

@dude  In other words, yubikey option doesn’t get invoke, when we do SSO.  In case of ADFS, yubikey support need to be added in AD. When token comes back to us, user is already marked authenticated. Internally we have tried yubikey with Azure AD setup and it worked fine. Currently we are adding feature to allow local or direct AD user authentication with yubikey.

Editing in FR25 to mark this as the best (and complete) answer.

 

 

 

 

View original
Did this answer your question?

29 replies

MichaelCapon
Vaulter
Forum|alt.badge.img+14

This is an issue when using domain user accounts. - If you omit the PIN from the Email, you can use one of the supported App’s to generate the PIN.

For Domain accounts you could give a “View Only” role to avoid any compromised accounts making changes.


You could use a local user account (non-domain) that has privileges in the CommCell and add the users email address to that local account. 

Then to be compromised they would have to obtain the Commvault local credentials and the user’s domain credentials for the PIN email.

 

Best Regards,

Michael


Mike Struening
Vaulter
Forum|alt.badge.img+23

@Dancer , I’ll speak to some internal folks about this.


Forum|alt.badge.img+1
  • Author
  • Bit
  • 3 replies
  • May 19, 2021

That was meant to say “considering backups is supposed to be the last line of defence”


Mike Struening
Vaulter
Forum|alt.badge.img+23
Dancer wrote:

That was meant to say “considering backups is supposed to be the last line of defence”

I edited the original post for you :grin:

I have asked some devs to take a look at this thread as well!


Forum|alt.badge.img
  • Vaulter
  • 1 reply
  • May 20, 2021

we are checking this internally with

 @Divya Trivedi@Tharun Pathepuram  @Anand 


we will get back on this.


Forum|alt.badge.img+2
  • Vaulter
  • 7 replies
  • May 20, 2021
Dancer wrote:

I started looking at the MFA on Command Centre and baffled as it is flawed. If my domain account has been compromised, I would be expecting the second factor to be the 2nd line of defence. But no, you can request a new pin that gets sent to your compromised domain account e-mail address. I then looked to see if I can amend my account by adding an external e-mail address, but LDAP pulls this from the domain and can not be edited. By editing the e-mail script we can omit the pin, but I think this hasn’t been thought through by Commvault, considering that backups are supposed to be the last line of defence against a cyber attack the two factor serves only to delay the time it takes for SMTP to deliver a new pin.

This is being worked on. 

  1. Option to block the pin to be sent in email.
  2. Option to set the email for the AD/LDAP account if user has rights.

Forum|alt.badge.img+1
  • Author
  • Bit
  • 3 replies
  • May 21, 2021

Great stuff. Maybe the AD/LDAP email address should stay for the purpose of scheduled reports etc, but a 2nd e-mail field used exclusively for recovery purposes. Users should be flagged that their recovery email address is empty if MFA is enabled, and periodically prompted (6 months) to check their details are still correct. I also think any manual amending of the e-mail address be limited to the user, therefore a administrator can create\disable an account but not amend it.


Forum|alt.badge.img+1
  • Author
  • Bit
  • 3 replies
  • May 21, 2021

We also just discovered disabling SSO has forced the java client to prompt for 2 factor auth. For wider community as I presume you know this.


Forum|alt.badge.img+2
  • Vaulter
  • 7 replies
  • May 24, 2021
Dancer wrote:

Great stuff. Maybe the AD/LDAP email address should stay for the purpose of scheduled reports etc, but a 2nd e-mail field used exclusively for recovery purposes. Users should be flagged that their recovery email address is empty if MFA is enabled, and periodically prompted (6 months) to check their details are still correct. I also think any manual amending of the e-mail address be limited to the user, therefore a administrator can create\disable an account but not amend it.

I understand that you want end user to amend the email but admin may not like it. They would like to keep the user email same as AD email to avoid defragmentation, data leak or security issues. We are targeting to update the email only when it’s empty. Ex- service account, SAML account etc. 


Forum|alt.badge.img+2
  • Vaulter
  • 7 replies
  • May 24, 2021
Dancer wrote:

We also just discovered disabling SSO has forced the java client to prompt for 2 factor auth. For wider community as I presume you know this.

Second factor is asked only when CV does the password authentication. When password is validated thru SSO or IDP, we act as relying party. 


dude
Byte
Forum|alt.badge.img+15
  • Byte
  • 287 replies
  • June 3, 2021

@Anand any way to get ADFS and allow Yubikeys?


dude
Byte
Forum|alt.badge.img+15
  • Byte
  • 287 replies
  • June 7, 2021

@Mike Struening just wondering if you would be able to look my question above about ADFS/Yubikey and check internally? Thanks


Forum|alt.badge.img+2
  • Vaulter
  • 7 replies
  • Answer
  • June 7, 2021

@dude  In other words, yubikey option doesn’t get invoke, when we do SSO.  In case of ADFS, yubikey support need to be added in AD. When token comes back to us, user is already marked authenticated. Internally we have tried yubikey with Azure AD setup and it worked fine. Currently we are adding feature to allow local or direct AD user authentication with yubikey.

Editing in FR25 to mark this as the best (and complete) answer.

 

 

 

 


Mike Struening
Vaulter
Forum|alt.badge.img+23

@dude , let me know if @Anand ‘s reply satisfied your question :nerd:


dude
Byte
Forum|alt.badge.img+15
  • Byte
  • 287 replies
  • June 7, 2021
Anand wrote:

@dude  In other words, yubikey option doesn’t get invoke, when we do SSO.  In case of ADFS, yubikey support need to be added in AD. When token comes back to us, user is already marked authenticated. Internally we have tried yubikey with Azure AD setup and it worked fine. Currently we are adding feature to allow local or direct AD user authentication with yubikey.

 

 

 

 

@Anand I`m not sure I understand. It is currently not supported but it is coming in future release? do you  know when?


Mike Struening
Vaulter
Forum|alt.badge.img+23

Hey @Anand , do you have any ETA on release for @dude ?


Mike Struening
Vaulter
Forum|alt.badge.img+23

@dude , this is coming inFR25.


dude
Byte
Forum|alt.badge.img+15
  • Byte
  • 287 replies
  • June 15, 2021
Mike Struening wrote:

@dude , this is coming inFR25.

Thanks


Mike Struening
Vaulter
Forum|alt.badge.img+23

Anytime, man!


Mohit Chordia
Byte
Forum|alt.badge.img+11

@Mike Struening :

@dude 

@Anand 

Do we have the the option in FR25 now to disable PIN over email feature ? If yes , please share the documentation.


dude
Byte
Forum|alt.badge.img+15
  • Byte
  • 287 replies
  • December 9, 2021

@Mohit Chordia you do not need to use PIN over email. You have additional options such as Google Authenticator App, Microsoft Authenticar App, Commvault Token Desktop.

Refer to : https://documentation.commvault.com/11.24/expert/7935_pin_generating_tools.html


Mohit Chordia
Byte
Forum|alt.badge.img+11

@dude 

I understand that PIN generating apps can be used  but is there any option to disable PIN over email feature in 11.25 . I want to ensure that if a user is not using PIN generating app should not receive the PIN over email.

Any new capabilities added in 11.25 for MFA ?

Regards, Mohit


dude
Byte
Forum|alt.badge.img+15
  • Byte
  • 287 replies
  • December 9, 2021
Mohit Chordia wrote:

@dude

I want to ensure that if a user is not using PIN generating app should not receive the PIN over email.

Any new capabilities added in 11.25 for MFA ?

Regards, Mohit

Ohh sorry I misundertood you before. Looking at the docs, I am not quite sure it is documentated or if it is possible. I would recommened opening a case with that request and if that is not possible today, I`m sure they would provide options to get around that.


Mohit Chordia
Byte
Forum|alt.badge.img+11

Np, workaround is present to modify the email template but going through the thread i thought that something new is introduced in 11.25 release.


dude
Byte
Forum|alt.badge.img+15
  • Byte
  • 287 replies
  • December 9, 2021

What I would do in this case, would talk to support in hopes that there is a qcommand / qscript that can disable the MFA Email notification and only allow the Apps. I would not be surprised if they have a way to do that.


Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings