Why email the MFA secret key?

  • 3 July 2021
  • 2 replies


This was a great post and I’m glad things are changing, but I would like to request one more improvement: can we not have the MFA secret key emailed?

Email has a tendency to leave a trail all over the place. A copy can be grabbed from a relay, a spam filter, a deleted bin or even in a company-policy-mandated permanent archive. So if an admin’s mail-enabled domain credential gets hacked and that account is used to administer CommVault, then it just takes a quick search (maybe in the admin’s own inbox) for “CommServe Administrator just doubled your safety” and now you have the MFA secret key. Keep in mind, it’s been shown that attackers are inside company networks sniffing around for a while before they make their attack.

The MFA secret key should be displayed to the end-user via the CommCell Console (ideally in a QR code) after the first successful authentication. It should never be sent through a permanent or semi-permanent medium such as email.

2 replies

Userlevel 7
Badge +23

Hey @deltazulu , great question!  I’ll get some internal folks to join this conversation.

Userlevel 1
Badge +2

This has been addressed already in SP25.