MFA for backoffice operators - Alternative Without Mobile Phone
Context
For security and integrity reasons, Secutix wants to enforce MFA authentication for backoffice operators.
The current S360 MFA solution is based on TOTP codes. The recommended approach is to install Google Authenticator to generate these TOTP codes.
However, in some countries, the law prevents an employer from forcing an employee to use their personal mobile device for work purposes.
In that context, we can propose the alternative below.
Proposal
Customers who don't want to use mobile devices to obtain TOTP codes can rely on third-party TOTP generators available as desktop applications, as SaaS products, or as Firefox extensions.
These products could be suggested: KeePass (desktop, works offline), LastPass (cloud, paid version), Bitwarden (cloud, paid version), authenticator.cc (Firefox extension, not widely used: https://addons.mozilla.org/en-US/firefox/addon/auth-helper/ )
Here we will discuss the setup and usage of KeePass, which is free, widely used and reliable; since it works offline on the operator's machine, an attacker would need direct access to that machine to obtain the codes.
Initial Configuration
This step has to be done by an admin user, as it could be too complicated for a cash desk operator.
Download and install KeePass from https://keepass.info/download.html
Create a new database. One database is created for each operator.
Choose a master password that is distinct for each operator and different from the operator's backoffice account password.
Depending on how operators and Windows profiles are configured, associate the database with the correct Windows profile.
Configure MFA for the operator
See the reference page here to activate the MFA feature for your operator: MFA
KeePass TOTP Configuration
At the first login of the operator, the QR code will be displayed. Instead of scanning it with your mobile authenticator app, copy the secret key displayed below it.
In your KeePass database, create a new entry: Entry → Add Entry.
You can enter the backoffice password in the Password field to simplify further logins.
Click on Tools → OTP Generator Settings.
In the new popup, paste the secret you copied from the QR code step and REMOVE THE SPACES.
Validate the creation of the TOTP generator, then validate the entry.
Don't forget to save the database.
You can also delete the sample entries: right-click → Delete Entry.
Close KeePass.
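As an added illustration (not part of the original Secutix page, and not KeePass code), the Python script below computes what the KeePass OTP generator and a mobile authenticator app both derive from the secret key shown under the QR code: an RFC 6238 TOTP with HMAC-SHA1, 6 digits and a 30-second period, the defaults used by Google Authenticator. The secret value is a constructed example (the RFC 6238 test key, rendered with the spaces a display typically inserts), and the function names are my own. It shows why the spaces have to be removed before pasting (a base32 decoder rejects them) and includes a verification routine with a one-step tolerance of the kind a server uses to absorb clock drift; that tolerance is an assumption for the example, not a statement about S360's behaviour.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# written with spaces the way a QR-code page often displays it.
DISPLAYED_SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def spaces_break_decoding(displayed_secret: str) -> bool:
    """True if pasting the secret as displayed (spaces included) fails to decode.
    This is the failure the how-to's 'REMOVE THE SPACES' step prevents."""
    try:
        base64.b32decode(displayed_secret)
        return False
    except (binascii.Error, ValueError):
        return True


def normalize_secret(displayed_secret: str) -> bytes:
    """Strip whitespace, upper-case, and restore base32 padding, then decode
    to the raw HMAC key. This is what you should paste into KeePass."""
    cleaned = "".join(displayed_secret.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 groups are 8 characters
    return base64.b32decode(cleaned)


def totp(displayed_secret: str, timestamp: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, HMAC-SHA1."""
    key = normalize_secret(displayed_secret)
    counter = timestamp // period
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(displayed_secret: str, candidate: str, timestamp: int,
                window: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the code for the current step and for
    +/- `window` adjacent steps (assumed tolerance for clock drift).
    compare_digest avoids leaking the match position through timing."""
    for step in range(-window, window + 1):
        expected = totp(displayed_secret, timestamp + step * period, period)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def seconds_remaining(timestamp: int, period: int = 30) -> int:
    """How long the code for this time step stays current; useful when the
    clipboard is cleared before the operator has pasted the value."""
    return period - (timestamp % period)


if __name__ == "__main__":
    now = int(time.time())
    print("spaces break decoding:", spaces_break_decoding(DISPLAYED_SECRET))
    print("current code:", totp(DISPLAYED_SECRET, now),
          "valid for", seconds_remaining(now), "more seconds")
```

The values checked in the test are the published RFC 6238 SHA-1 test vectors truncated to 6 digits, so any authenticator fed the same secret (with the spaces removed) produces the same codes.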
Operator Login
At S360 login, the operator is first asked for their login and password in the default login page.
The operator can open the KeePass application: by default the last database is reopened. The KeePass master password is then requested (second authentication factor).
Then, the operator can select the MFA_Secutix entry, press Ctrl + C to copy the password, and Ctrl + V to paste it in the Secutix password field.
When the TOTP value is requested, the operator can switch again to KeePass, select the entry again and press Ctrl + T (to copy the TOTP code). This value can then be pasted into the S360 screen, and the operator should log in successfully.
Be careful: the values copied from KeePass stay in the clipboard for only 10 seconds. If you need more time to switch between the windows, you will have to copy / paste again.