Prevent access to TOTP Secret
complete
Dean F.
We are looking for a system to manage shared MFA accounts (TOTP) but we don't want our technicians to be able to retrieve the OTP secrets as this gives them the ability to add these accounts to whatever personal MFA app they please which we see as a fairly significant security risk. We would like Hudu to either have a security level that prevents this (while still giving full "editor" rights to everything) or to simply have a checkbox when entering an OTP secret for the first time to never reveal the secret to anybody once it is entered.
Dean F.
Thanks, I've had a look at this functionality in the new permissions system and, while this helps, it doesn't completely do what I was hoping. I can create a permission group preventing access to TOTP codes but this prevents users from even adding new ones.
The whole purpose of this feature is so that nobody in our team, regardless of their permission level, should be able to retrieve a TOTP code once it's been entered, so it cannot be taken away and entered into another unknown MFA app somewhere outside of Hudu. Ideally even super admins shouldn't be able to view a TOTP code once it's entered and this is not currently possible as we can't add any permission levels above "Editor" to a permission group.
Currently for shared MFA we are forced to use Microsoft Authenticator on a shared mobile phone (which gets very frustrating to juggle) as this is exactly how it behaves - once a TOTP code is saved all you can ever retrieve is the current 6-digit code, the TOTP code itself is hidden forever.
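The behaviour requested above (a secret that can be entered once and afterwards yields only the current 6-digit code) can be sketched as follows. This is an added example, not part of the thread and not Hudu's code; `WriteOnlyTotpVault`, its methods and the account name are hypothetical, and the sample secret is the public RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time


def _totp(key: bytes, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class WriteOnlyTotpVault:
    """Hypothetical store: secrets go in, only current codes come out.

    Python attribute hiding is not a security boundary. The control being
    modelled is the interface: the process holding the keys offers no read
    path, for any role, so callers can only ask for the code that is valid now.
    """

    def __init__(self, clock=time.time):
        self.__keys = {}      # never returned by any method
        self.__clock = clock  # fixed at construction; callers cannot pick a time

    def enroll(self, account: str, base32_secret: str) -> None:
        # Set-once: replacing a secret means re-enrolling MFA at the provider,
        # so an existing entry is never overwritten or echoed back.
        if account in self.__keys:
            raise PermissionError("secret already set for this account")
        cleaned = base32_secret.replace(" ", "").upper()
        cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
        self.__keys[account] = base64.b32decode(cleaned)

    def current_code(self, account: str) -> str:
        # No time argument: a caller cannot precompute future codes.
        return _totp(self.__keys[account], self.__clock())

    def export(self) -> dict:
        # Everything a listing, export or API read may contain: names only.
        return {"accounts": sorted(self.__keys)}


if __name__ == "__main__":
    vault = WriteOnlyTotpVault()
    # Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
    vault.enroll("shared-admin", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(vault.current_code("shared-admin"), vault.export())
```

Whoever types the secret at enrollment still sees it once, so the set-once rule limits exposure to that moment rather than eliminating it.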
The Hudu Team
complete
In Hudu 2.1.5.10 :)
The Hudu Team
in progress
The Hudu Team
This is a feature in the next version of Hudu :)