Multi-Factor Authentication
    • Dark
      Light
    • PDF

    Multi-Factor Authentication

    • Dark
      Light
    • PDF

    Article summary

    You can use EUC Scouts to test EUC gateways that require multi-factor authentication (MFA). MFA is supported for all EUC Scouts except Citrix Storefront Scouts.

    You can select the MFA method when you create or edit an EUC Scout.

    The supported MFA methods depend on whether your gateway login uses single step MFA or dual step MFA.

    Single Step MFA Methods

    A single step MFA login form is one where the one-time password is entered at the same time as the username and password. The login form looks similar to this:
    SingleStep2FA

    For a single step MFA login, you can use a static PIN, or you can register the Scout as an MFA device using a TOTP code.

    Static PIN

    You can configure your gateway service account to use a static passcode that never changes. Set the MFA method of the Scout to Static PIN and enter the passcode. The Scout always uses this code when accessing the gateway.

    To configure static PIN MFA:

    1. Create a gateway service account with an MFA passcode that never changes.
    2. In the Scout creation window, enter the username and password of the service account.
    3. Set the MFA method to Static PIN.
    4. Enter the static passcode that you configured for the service account.

    TOTP Code

    You can register the Scout as a verified MFA device with your MFA provider in the same way that you would register your phone. The Scout receives the current one-time passcode from your MFA provider and enters the code when accessing the gateway.

    To configure TOTP code MFA:

    1. Follow the steps to add a new MFA device for the gateway service account until you get a TOTP code. For example, the TOTP code might look like this:
      RegisterOTPDevideCode
    2. In the Scout creation window, enter the username and password of the service account.
    3. Set the MFA method to TOTP code.
    4. Enter the TOTP code that is associated with the service account from your MFA provider.
      Enter TOTP Code.png

    Dual Step MFA Methods

    A dual step MFA login form is one where the user is prompted to enter the one-time password after they have entered the username and password. The two login steps look similar to this:
    DualStep2FAPart1

    DualStep2FAPart2

    For a dual step MFA login, you can use SMS or a phone call for MFA, or you can bypass your gateway's MFA requirement. You must first contact Scoutbees Support to set up a phone number for SMS or phone call MFA. You can view your accounts that are configured for SMS or phone call MFA in Settings > Phone Numbers.

    SMS

    A phone number can be assigned to a service account, which receieves an SMS with a passcode from your MFA provider. The Scout enters the code when accessing the gateway.

    To configure SMS MFA:

    1. Contact Scoutbees Support to set up a phone number for a service account.
    2. In the Scout creation window, enter the username and password of a user that has been assigned a phone number for MFA.
    3. Set the MFA method to SMS.
    4. Select the phone number that has been assigned to the user credentials that you entered for the Scout. After you select a phone number, MFA Username shows the username that is configured for the selected phone number.
    5. If your MFA provider is configured to send multiple passcodes in a single SMS message, then select Multiple passcodes in a single message.

    Phone

    A phone number can be assigned to a service account, which receives a phone call with a passcode from your MFA provider. The Scout enters the code when accessing the gateway.

    To configure phone call MFA:

    1. Contact Scoutbees Support to set up a phone number for a service account.
    2. In the Scout creation window, enter the username and password of a user that has been assigned a phone number for MFA.
    3. Set the MFA method to Phone.
    4. Select the phone number that has been assigned to the user credentials that you entered for the Scout. After you select a phone number, MFA Username shows the username that is configured for the selected phone number.

    Bypass

    You can bypass your gateway's MFA requirement for the Scout service account and IP address of the Hive running the Scout. For the IP addresses of Cloud Hives, visit Cloud Hive Overview.

    Supported MFA Providers

    Scoutbees supports the following MFA providers.

    • Microsoft Azure MFA
    • Duo
    • Netscaler Native OTP (for Citrix Netscaler Gateway and Cloud Gateway)

    Other providers might work if you are using the same MFA methods listed above. Contact Scoutbees Support if you are having issues with MFA.


    Was this article helpful?