Should 2FA be enabled on service accounts?If multi factor authentication is enabled, how should that affect self-service password reset?Generating backup codes for a 2FA implementationHow to fix a repeatedly hacked gmail account (where 2FA is enabled and passwords are changed)?Strange messages from Gmail regarding my recovery email address changingWhatsapp is adding passwords: what is the threat model that they want to protect their users from?If I add two accounts to the same 2FA app, are those accounts linked from a privacy point of view?How should disabling 2FA be handled by a service?Attacker circumventing 2FA. How to defend?What is optimal way to connect accounts to 2FA on phone?Sharing 2FA tokens
Why put copper in between battery contacts and clamps?
How to efficiently shred a lot of cabbage?
Can a US President, after impeachment and removal, be re-elected or re-appointed?
Raindrops in Python
Should students have access to past exams or an exam bank?
Why did I lose on time with 3 pawns vs Knight. Shouldn't it be a draw?
Why would an invisible personal shield be necessary?
Why does calling cout.operator<<(const char*) print the address instead of the character string?
How to prevent a single-element caster from being useless against immune foes?
PCB design using code instead of clicking a mouse?
Why would anyone ever invest in a cash-only etf?
What is a good example for artistic ND filter applications?
What is the highest achievable score in Catan
Would people understand me speaking German all over Europe?
Solve equation using Mathematica
Is it okay for me to decline a project on ethical grounds?
Is it unprofessional to mention your cover letter and resume are best viewed in Chrome?
What would the United Kingdom's "optimal" Brexit deal look like?
How can you tell the version of Ubuntu on a system in a .sh (bash) script?
Was Donald Trump at ground zero helping out on 9-11?
Would it take any sort of amendment to make DC a state?
What Marvel character has this 'W' symbol?
Are all French verb conjugation tenses and moods practical and efficient?
Best Ergonomic Design for a handheld ranged weapon
Should 2FA be enabled on service accounts?
If multi factor authentication is enabled, how should that affect self-service password reset?Generating backup codes for a 2FA implementationHow to fix a repeatedly hacked gmail account (where 2FA is enabled and passwords are changed)?Strange messages from Gmail regarding my recovery email address changingWhatsapp is adding passwords: what is the threat model that they want to protect their users from?If I add two accounts to the same 2FA app, are those accounts linked from a privacy point of view?How should disabling 2FA be handled by a service?Attacker circumventing 2FA. How to defend?What is optimal way to connect accounts to 2FA on phone?Sharing 2FA tokens
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
See the title. I'm involved in a security audit right now, and am wondering whether 2FA should be enabled on not just human login accounts but also on service accounts (non-human accounts)? If so, how is this normally managed? Someone must still be at the other end to confirm the 2FA right? And would this be mainly a one time thing at setup or would they need to reconfirm the 2FA request periodically?
multi-factor
asked 9 hours ago
JasonJason
211 bronze badge
New contributor
Jason is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
See the title. I'm involved in a security audit right now, and am wondering whether 2FA should be enabled on not just human login accounts but also on service accounts (non-human accounts)? If so, how is this normally managed? Someone must still be at the other end to confirm the 2FA right? And would this be mainly a one time thing at setup or would they need to reconfirm the 2FA request periodically?
multi-factor
asked 9 hours ago
JasonJason
211 bronze badge
New contributor
Jason is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Assume for the moment the service you're authenticating against is 3rd party. That means you'll have to automate 2FA for a service intended for a human, but now needs to be automated. That sounds like something just waiting to break if the 3rd party changes the way the 2FA works where I human wouldn't care, but automation might rely on the old structure.
– Steve Sether
9 hours ago
add a comment |
See the title. I'm involved in a security audit right now, and am wondering whether 2FA should be enabled on not just human login accounts but also on service accounts (non-human accounts)? If so, how is this normally managed? Someone must still be at the other end to confirm the 2FA right? And would this be mainly a one time thing at setup or would they need to reconfirm the 2FA request periodically?
multi-factor
asked 9 hours ago
JasonJason
211 bronze badge
New contributor
Jason is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
See the title. I'm involved in a security audit right now, and am wondering whether 2FA should be enabled on not just human login accounts but also on service accounts (non-human accounts)? If so, how is this normally managed? Someone must still be at the other end to confirm the 2FA right? And would this be mainly a one time thing at setup or would they need to reconfirm the 2FA request periodically?
multi-factor
multi-factor
asked 9 hours ago
JasonJason
211 bronze badge
New contributor
Jason is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 9 hours ago
JasonJason
211 bronze badge
New contributor
Jason is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 9 hours ago
JasonJason
211 bronze badge
New contributor
Jason is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 9 hours ago
JasonJason
211 bronze badge
asked 9 hours ago
JasonJason
211 bronze badge
211 bronze badge
New contributor
Jason is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
Jason is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Assume for the moment the service you're authenticating against is 3rd party. That means you'll have to automate 2FA for a service intended for a human, but now needs to be automated. That sounds like something just waiting to break if the 3rd party changes the way the 2FA works where I human wouldn't care, but automation might rely on the old structure.
– Steve Sether
9 hours ago
add a comment |
Assume for the moment the service you're authenticating against is 3rd party. That means you'll have to automate 2FA for a service intended for a human, but now needs to be automated. That sounds like something just waiting to break if the 3rd party changes the way the 2FA works where I human wouldn't care, but automation might rely on the old structure.
– Steve Sether
9 hours ago
Assume for the moment the service you're authenticating against is 3rd party. That means you'll have to automate 2FA for a service intended for a human, but now needs to be automated. That sounds like something just waiting to break if the 3rd party changes the way the 2FA works where I human wouldn't care, but automation might rely on the old structure.
– Steve Sether
9 hours ago
Assume for the moment the service you're authenticating against is 3rd party. That means you'll have to automate 2FA for a service intended for a human, but now needs to be automated. That sounds like something just waiting to break if the 3rd party changes the way the 2FA works where I human wouldn't care, but automation might rely on the old structure.
– Steve Sether
9 hours ago
add a comment |
2 Answers
2
active
oldest
votes
The trouble with requiring MFA on service accounts, is that it would have to be fully automated. For instance, a time based OTP.
But as this OTP is based on a secret seed, it is effectively just another password stored in a config available to the service account. And it therefore gives no real additional security above that of just a single factor such as a password.
answered 8 hours ago
Geir EmblemsvagGeir Emblemsvag
9031 gold badge5 silver badges10 bronze badges
2
Agree! A 2FA token is just another password. Make the service password a random, large password, and you are done. 2FA will not bring much security, and will be a moving part waiting to break.
– ThoriumBR
6 hours ago
add a comment |
Multi-factor authentication is certainly possible without human intervention.
However, it requires a frame challenge.
When dealing with humans, the three typical factors for authentication are something you know (password), something you have (TOTP device/program, phone with SMS, access to an email account, etc.), and something you are (biometrics). You can not combine different things from the same factor and call it multifactor authentication. I.e., a fingerprint and a retina scan is not 2FA, but a fingerprint and a password is 2FA.
Biometrics doesn't work over a network, whether you're scanning a human's fingerprints or you're "fingerprinting" a computer, since you can't verify that the client isn't lying unless you have a trusted agent standing by. "The client is in the hands of the enemy." -- Raph Koster (Game designer, not security expert, but the advice is well applied.) Without that trusted agent, biometrics are only useful for identification, not for authentication(*).
The next authentication factor, something you have, is usually indistinguishable from something you know when you're a computer. TOTP seeds, passwords, session tokens, RSA private keys, and so on are just bytes to a computer, and at some point will reside in RAM. Humans can get away with having TOTP seeds, session tokens, cryptographic keys, and the like be second factors, because humans are very unlikely to be able to memorize these, so they need access to separate hardware (or at least something written down).
However, there are things that a computer can't "know" ahead of time. If you have a hardware device that performs cryptographic operations and stores the private key inside in a way that can't be copied (without obvious evidence of tampering), such as a U2F dongle, then this qualifies as something the computer has but doesn't know. Similarly, information sent out-of-band can also be considered something the computer has, rather than something it knows. For instance, a token can be emailed, FTPd, or sent through SMS. Depending on your threat model, simply opening a connection on a different port may be good enough to fool automated surveillance tools, though I wouldn't trust it against an active eavesdropper.
Speaking of threat models, the current threat models against users using passwords isn't the fact that it's just one factor. The threat model is that most users reuse passwords, have low entropy passwords, and that nearly every human's data has been included in multiple data breaches, including many data breaches that have never been detected or reported. Since computers don't have any problem memorizing very long and truly random passwords, and can memorize every password that's given to them, it is trivial to set up a unique, high entropy password for every service account.
Footnotes:
(*) Identification is different from authentication in that, I can identify myself as the queen of Mars, but I can't be authenticated as the queen of Mars. A username is identification, but a username and password is authentication. A fingerprint is identification, but a fingerprint taken with a trusted agent overseeing the process is authentication.
answered 7 hours ago
GhedipunkGhedipunk
3,3351 gold badge13 silver badges23 bronze badges
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Jason is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f214430%2fshould-2fa-be-enabled-on-service-accounts%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
The trouble with requiring MFA on service accounts, is that it would have to be fully automated. For instance, a time based OTP.
But as this OTP is based on a secret seed, it is effectively just another password stored in a config available to the service account. And it therefore gives no real additional security above that of just a single factor such as a password.
answered 8 hours ago
Geir EmblemsvagGeir Emblemsvag
9031 gold badge5 silver badges10 bronze badges
2
Agree! A 2FA token is just another password. Make the service password a random, large password, and you are done. 2FA will not bring much security, and will be a moving part waiting to break.
– ThoriumBR
6 hours ago
add a comment |
The trouble with requiring MFA on service accounts, is that it would have to be fully automated. For instance, a time based OTP.
But as this OTP is based on a secret seed, it is effectively just another password stored in a config available to the service account. And it therefore gives no real additional security above that of just a single factor such as a password.
answered 8 hours ago
Geir EmblemsvagGeir Emblemsvag
9031 gold badge5 silver badges10 bronze badges
2
Agree! A 2FA token is just another password. Make the service password a random, large password, and you are done. 2FA will not bring much security, and will be a moving part waiting to break.
– ThoriumBR
6 hours ago
add a comment |
The trouble with requiring MFA on service accounts, is that it would have to be fully automated. For instance, a time based OTP.
But as this OTP is based on a secret seed, it is effectively just another password stored in a config available to the service account. And it therefore gives no real additional security above that of just a single factor such as a password.
answered 8 hours ago
Geir EmblemsvagGeir Emblemsvag
9031 gold badge5 silver badges10 bronze badges
The trouble with requiring MFA on service accounts, is that it would have to be fully automated. For instance, a time based OTP.
But as this OTP is based on a secret seed, it is effectively just another password stored in a config available to the service account. And it therefore gives no real additional security above that of just a single factor such as a password.
answered 8 hours ago
Geir EmblemsvagGeir Emblemsvag
9031 gold badge5 silver badges10 bronze badges
answered 8 hours ago
Geir EmblemsvagGeir Emblemsvag
9031 gold badge5 silver badges10 bronze badges
answered 8 hours ago
Geir EmblemsvagGeir Emblemsvag
9031 gold badge5 silver badges10 bronze badges
answered 8 hours ago
Geir EmblemsvagGeir Emblemsvag
9031 gold badge5 silver badges10 bronze badges
9031 gold badge5 silver badges10 bronze badges
2
Agree! A 2FA token is just another password. Make the service password a random, large password, and you are done. 2FA will not bring much security, and will be a moving part waiting to break.
– ThoriumBR
6 hours ago
add a comment |
2
Agree! A 2FA token is just another password. Make the service password a random, large password, and you are done. 2FA will not bring much security, and will be a moving part waiting to break.
– ThoriumBR
6 hours ago
2
2
Agree! A 2FA token is just another password. Make the service password a random, large password, and you are done. 2FA will not bring much security, and will be a moving part waiting to break.
– ThoriumBR
6 hours ago
Agree! A 2FA token is just another password. Make the service password a random, large password, and you are done. 2FA will not bring much security, and will be a moving part waiting to break.
– ThoriumBR
6 hours ago
add a comment |
Multi-factor authentication is certainly possible without human intervention.
However, it requires a frame challenge.
When dealing with humans, the three typical factors for authentication are something you know (password), something you have (TOTP device/program, phone with SMS, access to an email account, etc.), and something you are (biometrics). You can not combine different things from the same factor and call it multifactor authentication. I.e., a fingerprint and a retina scan is not 2FA, but a fingerprint and a password is 2FA.
Biometrics doesn't work over a network, whether you're scanning a human's fingerprints or you're "fingerprinting" a computer, since you can't verify that the client isn't lying unless you have a trusted agent standing by. "The client is in the hands of the enemy." -- Raph Koster (Game designer, not security expert, but the advice is well applied.) Without that trusted agent, biometrics are only useful for identification, not for authentication(*).
The next authentication factor, something you have, is usually indistinguishable from something you know when you're a computer. TOTP seeds, passwords, session tokens, RSA private keys, and so on are just bytes to a computer, and at some point will reside in RAM. Humans can get away with having TOTP seeds, session tokens, cryptographic keys, and the like be second factors, because humans are very unlikely to be able to memorize these, so they need access to separate hardware (or at least something written down).
However, there are things that a computer can't "know" ahead of time. If you have a hardware device that performs cryptographic operations and stores the private key inside in a way that can't be copied (without obvious evidence of tampering), such as a U2F dongle, then this qualifies as something the computer has but doesn't know. Similarly, information sent out-of-band can also be considered something the computer has, rather than something it knows. For instance, a token can be emailed, FTPd, or sent through SMS. Depending on your threat model, simply opening a connection on a different port may be good enough to fool automated surveillance tools, though I wouldn't trust it against an active eavesdropper.
Speaking of threat models, the current threat models against users using passwords isn't the fact that it's just one factor. The threat model is that most users reuse passwords, have low entropy passwords, and that nearly every human's data has been included in multiple data breaches, including many data breaches that have never been detected or reported. Since computers don't have any problem memorizing very long and truly random passwords, and can memorize every password that's given to them, it is trivial to set up a unique, high entropy password for every service account.
Footnotes:
(*) Identification is different from authentication in that, I can identify myself as the queen of Mars, but I can't be authenticated as the queen of Mars. A username is identification, but a username and password is authentication. A fingerprint is identification, but a fingerprint taken with a trusted agent overseeing the process is authentication.
answered 7 hours ago
GhedipunkGhedipunk
3,3351 gold badge13 silver badges23 bronze badges
add a comment |
Multi-factor authentication is certainly possible without human intervention.
However, it requires a frame challenge.
When dealing with humans, the three typical factors for authentication are something you know (password), something you have (TOTP device/program, phone with SMS, access to an email account, etc.), and something you are (biometrics). You can not combine different things from the same factor and call it multifactor authentication. I.e., a fingerprint and a retina scan is not 2FA, but a fingerprint and a password is 2FA.
Biometrics doesn't work over a network, whether you're scanning a human's fingerprints or you're "fingerprinting" a computer, since you can't verify that the client isn't lying unless you have a trusted agent standing by. "The client is in the hands of the enemy." -- Raph Koster (Game designer, not security expert, but the advice is well applied.) Without that trusted agent, biometrics are only useful for identification, not for authentication(*).
The next authentication factor, something you have, is usually indistinguishable from something you know when you're a computer. TOTP seeds, passwords, session tokens, RSA private keys, and so on are just bytes to a computer, and at some point will reside in RAM. Humans can get away with having TOTP seeds, session tokens, cryptographic keys, and the like be second factors, because humans are very unlikely to be able to memorize these, so they need access to separate hardware (or at least something written down).
However, there are things that a computer can't "know" ahead of time. If you have a hardware device that performs cryptographic operations and stores the private key inside in a way that can't be copied (without obvious evidence of tampering), such as a U2F dongle, then this qualifies as something the computer has but doesn't know. Similarly, information sent out-of-band can also be considered something the computer has, rather than something it knows. For instance, a token can be emailed, FTPd, or sent through SMS. Depending on your threat model, simply opening a connection on a different port may be good enough to fool automated surveillance tools, though I wouldn't trust it against an active eavesdropper.
Speaking of threat models, the current threat models against users using passwords isn't the fact that it's just one factor. The threat model is that most users reuse passwords, have low entropy passwords, and that nearly every human's data has been included in multiple data breaches, including many data breaches that have never been detected or reported. Since computers don't have any problem memorizing very long and truly random passwords, and can memorize every password that's given to them, it is trivial to set up a unique, high entropy password for every service account.
Footnotes:
(*) Identification is different from authentication in that, I can identify myself as the queen of Mars, but I can't be authenticated as the queen of Mars. A username is identification, but a username and password is authentication. A fingerprint is identification, but a fingerprint taken with a trusted agent overseeing the process is authentication.
answered 7 hours ago
GhedipunkGhedipunk
3,3351 gold badge13 silver badges23 bronze badges
add a comment |
Multi-factor authentication is certainly possible without human intervention.
However, it requires a frame challenge.
When dealing with humans, the three typical factors for authentication are something you know (password), something you have (TOTP device/program, phone with SMS, access to an email account, etc.), and something you are (biometrics). You can not combine different things from the same factor and call it multifactor authentication. I.e., a fingerprint and a retina scan is not 2FA, but a fingerprint and a password is 2FA.
Biometrics doesn't work over a network, whether you're scanning a human's fingerprints or you're "fingerprinting" a computer, since you can't verify that the client isn't lying unless you have a trusted agent standing by. "The client is in the hands of the enemy." -- Raph Koster (Game designer, not security expert, but the advice is well applied.) Without that trusted agent, biometrics are only useful for identification, not for authentication(*).
The next authentication factor, something you have, is usually indistinguishable from something you know when you're a computer. TOTP seeds, passwords, session tokens, RSA private keys, and so on are just bytes to a computer, and at some point will reside in RAM. Humans can get away with having TOTP seeds, session tokens, cryptographic keys, and the like be second factors, because humans are very unlikely to be able to memorize these, so they need access to separate hardware (or at least something written down).
However, there are things that a computer can't "know" ahead of time. If you have a hardware device that performs cryptographic operations and stores the private key inside in a way that can't be copied (without obvious evidence of tampering), such as a U2F dongle, then this qualifies as something the computer has but doesn't know. Similarly, information sent out-of-band can also be considered something the computer has, rather than something it knows. For instance, a token can be emailed, FTPd, or sent through SMS. Depending on your threat model, simply opening a connection on a different port may be good enough to fool automated surveillance tools, though I wouldn't trust it against an active eavesdropper.
Speaking of threat models, the current threat models against users using passwords isn't the fact that it's just one factor. The threat model is that most users reuse passwords, have low entropy passwords, and that nearly every human's data has been included in multiple data breaches, including many data breaches that have never been detected or reported. Since computers don't have any problem memorizing very long and truly random passwords, and can memorize every password that's given to them, it is trivial to set up a unique, high entropy password for every service account.
Footnotes:
(*) Identification is different from authentication in that, I can identify myself as the queen of Mars, but I can't be authenticated as the queen of Mars. A username is identification, but a username and password is authentication. A fingerprint is identification, but a fingerprint taken with a trusted agent overseeing the process is authentication.
answered 7 hours ago
GhedipunkGhedipunk
3,3351 gold badge13 silver badges23 bronze badges
Multi-factor authentication is certainly possible without human intervention.
However, it requires a frame challenge.
When dealing with humans, the three typical factors for authentication are something you know (password), something you have (TOTP device/program, phone with SMS, access to an email account, etc.), and something you are (biometrics). You can not combine different things from the same factor and call it multifactor authentication. I.e., a fingerprint and a retina scan is not 2FA, but a fingerprint and a password is 2FA.
Biometrics doesn't work over a network, whether you're scanning a human's fingerprints or you're "fingerprinting" a computer, since you can't verify that the client isn't lying unless you have a trusted agent standing by. "The client is in the hands of the enemy." -- Raph Koster (Game designer, not security expert, but the advice is well applied.) Without that trusted agent, biometrics are only useful for identification, not for authentication(*).
The next authentication factor, something you have, is usually indistinguishable from something you know when you're a computer. TOTP seeds, passwords, session tokens, RSA private keys, and so on are just bytes to a computer, and at some point will reside in RAM. Humans can get away with having TOTP seeds, session tokens, cryptographic keys, and the like be second factors, because humans are very unlikely to be able to memorize these, so they need access to separate hardware (or at least something written down).
However, there are things that a computer can't "know" ahead of time. If you have a hardware device that performs cryptographic operations and stores the private key inside in a way that can't be copied (without obvious evidence of tampering), such as a U2F dongle, then this qualifies as something the computer has but doesn't know. Similarly, information sent out-of-band can also be considered something the computer has, rather than something it knows. For instance, a token can be emailed, FTPd, or sent through SMS. Depending on your threat model, simply opening a connection on a different port may be good enough to fool automated surveillance tools, though I wouldn't trust it against an active eavesdropper.
Speaking of threat models, the current threat models against users using passwords isn't the fact that it's just one factor. The threat model is that most users reuse passwords, have low entropy passwords, and that nearly every human's data has been included in multiple data breaches, including many data breaches that have never been detected or reported. Since computers don't have any problem memorizing very long and truly random passwords, and can memorize every password that's given to them, it is trivial to set up a unique, high entropy password for every service account.
Footnotes:
(*) Identification is different from authentication in that, I can identify myself as the queen of Mars, but I can't be authenticated as the queen of Mars. A username is identification, but a username and password is authentication. A fingerprint is identification, but a fingerprint taken with a trusted agent overseeing the process is authentication.
answered 7 hours ago
GhedipunkGhedipunk
3,3351 gold badge13 silver badges23 bronze badges
edited 6 hours ago
answered 7 hours ago
GhedipunkGhedipunk
3,3351 gold badge13 silver badges23 bronze badges
answered 7 hours ago
GhedipunkGhedipunk
3,3351 gold badge13 silver badges23 bronze badges
answered 7 hours ago
GhedipunkGhedipunk
3,3351 gold badge13 silver badges23 bronze badges
3,3351 gold badge13 silver badges23 bronze badges
add a comment |
add a comment |
Jason is a new contributor. Be nice, and check out our Code of Conduct.
Jason is a new contributor. Be nice, and check out our Code of Conduct.
Jason is a new contributor. Be nice, and check out our Code of Conduct.
Jason is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f214430%2fshould-2fa-be-enabled-on-service-accounts%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Assume for the moment the service you're authenticating against is 3rd party. That means you'll have to automate 2FA for a service intended for a human, but now needs to be automated. That sounds like something just waiting to break if the 3rd party changes the way the 2FA works where I human wouldn't care, but automation might rely on the old structure.
– Steve Sether
9 hours ago