Enabling multi factor authentication after admins are created

SOLVED
Pugmiester
Building a reputation

Hi all,

 

We are looking to tighten up the security on our existing Meraki organisation by enforcing all admins to have multifactor authentication enabled on their account. What we're not sure about is the impact of enforcing it after the accounts have been created.

We have a number of full organisation admin accounts and all of those with any sort of write permissions have MFA enabled but there are accounts with either organisational read-only or guest ambassador roles that currently don't.

If we throw the switch and enforce MFA under Organization > Settings > Security, does anyone know if that would effectively lock all of the non-MFA enabled users out completely or is there an automated process that relays those users to the MFA setup the first time they try to log back in?

We're just trying to avoid a bunch of help desk calls if we can and an automated process would make that a lot simpler.

1 ACCEPTED SOLUTION
Cmiller
Building a reputation

Been a while since I did this on my orgs but I remember it going smoothly. Once enabled, the next time a user logs into the dashboard it will guide them through setting up 2FA. That user is unable to continue until completed.

See Meraki doc:
https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Two-Factor_Authentication


10 REPLIES 10
Pugmiester
Building a reputation

Hi @Cmiller, that's what I was hoping for. We have a reasonable number of guest ambassadors as we have 25+ networks with local ambassadors managing the guests so it's a decent sized update for them all but if it's a guided process it will make things a bit simpler.
Cmiller
Building a reputation

It was guided, and in this era of constant leaks and hacks 2FA is a must. You can choose to set up 2FA on your account and "demo" what the guided setup will look like for your users: click your username in the top right > My Profile > scroll to the Two-Factor authentication section.

Good luck with the conversion and remember to save those one-time codes in a safe place (I use and love 1Password).

I assume if the password currently set does not comply with the new rules, it would instruct the user to change it accordingly as well?

 

Regards,

 

stockster

Cmiller
Building a reputation

correct
BrechtSchamp
Kind of a big deal

When you enable it, the next time an admin logs in they will see the following page:

[Screenshot: 2019-04-16 16_43_08-Window.png]

If SMS auth doesn't work in your country you can click on the offline access links in the green box and you will be brought to 2FA using an authenticator app:

[Screenshot: 2019-04-16 16_47_23-Window.png]

 

They can't log in before they set it up.

Pugmiester
Building a reputation

Hi @BrechtSchamp, that's great. Sounds like this shouldn't be as big a headache, just plenty of warning for the affected users and some hand holding to make sure the less technical staff (guest ambassadors) have an authentication app ready to go.
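An added example, not part of the original thread: one way to build the "plenty of warning" list before throwing the switch is to group the admins who have no 2FA yet by role. It assumes the admin list has already been exported from the Dashboard API's organization admins listing; the field names `orgAccess`, `twoFactorAuthEnabled` and `networks[].access` are assumed from that endpoint, and the sample records are constructed.

```python
import json

# Constructed sample shaped like the Dashboard API's "list organization admins"
# response (GET /organizations/{organizationId}/admins). Field names are assumed
# from that endpoint; names and e-mail addresses are made up.
SAMPLE_ADMINS = json.loads("""
[
  {"name": "Org Admin", "email": "orgadmin@example.com", "orgAccess": "full",
   "twoFactorAuthEnabled": true, "networks": []},
  {"name": "Auditor", "email": "auditor@example.com", "orgAccess": "read-only",
   "twoFactorAuthEnabled": false, "networks": []},
  {"name": "Site 1 Reception", "email": "site1@example.com", "orgAccess": "none",
   "twoFactorAuthEnabled": false,
   "networks": [{"id": "N_1", "access": "guest-ambassador"}]},
  {"name": "Site 2 Reception", "email": "site2@example.com", "orgAccess": "none",
   "twoFactorAuthEnabled": true,
   "networks": [{"id": "N_2", "access": "guest-ambassador"}]},
  {"name": "Legacy Record", "email": "legacy@example.com", "orgAccess": "read-only",
   "networks": []}
]
""")


def role_of(admin):
    """Summarise an admin's role: org-level access, else network-level roles."""
    org = admin.get("orgAccess", "none")
    if org != "none":
        return f"org:{org}"
    net_roles = sorted({n.get("access", "unknown") for n in admin.get("networks", [])})
    return "network:" + ",".join(net_roles) if net_roles else "none"


def admins_needing_2fa(admins):
    """Group admins without 2FA by role; a missing flag counts as not enrolled."""
    pending = {}
    for admin in admins:
        if admin.get("twoFactorAuthEnabled") is True:
            continue
        pending.setdefault(role_of(admin), []).append(admin["email"])
    return {role: sorted(emails) for role, emails in pending.items()}


if __name__ == "__main__":
    for role, emails in sorted(admins_needing_2fa(SAMPLE_ADMINS).items()):
        print(f"{role}: {len(emails)} admin(s) to notify")
        for email in emails:
            print(f"  {email}")
```

Treating a missing flag as "not enrolled" errs on the side of warning someone who did not need it rather than missing someone who will be stopped at the setup page.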
Cmiller
Building a reputation

@BrechtSchamp I knew someone would have some sexy screenshots. Thanks for sharing those, sir.

Well I didn't have them, but I thought I'd just test it out and take them.

 

(Trying not to lock myself out in the process, hence the delay in my response.)

Thanks, this helps a lot.
Stacy