MFA on Integrated Auth
-
Is MFA available on integrated Auth accounts? And if so, what licence is required?
-
Hi @george_4088 ,
Users who are looking for MFA in our products will configure SAML to work with a login provider such as Entra ID that does MFA; we have some documentation on how to configure SAML here:
https://docs.inedo.com/docs/installation/saml-authentication/various-saml-overview
SAML is a ProGet Enterprise feature.
As an aside, we are often asked about best practices regarding MFA and public-facing repositories. I don't think MFA adds a lot of value to a product like ProGet because it's so API-key heavy, and API-based authentication can't use MFA obviously. The most important attack surface to cover is API keys. Those are often overlooked and tend to be haphazardly entered/exposed in scripts, logs, etc.
Cheers,
Alana
-
Thanks Alana.
From what I can see, when using ProGet for a private Chocolatey repo, the login page is exposed to the internet. So if the credentials were brute forced, a new package version could be uploaded and therefore distributed maliciously (on next choco update). As far as I'm aware an API key isn't required to do that.
-
Hi @george_4088,
That is correct, but a brute-force attack wouldn't succeed unless an administrator used something silly like "admin" for their username and "password" for their password. You could just as easily integrate with an LDAP/Active Directory server, which will add timeouts and account lockouts to make it impossible to "crack" in our lifetime. SAML is fine too.
My point is that it's like 1000 times more likely that the API Key used to publish those Chocolatey packages would be exposed in logs, configuration files, etc. That's the attack surface you want to be careful of.
Cheers,
Alana
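Alana's point that API keys leak through scripts and logs, as an added example that is not part of this thread or of Inedo's products: a small Python scanner that flags lines carrying a key by its surrounding context (the `choco push --api-key` / `choco apikey --key` options and ProGet's `X-ApiKey` request header) and redacts the value before the line is stored or shared. The sample lines, hostname and key value are constructed; matching on the option or header rather than the key's shape means any key value is caught.

```python
import re

# Context patterns for an API key appearing in a script or a request log.
# Group 1 is the option/header that carries the key, group 2 is the key itself.
# These match on context, not key shape, so the key's format does not matter.
KEY_PATTERNS = [
    # choco push ... --api-key <key>   and   choco apikey --key <key>
    re.compile(r"(--api-key[= ]|--key[= ])(\S+)", re.IGNORECASE),
    # ProGet's X-ApiKey request header, as seen in curl calls or request logs
    re.compile(r"(X-ApiKey\s*[:=]\s*)(\S+)", re.IGNORECASE),
    # generic assignments such as apiKey=..., API_KEY = "...", api-key: ...
    re.compile(r"(api[_-]?key\s*[:=]\s*[\"']?)([^\"'\s;]+)", re.IGNORECASE),
]

# Constructed sample: a build script, a request log entry, a harmless install
# line and an environment-variable assignment (key value is made up).
SAMPLE_LINES = [
    "choco push mytool.1.2.0.nupkg --source https://proget.example/nuget/choco/ --api-key abc123def456",
    "[INFO] POST /nuget/choco/ headers: X-ApiKey: abc123def456 user-agent: choco",
    "choco install mytool --source https://proget.example/nuget/choco/",
    '$env:PROGET_API_KEY = "abc123def456"',
]


def find_exposed_keys(lines):
    """Return (line_number, key_value) for every line that carries an API key."""
    hits = []
    for number, line in enumerate(lines, 1):
        for pattern in KEY_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((number, match.group(2)))
                break  # one finding per line is enough
    return hits


def redact(line):
    """Replace the key value with a marker; safe to run on already-redacted lines."""
    for pattern in KEY_PATTERNS:
        line = pattern.sub(lambda m: m.group(1) + "<REDACTED>", line)
    return line


if __name__ == "__main__":
    for number, key in find_exposed_keys(SAMPLE_LINES):
        print(f"line {number}: API key exposed -> {redact(SAMPLE_LINES[number - 1])}")
```

Run the scanner over CI scripts and web-server or ProGet request logs before they are archived; a hit on a log line means the key was sent in a way that got recorded and should be rotated.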