Independent MFA for infrastructure apps with PIV key #30749
Initial draft for clipboard control changelog
Changelog updates and dev docs
Not proofed yet. Trying to combine an existing draft with other sources
| 4. Select **Save**. | ||
| Enrolled PIV keys that do not meet these requirements are rejected during SSH authentication. |
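Review bot: this sentence places the rejection at SSH authentication time, but the surrounding steps describe an upload-and-save flow, and the review thread states that a leaf or intermediate certificate that does not meet the requirements is rejected when it is uploaded in the App Launcher, so a successfully saved page already means the key is valid. Reword to match where the check actually happens, for example: "Certificates that do not meet these requirements are rejected when you upload them; if the page saves successfully, the PIV key meets the requirements." If SSH authentication also re-checks the key, say so separately rather than folding both into one sentence.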
The leaf and intermediate cert upload will fail in the app launcher if they don't meet the requirements. If the user is able to successfully save that page, then their PIV key is valid (in accordance with the requirements).
| The output should show an `ecdsa-sha2-nistp256` key. | ||
| #### Generate a PIV key |
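Review bot: "The output should show an `ecdsa-sha2-nistp256` key" tells the reader what to expect but not what it means when a different key type appears. State the requirement positively (the PIV slot must hold an ECDSA P-256 key) and tell the reader that any other key type must be regenerated before continuing, since the attestation certificates extracted later are bound to whatever key is in the slot. Because this check reads the key back, it depends on the "Generate a PIV key" section, so that heading should come before the attestation-certificate steps.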
This section should be above the Generate attestation certificates section. You have to generate the PIV key first before you can extract the certs.
| --data '{ | ||
| "mfa_settings": { | ||
| "mfa_use_global_settings": false, | ||
| "mfa_bypass": false, |
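Review bot: the `--data` body is cut off after `"mfa_bypass": false,`: the trailing comma implies further fields, and the closing braces and quote are missing, so the request as shown is not valid JSON and cannot be copied as-is. Show the complete body, and make sure every field it contains also appears in the field table so the example and the reference agree.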
Excellent catch. Thanks
| | Field | Type | Description | | ||
| | ---------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------- | | ||
| | `mfa_use_global_settings` | Boolean | If `true`, uses the organization-level MFA settings. Other fields are ignored. | | ||
| | `mfa_bypass` | Boolean | If `true`, MFA is not required for this application, even if global settings enforce MFA. | |
| {} | ||
| --- | ||
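Review bot: the `mfa_bypass` description says MFA is not required "even if global settings enforce MFA", but the `mfa_use_global_settings` row states that when it is `true` the other fields are ignored, so the two rows read as contradictory. Make the precedence explicit, for example: "Only takes effect when `mfa_use_global_settings` is `false`." Listing the default value of each field would also help, since the example sets both to `false` and the reader cannot tell which of those is a change.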
| The PIV key authenticator is only available for infrastructure applications. If PIV key is the only allowed MFA method in your organization's global settings, users who access non-infrastructure applications will not see any available MFA method and will be unable to log in. Ensure your global settings include at least one other authenticator type (for example, TOTP, security keys, or biometrics), or configure non-infrastructure applications with custom MFA settings. |
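Review bot: this note covers only one failure mode (PIV key is the sole global authenticator, so non-infrastructure applications have no usable method). The converse also blocks access: when MFA is globally required and PIV key is not among the allowed authenticators, users cannot satisfy MFA for infrastructure applications. Add a sentence for that case and point to the per-application MFA settings (`mfa_use_global_settings: false`, or `mfa_bypass` where MFA is not wanted for that application) as the way to carve out access.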
I think we should also include that access is blocked if PIV key is not one of the authenticators and MFA is globally required. Their option in this case is to disable MFA per app/policy to carve out and allow access.
Summary
Access for Infrastructure now supports independent multi-factor authentication (MFA) for SSH connections using YubiKey PIV keys. This adds a hardware-backed second factor to SSH access, ensuring that a compromised device session alone is not sufficient to reach your servers.