We have set up SSO to the Tyk Cloud dashboard successfully; however, we would like to retain two user accounts in Tyk as “break glass” accounts, as is general good practice.
As these break glass accounts are admin accounts, multi-factor auth should apply.
Can we get a Tyk-native MFA?
I’ll raise this internally with our Engineering team and see about getting it on the backlog.
Hey @grayson thanks for the suggestion, sounds useful. To refine the scope, is there anything beyond having 2FA on admin accounts that’s needed here to meet best practice? In fact is there a guide to this that you are following with your IDP or somewhere else, that we can check requirements against more broadly?
Ideally SSO should be used on Tyk and 2FA be done via that.
For break glass accounts, physical security should be used (locked in a safe) rather than 2FA.
(We have now done the above)
In the case where you are not using SSO and are solely using the Tyk IdP (like we were for the first year), that is the scenario where 2FA is important (especially as Tyk’s password policies are so weak). In no way would we get past any security review without 2FA (quote from NIST: “It’s simple: turn on MFA today!”).
NIST: NIST Password Guidelines and Best Practices for 2020