Does Spiceworks offer MFA or 2FA for the agent account in the Spiceworks Help Desk? I am not seeing an option to enable this extra layer of security to protect the accounts anywhere.
Is SSO integration supported with any platform currently? I also did not see this as an option anywhere to be enabled.
8 Spice ups
scheff1
(scheff1)
October 30, 2022, 8:33pm
2
Welcome to Spiceworks and its community, a community of IT professionals for IT professionals with a focus on SME. And please don’t forget to read the recommendations of our field guides, especially those on getting started and on pos(t)ing good questions, including the helpful references found at the bottom of its web page.
What do you mean by Spiceworks agent account?
Where do you find a Spiceworks agent account?
I could not see any Spiceworks agent account. The public Cloud Spiceworks Agents don’t need accounts and don’t have accounts. They use an instance key instead, which allows found data to be associated with the correct instance of the public Cloud solution. The Spiceworks remote agent of the legacy Windows desktop app does not need an account either. For its local activity, it uses the configured and stored credentials of the local target devices. For its connection to the central site, it uses HTTPS and hence does not need an account either. It may use VPN.
I don’t remember, but some Spiceworks platforms already offer e.g. Google SSO. For several Spiceworks tools, there exist feature requests to add MFA support. These are ranking high and will probably be added soon. But Spiceworks has not given a timeline when to expect such updates.
Why are you asking?
For which Spiceworks tool or platform are you asking?
Rod-IT
(Rod-IT)
October 30, 2022, 8:58pm
3
The simple answer is, no, MFA/2FA is not supported by Spiceworks at this time - for any product.
1 Spice up
I mean for the Employee Accounts you add to the Spiceworks Help Desk. Is there an option to enforce at a minimum 2FA for their account logins?
If this is the case that is very unfortunate. Especially in today’s IT world where compromised passwords are responsible for 80% of data breaches.
Additionally, this will singlehandedly determine if we choose to continue using this service in any capacity, whether it is free or premium. There is simply far too much risk with so little in place for security.
1 Spice up
scheff1
(scheff1)
October 31, 2022, 8:22am
6
Which source do you have for such a claim?
I’m almost sure that either your source is wrong or has a different definition of compromised passwords. Users re-using the same credentials for different accounts, despite being advised to always use unique credentials (and hence not re-use credentials for different accounts), are responsible for far more data breaches, as far as I understood.
spiceuser-6f50n:
Additionally, this will singlehandedly determine if we choose to continue using this service in any capacity, whether it is free or premium. There is simply far too much risk with so little in place for security.
Congratulations on succeeding in using risk assessment and risk management to make such decisions up front and not only after introduction.
And Spiceworks does not offer a paid service. Its paid service was abandoned a few years ago, and Spiceworks has no intention of restoring such an option. (Users are paying Spiceworks with their data as reported by its privacy statement, not with direct money transfers.)
clutka
(MAINSTRIKE)
October 31, 2022, 12:29pm
7
2 Spice ups
clutka
(MAINSTRIKE)
October 31, 2022, 12:31pm
8
Regarding SSO, that, too, is a highly requested feature and is number one on the spiciest feature request list.
SSO with Google Apps, Office 365 or Azure AD, https://community.spiceworks.com/feature_request/show/Cloud%20Help%20Desk%20(CHD)/6281
2 Spice ups
Rod-IT
(Rod-IT)
October 31, 2022, 2:00pm
9
There is no premium version, free is all there is. 2FA/MFA is not beyond the scope of bypassing either, especially if someone continually gets pinged to allow access to their phone using push notifications at 3am, they will either click yes unknowingly or to shut it up or a threat actor can steal browser tokens to get in.
It does add another layer, but it’s not the answer to everything.
I do agree though, that for administrators as a minimum this should exist, currently however it does not.
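A defender-side illustration of the repeated push-prompt pattern described in the post above, added here as an example; it is not part of any post in this thread and not Spiceworks code. The event format, user names, window and threshold are constructed assumptions about what an identity provider's MFA log might contain.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real product): time, user, push result.
EVENTS = [
    ("2023-10-25T03:01:10", "alice", "denied"),
    ("2023-10-25T03:02:05", "alice", "timeout"),
    ("2023-10-25T03:03:40", "alice", "denied"),
    ("2023-10-25T03:04:55", "alice", "timeout"),
    ("2023-10-25T03:06:20", "alice", "approved"),
    ("2023-10-25T09:15:00", "bob", "timeout"),
    ("2023-10-25T09:15:30", "bob", "approved"),
    ("2023-10-25T14:00:00", "carol", "approved"),
]

def find_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag bursts of rejected push prompts and approvals that follow a burst.

    Returns (user, timestamp, kind) tuples where kind is:
      "prompt_burst"          - `threshold` denied/timed-out prompts inside `window`
      "approved_after_burst"  - an approval arriving while such a burst is active
    """
    alerts = []
    rejected = {}  # user -> times of rejected prompts still inside the window
    for ts, user, result in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        kept = [t for t in rejected.get(user, []) if now - t <= window]
        if result in ("denied", "timeout"):
            kept.append(now)
            # Fires when the count reaches the threshold; it can fire again
            # if old prompts age out and the burst continues.
            if len(kept) == threshold:
                alerts.append((user, ts, "prompt_burst"))
        elif result == "approved":
            if len(kept) >= threshold:
                # The approval most worth reviewing: it may be a worn-down user.
                alerts.append((user, ts, "approved_after_burst"))
            kept = []  # an approval ends the burst
        rejected[user] = kept
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(EVENTS):
        print(alert)
```

The "prompt_burst" alert fires before any approval, which gives time to contact the user or lock the account while the prompts are still being rejected.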
andrejsydorko8402
October 25, 2023, 2:24pm
10
That’s a terrible excuse to not implement MFA.
You wouldn’t drive a car without putting on the seat belt just because you "might die anyway in a collision"?
Rod-IT
(Rod-IT)
October 25, 2023, 5:49pm
11
Difficult to know who you are referring to.
FYI, no one on this topic is staff, and my posts are not posted as excuses or reasons why something is or is not in place, I’m simply advising that even with MFA people can be compromised. It’s not a magic fix for everything, it’s another layer in a very complicated onion.
If the setup doesn’t meet your requirements or security measures, you don’t have to use it, but I’ll bet you have other apps that do not use MFA either.