I'm curious if there's a way to set up the RSA MFA application on Windows workstations so that it can fail open when the RSA appliance or replicas become unreachable. The idea is that when the network goes down, users can still log in, and once connectivity is restored, they would be prompted for MFA again. I've heard about Duo's fail open functionality and wonder if something similar exists for RSA. Any thoughts?
4 Answers
I had a similar situation where our RSA service was taken down recently, and no one could authenticate, even though the identity routers appeared fine. If we'd configured a fail-open, that could have led to a lot of problems!
I really hope there's no way to do that! Allowing the system to fail open sounds risky to me. It could open the door for unauthorized access, making your security measures pretty useless in the long run.
Are you considering this for pre-production tests or some high-risk maintenance period? I agree with the others; it's not a good idea in a live setting. The risks just outweigh the benefits.
Honestly, wouldn't this just let anyone dodge MFA by simply blocking it? This could lead to all sorts of vulnerabilities, and I definitely see why you'd want to avoid this approach.