Why am I getting stuck with one MFA prompt when using Entra for multiple SSH logins?

Asked By TechieTraveler99 On

I've been using SecureCRT to SSH into multiple devices simultaneously and we recently transitioned from Okta to Entra for multifactor authentication (MFA). With Okta, I could easily log into several devices at once and handle the MFA prompts in quick succession by just tapping "Yes, it's me" multiple times. However, now with Entra, I only receive one MFA approval request at a time, which causes all the other login attempts to fail. I'm curious if Entra is intentionally limiting the number of MFA requests as a security precaution, or if the Entra/Authenticator app simply cannot handle stacking multiple approval requests efficiently. I'm looking for solutions because I often need to connect to around 14 devices at the same time, and having to log in one by one is incredibly frustrating. Any insights on how to manage this would be greatly appreciated!

3 Answers

Answered By SSHSeeker22 On

We've had a similar experience after moving from Okta to Entra. The push notifications seem to not queue up for approval as effectively. The initial prompt comes through, but after that, it's hit or miss—often leading to timeouts or failures. It might be a form of anti-fatigue measure they've implemented. I suggest experimenting with TOTP (Time-based One-Time Password) instead of push notifications during those heavy SSH sessions. Although it’s not as convenient, it provides a more reliable integration with automation.

Answered By CyberSavvy12 On

I totally relate to the struggle with Entra and multifactor authentication! We faced a similar challenge with SecureCRT and ended up switching to TOTP with Protectimus for our bulk SSH connections. That way, you generate codes on-demand, and they don’t depend on receiving multiple notifications. This usually made it easier to manage without running into rate limiting issues, improving our workflow considerably!
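An added example, not part of any answer in this thread: the TOTP route suggested above has its own bulk-login caveat, because RFC 6238 section 5.2 requires a verifier to reject a code that has already been accepted once. The sketch below generates RFC 6238 codes and simulates 14 logins against a single hypothetical `Verifier` that enforces that rule; whether a given MFA backend does so is an assumption to check in your own deployment.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical central verifier enforcing one-time use (RFC 6238 s5.2)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1  # highest time step already accepted

    def check(self, code: str, unix_time: int) -> bool:
        step = unix_time // STEP
        if step <= self.last_step:
            return False  # this step's code was already consumed: replay
        if not hmac.compare_digest(code, totp(self.secret, unix_time)):
            return False
        self.last_step = step
        return True


def bulk_login(secret: bytes, start: int, sessions: int, gap: int) -> list:
    """Simulate `sessions` logins, `gap` seconds apart, against one verifier."""
    verifier = Verifier(secret)
    results = []
    for i in range(sessions):
        now = start + i * gap
        results.append(verifier.check(totp(secret, now), now))
    return results


SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real credential

if __name__ == "__main__":
    print("14 logins, 1 s apart :", bulk_login(SECRET, 1_700_000_010, 14, 1))
    print("14 logins, 30 s apart:", bulk_login(SECRET, 1_700_000_010, 14, 30))
```

With a single-use verifier, only the first login in each 30-second step succeeds, so simultaneous sessions sharing one token need either one code per step or a sign-in flow that issues one credential for many hosts.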

Answered By PromptPanda88 On

It sounds like you're facing an issue with how Entra handles MFA requests compared to Okta. There’s a 20-second timeout on requests, and if they're sent too closely together, they might be treated as duplicates. This isn't particularly an Entra problem but may relate to the NPS (Network Policy Server) setup you're using. My recommendation would be to check out options like opkssh, which can use OIDC natively with SSH. By utilizing a proper conditional access policy, you can enforce MFA without hitting those constraints. It could keep things running smoother for your SSH sessions.
