Failed to authenticate the Provision Manager:Please authenticate with MFA

swatts123
swatts123
Community Member

Getting the above error when trying to prepare our account for SCIM.
The error is being displayed and preventing us from downloading the session file.
Get the same error when trying to generate new credentials as well.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • swatts123
    swatts123
    Community Member

    Temporarily disabling MFA enforcement resolved this issue.

  • Hi @swatts123

    This is a known issue with the SCIM Bridge and the new 1Password Advanced Protection feature set. I would strongly recommend you to keep the Enforced MFA off until the issue is resolved, otherwise your Provision Manager will not be able to make changes to your account.

    Sorry for the inconvenience.

    Graham

  • angrycustomer
    angrycustomer
    Community Member

    Any news about when this issue will be fixed?

  • @angrycustomer ,

    I have no explicit timeline to share, but I can say it will not be before the New Year. The fix is not an easy nor simple one without poking a big hole in account security. We have to take the time to fix it properly.

    Graham

  • ICanHasWine
    ICanHasWine
    Community Member

    Any update on being able to Enforce MFA while using a SCIM Bridge?

  • ag_ana
    ag_ana
    1Password Alumni
    edited April 2020

    @ICanHasWine:

    We don't have any updates yet, but the request is still on our radar :)

    ref: dev/b5/op-scim#225

  • rickh
    rickh
    Community Member

    Isn't it possible to make that option to force-enable 2FA on accounts that belong to specific groups instead of making it a tenant-wide option?

    We would like to use this as well, instead of manually policing our users and tell them they need to.

  • Hey @rickh

    We have been working hard on this issue, and it is getting closer to being properly fixed! Currently it is moving from the development stage to the testing stage, so it will be in your hands in the near future.

    To explain a bit as to why we can't just set MFA enforcement on some users/groups, as it is a part of your account security, MFA is baked in at a very low level during the authentication process. By design, when you want to enforce MFA it is applied to all your users during the initial handshake with no exceptions. There were some workarounds we considered implementing, but they all required a level of development time and testing comparable to the solution we chose.

    Therefore we have essentially had to add a whole new type of user who authenticates in a different way. The utility of this user we are very excited about, as it not only fixes this SCIM Bridge issue but adds so much more. I'm getting a little ahead of myself, but the proper fix for this is in the pipeline and is coming soon. We will update this thread when the fix is released.

    Graham

  • custom_er
    custom_er
    Community Member

    Any updates on this issue?

  • Thanks for checking in @custom_er.

    The fix to this issue is in its final stages of development and testing, and should be coming soon. We will update this thread when it is released.

    Graham

  • ag_audrey
    ag_audrey
    1Password Alumni

    Hello everyone!

    We're super excited to announce that 1Password now supports enforced two-factor authentication while using automated provisioning 🎉

    You can read more about enforced MFA and our other new features in our blog post: https://blog.1password.com/improved-automated-provisioning/

This discussion has been closed.