Question

2 factor authentication, or how to stop sharing of login credentials

  • January 26, 2022
  • 18 replies
  • 1176 views

Hi all.  We’re interested in how to stop, or at least limit, the sharing of login credentials.  Ideally we could have 2 factor authentication where the user supplies their login and password and then is sent a code to enter (usually to their phone).  This doesn’t appear to be available.

Failing that, what are other ways to stop the sharing of credentials?  If we give a user access to a course, how do we stop them letting someone else use that access?

Any ideas would be appreciated.

Thanks

Paul

18 replies

captainzelda
  • Helper II
  • January 26, 2022

Does your organization use something like Duo Mobile? I think we do the MFA through our SSO on our IT side rather than on a Docebo side. Assuming this setup is for internal users. External would be more challenging.


  • Author
  • Novice II
  • January 26, 2022

Hi Captain.  Thanks for the quick reply.  We are selling our courses to people all over the world, so they are all external. We need to avoid the need for everyone to also have a Google account, for example.  We just want them to have a Docebo account with some control on who uses it!


dklinger
  • Hero III
  • January 26, 2022

@pgbarker - I am curious where you land up going with this. If MFA is critical? A proposal: consider that some cloud-based SSO products like OKTA can also support the OAuth approach… bring it together with MFA? And you have achieved your goal.

That’s a seriously geeky way to say check with your team that is leading SSO efforts and see if you can leverage some type of architecture to what I am alluding to above.

Beyond that? I would say this is really a great idea request for the product. Offloading authentication from the application is THE preferred security trend and in your case could further support other benefits that come with the technologies that support the offload.

You may also want to look at this article


dklinger
  • Hero III
  • January 26, 2022

Ok - I am learning too. It seems like you may not need an SSO to even achieve some of the magic you are after.

 

Take a nice look at that article. If the price is right - you may be able to do some really fancy stuff.


oferkenig
  • Influencer I
  • January 26, 2022

Hi @dklinger we are having the same issue.

We are using Okta for our internal users.

We have 500k potential external users, and we don't have the resources to manage them through an SSO solution.

Docebo already has email verification. If it was a mandatory process where the user must verify his email when he first logs in to the system - it would be much more helpful.


  • Influencer III
  • January 26, 2022

Hi! For our internal users - we use SSO and MFA. For our external users, we use login credentials and a registration process - but still use MFA, it’s possible for external.


oferkenig
  • Influencer I
  • January 26, 2022

@simone.yaghi what kind of MFA do you use for the external?


angel.maenza
  • Novice III
  • January 26, 2022

Just curious on the thoughts/reasoning behind this. Even with two factor authentication, it is easy for user A to text the code to user B for them to enter. We have certification exams in our platform that are linked to monetary gains. For these exams, we work with a 3rd party proctor to verify the user's ID, scan the room to make sure no notes are used, etc. All of the pre-work technically could be done by someone else, but the exams are secured and thus the certifications we offer are secured as they are directly connected to exam scores.


  • Helper II
  • January 26, 2022

Under Advanced Settings > Advanced there are two options that appear to solve this for you if enabled, particularly the second option shown below:

 


  • Influencer III
  • January 26, 2022

@oferkenig Microsoft’s MFA


  • Helper III
  • January 28, 2022

Hi @mark

As you mentioned above in the Advanced Settings, if you select the second option, does that affect a super admin when logging in as the user when you are trying to resolve an issue with a course that they are experiencing?


  • Helper II
  • January 31, 2022

I suspect it might, though assuming you are logging in via the Admin > User > Login as User feature then Docebo might have disabled that IP check. If they haven’t then you could put in an Idea to have it changed.


  • Author
  • Novice II
  • February 3, 2022

Hi all.  Thanks for the replies and interesting discussion.  I’ve been digging into the Auth0 app and having some success.  Configuration is simple and the instructions are good enough.  Some of the dialogue and pages are pretty bad so I’ve been looking to get around some of those.  E.g., setting the logout behaviour to redirect to the login page, as the default logout page is a purple bar and a bit of left-justified text.  It’s awful.  Using localization to change some of the text helps too.  And the branding within Auth0 looks good.

The major issue now is that Docebo always allows all users to log in via the main domain.  So even if you set up a user in a branch, associate a subdomain and set up Auth0 for that subdomain (which works well), that user can always just go to the main domain (i.e. mydomain.com, instead of sub.mydomain.com) and log in just with their username and password and completely bypass Auth0.  Any content you were hoping to protect - forget it.  I have this logged with support now and I’m hoping for a resolution, although this behaviour is stated policy.


msantos
  • Helper II
  • April 11, 2022

Hi all,

Following all this discussion about multi-factor authentication, I understand that it would only solve the problem if Docebo's product owner implemented MFA. The IT areas of companies are increasingly demanding when it comes to application security.

Can anyone tell me if the product owner is analyzing the inclusion of MFA in the product?


Bfarkas
  • Hero III
  • April 11, 2022

So this seems to have hit the nail on the head, the origin of the thread seems to be looking for native MFA which is not really there so the only real solution is to identify a third party to use for all your accounts and can sync with Docebo to manage the accounts, unless it is picked up as an implementation in Docebo, sounds like maybe an idea should be posted for gathering potential support. I’d suspect most people implementing already have an SSO with supported infrastructure in place though.


jckemv
  • Helper I
  • February 24, 2023

I think MFA other than email using your favourite 2 factor authenticator should be a base option, and most importantly for the super admin accounts on the system.


Our training program is open both to internal workers and external workers.

To ensure all data security, we need to have a back door for external that is as much secured as the internal front door.

If your house has a secure front door and an unsecured back door, the housebreakers will enter the home using the back door.

Default Docebo account should support Man option for MFA.

 


  • Novice III
  • August 22, 2025

Hello, curious to know whether there is any update on this that anyone knows of? Not sure I can see anything in the roadmap so I think not, but does seem like a fundamental issue if using both internal and external users to a platform!