This idea has been merged into another idea. To comment or vote on this idea, please visit A10-I-171 Return of email two factor authentication.
The company I work for uses Bomgar to allow over 50 separate vendors of our manufacturing equipment to remotely connect to the manufacturing equipment to provide remote support. Since the two-factor email authentication code functionality was removed from Bomgar PAM, we have a significant security vulnerability/risk.
In our Bomgar environment, we set up each individual person from these vendors that support our manufacturing equipment with their own unique local Bomgar account and use their company email address.
Previously, when two-factor authentication emails were being sent, they would receive the two-factor authentication code via their company email address. Now if an employee from a particular vendor was terminated, the assumption was that the particular vendor would go through their employee off-boarding process, and within that process they would disable the person's company email account. This worked perfectly, because if a person from a vendor was terminated and their email account was disabled, there was no way for them to receive the two-factor authentication code via email and in turn they were unable to log into Bomgar.
Now that Bomgar requires the use of a two-factor authenticator app, if an employee from one of the vendors that supports our manufacturing equipment is terminated, they are still able to log into Bomgar because the two-factor authenticator app is on their phone and their authentication to Bomgar does not require any form of authentication that can be disabled (such as an email account that is used to receive the two-factor email code) by the vendor they once worked for. This means that any time one of the vendors that remotely support our manufacturing equipment terminates an employee who is set up with access to our Bomgar environment, that employee technically still has the ability to log into Bomgar and has access to remotely connect to devices via Bomgar until we are explicitly told by the vendor that the employee has been terminated.
This poses a significant security vulnerability/risk. We have over 50 separate vendors that make up a combined total of over 400 local users set up within our Bomgar environment. With this many vendors and individual local user accounts set up in Bomgar, it is almost impossible to receive/manage employee termination information from all these vendors when they terminate employees that have access to our Bomgar environment so we know that we need to remove their Bomgar access.