How can we use Just in Time 2FA

Just In Time 2FA allows for selected users to share a particular common username on a short term basis. This feature allows users to use a common username like Administrator or Admin etc. and not tie this to just one users access or token.

Example would be if user jsmith needs to log into a Windows Domain administrator account named acmeadmin. 

  • We create the user acmeadmin. Enable this user for Just In Time 2FA (JIT).
  • We then allow access to the acmeadmin account via an Passly Directory Manager Group.
  • Any member of the Group can reserve the username and will have the exclusive use of the username for the designated duration.

Note: Users must reserve the option to use this JIT enabled account each time they wish to authenticate.
The reservation is expired as soon as an authentication is successful.

Note: JIT user account must be in the ACTIVE state for the feature to work properly. Setting the account to ACTIVE status will consume a license.

Enabling Group access to the common username

  1. Administrator will log into your Passly tenant https://(your tenant).my.passly.com
  2. Select Directory Manager.

  3. Select Groups

  4. Select the green plus sign in the bottom right corner. 

  5. Name the Group JIT_Username.
    Note: Replace Username with the common username you want to allow access to.
    Example: Administrator or Admin.

  6. then select Add Group.

  7. Add the desired users to the Group Jit_Username.


To enable Just In Time 2FA for a common username

  1. Administrator will log into your Passly tenant https://(your tenant).my.passly.com
  2. Select Directory Manager.

  3. Select Users.

  4. Create the User account by selecting the Green plu in the bottom right.

  5. Name the user account with the common name. Example: Admin, Administrator, admintech etc...
  6. Enable User supports Just In Time 2FA.

    Note: Ensure that the user is manually set to Active Status.
  7. Select the Reservation Time.

    Note: This should be set to no less then 1 minute of an interval. 5 minutes is recommended to allow for enough time a user to be able to log in.
    Note: Each users will need to reserve the JIT username before then can use it. The reservation is only valid for one authentication.
  8. Select the Group Membership that will be allowed to access this user name.
    Note: User the Group JIT_Username that was created above.

Usage

  1. User will log into their Passly tenant.
  2. User selects Just In Time 2FA.

  3. User selects Reserve User on the JIT user account they wish to access.

The user should now be able to log into a resource such as a Windows Credential provider using the common username like Administrator and their own 2FA via PUSH or OTP (One Time Password).

 

Have more questions?

Contact us

Was this article helpful?
0 out of 1 found this helpful

Provide feedback for the Documentation team!

Browse this section