Just In Time 2FA allows selected users to share a particular common username on a short-term basis. This feature lets users use a common username such as Administrator or Admin without tying it to just one user's access or token.
For example, suppose user jsmith needs to log into a Windows Domain administrator account named acmeadmin:
- We create the user acmeadmin and enable this user for Just In Time 2FA (JIT).
- We then allow access to the acmeadmin account via a Passly Directory Manager Group.
- Any member of the Group can reserve the username and will have the exclusive use of the username for the designated duration.
Note: Users must reserve the option to use this JIT enabled account each time they wish to authenticate.
The reservation is expired as soon as an authentication is successful.
Note: The JIT user account must be in the ACTIVE state for the feature to work properly. Setting the account to ACTIVE status will consume a license.
Enabling Group access to the common username
- Administrator will log into your Passly tenant https://(your tenant).my.passly.com
- Select Directory Manager.
- Select Groups.
- Select the green plus sign in the bottom right corner.
- Name the Group JIT_Username.
Note: Replace Username with the common username you want to allow access to.
Example: Administrator or Admin.
- Then select Add Group.
- Add the desired users to the Group JIT_Username.
To enable Just In Time 2FA for a common username
- Administrator will log into your Passly tenant https://(your tenant).my.passly.com
- Select Directory Manager.
- Select Users.
- Create the User account by selecting the green plus sign in the bottom right.
- Name the user account with the common name. Example: Admin, Administrator, admintech, etc.
- Enable User supports Just In Time 2FA.
Note: Ensure that the user is manually set to Active Status.
- Select the Reservation Time.
Note: This should be set to an interval of no less than 1 minute. 5 minutes is recommended to allow enough time for a user to log in.
Note: Each user will need to reserve the JIT username before they can use it. The reservation is only valid for one authentication.
- Select the Group Membership that will be allowed to access this user name.
Note: Use the Group JIT_Username that was created above.
Usage
- User will log into their Passly tenant.
- User selects Just In Time 2FA.
- User selects Reserve User on the JIT user account they wish to access.
The user should now be able to log into a resource such as a Windows Credential provider using the common username like Administrator and their own 2FA via PUSH or OTP (One Time Password).
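
The reservation rules described on this page (group membership, exclusive hold for the Reservation Time, one authentication per reservation), modelled as an added Python example. This is not Passly code or its API: the class, method names, the audit list and the users mjones and intern are assumptions made for illustration, and times are seconds from an arbitrary start.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class JitAccount:
    """Hypothetical model of a JIT-enabled shared username."""
    username: str
    group: set                 # members of the JIT_<Username> group
    reservation_secs: int      # configured Reservation Time
    active: bool = True        # account must be in the ACTIVE state
    holder: Optional[str] = None
    expires_at: float = 0.0
    audit: list = field(default_factory=list)  # assumption: who used the shared name

    def _log(self, now, user, action, result):
        self.audit.append((now, user, self.username, action, result))
        return result == "ok"

    def _live(self, now):
        return self.holder is not None and now < self.expires_at

    def reserve(self, user, now):
        if not self.active:
            return self._log(now, user, "reserve", "denied: account not ACTIVE")
        if user not in self.group:
            return self._log(now, user, "reserve", "denied: not in group")
        if self._live(now) and self.holder != user:
            return self._log(now, user, "reserve", "denied: held by another user")
        # Assumption: the current holder reserving again restarts the timer.
        self.holder, self.expires_at = user, now + self.reservation_secs
        return self._log(now, user, "reserve", "ok")

    def authenticate(self, user, second_factor_ok, now):
        if not (self._live(now) and self.holder == user):
            return self._log(now, user, "auth", "denied: no live reservation")
        if not second_factor_ok:   # the user's own PUSH or OTP
            return self._log(now, user, "auth", "denied: 2FA failed")
        self.holder = None         # reservation expires on successful authentication
        return self._log(now, user, "auth", "ok")

def demo():
    acct = JitAccount("acmeadmin", {"jsmith", "mjones"}, 300)  # 5 minutes
    return acct, [
        acct.reserve("intern", 0),               # not in the group
        acct.reserve("jsmith", 0),               # reservation granted
        acct.reserve("mjones", 10),              # jsmith holds it exclusively
        acct.authenticate("jsmith", True, 20),   # succeeds, consumes reservation
        acct.authenticate("jsmith", True, 30),   # must reserve again
        acct.reserve("mjones", 40),              # free again
        acct.authenticate("mjones", True, 400),  # reservation timed out at 340
    ]
```

The audit list shows why the pattern matters for shared administrator names: every use of acmeadmin is recorded against the individual who reserved it.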