We are getting notifications that MFA will be required for EpicWeb, does that extend to the Epicor Learning Center? We have some factories where the users don’t have cell phones for MFA. Does anybody know if this will affect the people who access the learning center from within Kinetic?
We have the same question. Was contemplating logging a support case to ask but haven’t got around to it.
We will probably get a better answer on this forum.
I logged a case and will report back
It won’t be required for anything other than EpicCare right now.
The bad news. If you have MFA on your Epicor Identity account and use that for EpicCare you get two MFA prompts.
I had some similar questions when I saw that…
Do ADA accommodation options exist? That’s guaranteed to be an issue for some employer downstream of this change.
At smaller company scales, dependence on a device for MFA can become a single point of failure. What does recovering access to support look like if your only account with support access can’t access support?
There’s a KB article on resetting your MFA.
Not quite. If a small company has only one power user, single point of failure looks like one dropped phone.
You’d likely have to email the MFA support email or something in that case. Or call into support.
Sorry for interrupting, but I read this and instantly thought…how much wood would a woodchuck chuck if a woodchuck could chuck wood?
You’re dead on though - a failed MFA device could be a showstopper. I’ve seen some that will allow email as a valid one-time code receipt method. Always liked security questions as a fallback too.
I sent them some feedback on it. They claim they’ll pass it on. But we know how that goes.
You never know…sometimes feedback can end up in the right hands.
It’s possible it will get passed onto the right person.
I just don’t even understand the point. Are support cases a high value target for hackers? Logging into EpicCare is already a pain. Do we really need to make it even worse? Please, if somebody wants to log into my EpicCare and update all my cases, go for it lol.
Security questions are the funniest (in hindsight…) security story I have! A bank started requiring security questions to be populated. Account recovery checked answers with a multiple choice form. Three questions, five options each. Rate limiting didn’t matter, the randomly populated incorrect answers would change with a page refresh. The funny part is, all of the answers I’d provided were random strings. Is my favorite actor Tom Cruise, Fred Astaire, l#^XCEme%Avvd7YGDd&%zAbQx*rHeQ, etc.
The most recent was a bank’s new MFA, a robot calling a phone and reading out a one time security code. It wasn’t clear enough to use reliably, and besides, fat chance I’m depending on SIM for financial security. I asked about ADA compliance and got some pushback. It didn’t take half an hour for legal to catch wind and take over. The bank quickly punched an ad hoc MFA method through their new security just for me.
Got my answer on the ticket
"Hi Mark,
MFA will only be required for users logging into EpicCare, not EpicWeb or the ELC. For EpicCare it will require an authenticator app on a mobile device while logging into the portal.
Please let me know if you have additional questions or concerns."
They’re really not protecting support cases; MFA is required whenever we share secrets. Why? How many users use the same password for multiple accounts? If that password escapes, MFA provides an extra layer of protection - depending on the strength of the MFA of course. Passwords are convenient for humans, but humans are not good at remembering good passwords. And even if they were, adversary-in-the-middle attacks, poor password management practices by solution providers, and local attacks on secret keepers make them very difficult to protect.
Enter what you think is a “good” password at Have I Been Pwned: Who’s Been Pwned. You may be surprised what you find.
The better security practice involves as many attributes as possible and continuously checking those: is this a known device (i.e. has a certificate installed during registration), is this a normal time of day for this kind of access, is this a significant transaction (add new credential, etc.), does this user normally do this type of transaction, does it pass the impossible travel test (logged into two geographic regions), is this a usual network range, etc.
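The attribute checks listed in the post above, worked through as an added example (not code from Epicor or from anyone in this thread): a small risk scorer in Python that evaluates a login event against a constructed per-user baseline and an assumed step-up policy. The profile contents, the event fields, the 1000 km/h travel threshold and the deny/step-up rules are all my assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

PROFILE_MARK = {  # constructed sample: one user's baseline built from prior successful sessions
    "devices": {"cert-7f3a"},       # fingerprint of the certificate installed at registration
    "hours": set(range(7, 19)),     # local hours during which this user normally logs in
    "networks": {"203.0.113"},      # /24 prefixes the user normally connects from
    "usual_actions": {"read_case", "update_case"},
}
SENSITIVE_ACTIONS = {"add_credential", "change_mfa_device"}
MAX_PLAUSIBLE_KMH = 1000  # assumption: about airliner speed; anything faster is "impossible travel"

@dataclass
class LoginEvent:
    device_id: str
    hour: int       # local hour of day, 0-23
    lat: float
    lon: float
    ts: float       # epoch seconds
    action: str
    net24: str      # first three octets of the source IPv4 address

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def risk_signals(ev, prev, profile):
    """Return the attribute checks that fired for ev, given the user's previous event (or None)."""
    checks = [
        ("unknown_device", ev.device_id not in profile["devices"]),
        ("unusual_time", ev.hour not in profile["hours"]),
        ("unusual_network", ev.net24 not in profile["networks"]),
        ("sensitive_action", ev.action in SENSITIVE_ACTIONS),
        ("unusual_action", ev.action not in (profile["usual_actions"] | SENSITIVE_ACTIONS)),
    ]
    signals = [name for name, fired in checks if fired]
    if prev is not None:
        hours = max((ev.ts - prev.ts) / 3600, 1 / 60)  # floor at one minute: no divide-by-zero
        if km_between(prev.lat, prev.lon, ev.lat, ev.lon) / hours > MAX_PLAUSIBLE_KMH:
            signals.append("impossible_travel")
    return signals

def decide(signals):
    # Assumed policy: impossible travel, or a sensitive action from an unknown device, is denied;
    # any other signal steps up to MFA; a clean event is allowed on the password alone.
    if "impossible_travel" in signals or {"sensitive_action", "unknown_device"} <= set(signals):
        return "deny"
    return "step_up_mfa" if signals else "allow"
```

A real deployment would build the profile from an authentication log rather than a literal, and would treat the threshold and policy as tunable; the structure of the checks is the point.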
What if they did and wrote on every case, “You were right. I was wrong”?