Ok I figured I’d ask here before opening a support ticket since they are just so difficult to work with.
How is everyone handling logins to Kinetic Cloud? We are a manufacturing company that is required to adhere to ITAR and NIST 800-171 security requirements due to the storage of CUI and contracts with Government suppliers.
Right now I would say I’m a little behind the ball since we don’t have Epicor SSO to our domain, or MFA set up for Epicor (not sure if you even can for 10.2.700), but going forward, and going to cloud, we NEED to do something since we have some generic logins that some areas use, as well as being publicly available; all of the logins need to be secured by MFA since they will at the very least all have access to Part Tracker, subsequently allowing them access to BOMs of the sensitive data.
What are you guys doing for logins? How are they synced with your Active Directory if you have one? And what licenses (outside of Epicor) are necessary to have an MFA solution deployed?
My current setup consists of an on-prem Active Directory that we sync with our O365 environment, which controls our email. We don’t have government-level cloud for O365, so we do not use any cloud or OneDrive storage. All users and passwords are synced with Microsoft Entra, and that’s where I manage and enforce MFA for webmail/mobile-accessible users. MFA for in-house AD logins is utilizing YubiKeys and the AuthLite application. It’s only enabled and required for those who have access to sensitive data or those who have VPN access.
My big question is how does Epicor integrate into that environment? And do the users in that environment need a Microsoft license in order to have MFA enabled on their account? Or does Epicor Cloud have a stand-alone option for those users who may not have a Microsoft license, where I can just set them up in the Kinetic Cloud environment and enable MFA there?
Ok, I may have answered one of my questions. I had an AD account that is synced with Entra and has no Microsoft applications licensed to it, and I was able to add it to my MFA group, and when I tried logging into Office.com with those credentials it had me set up MFA using Microsoft Authenticator. It logs into the Office account and shows no apps, as it should.
Oh, here’s another one: what MFA solutions do companies use in an environment where phones are not authorized to be on a manufacturing floor? For cloud-based logins, of course… I see everything these days pushing Microsoft Authenticator, Google Authenticator, or text message.
I don’t know what people are doing where the shop floor computer is being used for data collection, but it obviously needs a Kinetic user to log in, and if you’re fully SSO for compliance or whatever, does that mean every hourly worker you have, you have to add to Entra? Sounds like a lot for HR/IT… so you could create one Entra account and tie it to a YubiKey and instruct people what to do when it asks for MFA (which will be the YubiKey), and that way you don’t need a phone.
THANK YOU! I was wondering if this was a possibility… And since it appears that it is, I can lock down our MES user to only be able to log in from our two IP addresses.
Cool, I need to dig into this further; our current YubiKeys say they support FIDO2, so that should provide us with an easier solution for MFA login to Office and not require a device, and it ties into something we already have in use. I will have to test and see if I can link my current YubiKey to my O365 login.
When I asked Kramer and Gail about this yesterday they didn’t seem fazed about having a generic auto-login for MES even when we move to cloud. Currently people don’t know the password, and I can make it extremely difficult if it’s set up for auto-login, so that alone can help secure it. If I had to introduce a YubiKey for that on the floor… oh dear God, would that not go over well.
I tested this on my profile for now; I also had to migrate our MFA environment up to the newest version on Entra before I could even test it… But since it treats the FIDO2 login as completely passwordless, it requires you to set up a PIN that gets tied to that USB device, or at least the way I was testing it, it required that. So if that’s how it works, then the users would need to know the PIN and have the token. That would be miserable for Data Collection.
I have not been successful in getting it to allow me to log in using it though, so I’m still working at it. I have so many other things going on it’s hard to dedicate time to this one thing and get it working.
Yeah, the PIN to the USB device, but in Entra you can add Conditional Access so that the user can only log in to the device from a certain network, etc. You could post the PIN if you wanted to; it’s no different than sharing a password. I know all of these suggestions are probably not sanctified by NIST or something else; would love to hear @Mark_Wonsil’s take.
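One way to implement the network restriction the two posts above describe (the shared MES account allowed to sign in only from the plant’s two public IP addresses), as an added example that is not from any poster; it assumes the Microsoft Graph PowerShell SDK, an admin with the listed scopes, and placeholder UPN and IP addresses.

```powershell
# Added example (not from the thread). Assumes the Microsoft.Graph PowerShell SDK.
# The UPN and CIDR ranges below are constructed placeholders; replace with your own.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# The shared MES / data-collection account the thread talks about (placeholder UPN)
$mesUser = Get-MgUser -Filter "userPrincipalName eq 'mes-floor@example.com'"

# Named location: the plant's two public egress addresses (placeholders)
$locBody = @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Plant egress IPs"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.10/32" },
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.11/32" }
    )
}
$plant = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $locBody

# Conditional Access policy: for the MES account only, block sign-in to all cloud
# apps from every location except the plant named location created above.
$polBody = @{
    displayName = "Block MES account outside plant"
    # Start in report-only mode to check sign-in logs, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @($mesUser.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($plant.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $polBody
```

Review the report-only results in the Entra sign-in logs (Conditional Access tab) before enforcing, so a wrong egress address does not lock the floor out.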
McDonald’s was one of the first users of the Entra QR Code authenticator. I think the video is below; if not, I’ll update the post. The McDonald’s Entra ID person said they can’t afford FIDO keys for everybody and they needed to be able to issue creds in the field when an employee forgets their badge. Sounded like there’s still room for improvement, but it might be interesting.
I had the same thought, until we did it almost 10 years ago now. We use the Yubikey Micros on the shop floor. There is a USB extension on top of the desk. With a little training everyone figured it out. It’s 2nd nature now and no one thinks about it. Looking back, was pretty painless.
What exactly do you use the YubiKey to log in to? Is that to log the MES machine onto the network, or is that linked to an Epicor MES account for passwordless sign-on?
We’ve had things established in this company for years, and those still aren’t 2nd nature. Unfortunately anything that has to do with tech, a large majority of our employees struggle with it.
Of course Microsoft had to complicate adding a YubiKey as a sign-in device too. They require the user to already be set up with MFA before you can set up the YubiKey, so that means if the user doesn’t already use Authenticator, you need to set them up with a Temporary Access Pass and then enroll them with the YubiKey.
I guess I still don’t know enough about how Epicor will tie in their login process to our already established O365 environment. I’m really wondering how that will work since our O365 is not government level, but we are required to purchase the government level for Kinetic Cloud.
I’m trying to plan for this before we sign papers for the uplift, but it seems like I can’t do that, and we have to just figure it out as we go.
I’m liking the potential option of locking down a user to only sign on from a specific IP address. That may work out well for our MES account, but we’ll see.
YubiKey is one option; for our secure accounts we’ll be using smart cards to accomplish the same thing. The Entra SSO works fine, and as long as you meet the FIPS requirements in NIST 800-171 I’m sure many things would work.