Been looking at the documentation relating to enabling Two Factor Authentication for accessing the various Commvault interfaces/consoles as found at https://documentation.commvault.com/commvault/v11/article?p=107087.htm
In reviewing the documentation, it appears that the initial Secret Key required to set up a user’s PIN-generating tool is sent by email from the Commvault application the first time a user attempts to log in after Two Factor Authentication is enabled.
Apart from options for customizing two email templates (one containing the PIN and Secret Key, and one sending only the PIN), the only other security option is to use TLS or SSL on the Email Server to further secure the email. However, it is not clear to me whether choosing the PIN-only email template means the Secret Key is not sent via email, since the documentation about “Obtaining a Secret Key for Two Factor Authentication” explicitly says it is sent by email and only email (see https://documentation.commvault.com/commvault/v11/article?p=7960.htm).
Surely sending a persistent two-factor authentication Secret Key by email, encrypted or not, is not an ideal way to implement this capability, especially as this Secret Key appears to be persistent?
Hoping the product team is able to look into leveraging a more secure method of providing the Secret Key that doesn’t rely on an email to the user from the Commvault application. Perhaps the Secret Key can be provided via the web console interface with a limited time-frame to enable it to be registered with the PIN-generating app, or as a QR code that can be scanned by one of the PIN-generating apps?
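As an added example (not Commvault's code and not from its documentation), here is a sketch of the time-limited, console-based enrollment the post suggests: the TOTP secret is generated server-side, shown once as an otpauth URI (the content of a QR code), and only becomes active if the user proves possession by entering a valid code before the pending window expires, so nothing persistent is ever mailed. The issuer name, the 10-minute window and the in-memory store are constructed assumptions; the TOTP arithmetic follows RFC 6238 with HMAC-SHA1, which is what common PIN-generating apps implement.

```python
import base64, hashlib, hmac, secrets, struct, urllib.parse

ENROLL_WINDOW = 10 * 60  # constructed: pending secret expires after 10 minutes

def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (RFC 4226 dynamic truncation)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def secret_from_uri(uri: str) -> str:
    """What the PIN-generating app does after scanning the QR code."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(uri).query)["secret"][0]

class Enrollment:
    """Hypothetical enrollment flow: secret displayed once in an authenticated
    console session, activated only after a correct code arrives in time."""

    def __init__(self, issuer: str = "ExampleConsole"):   # issuer is a constructed name
        self.issuer = issuer
        self.pending = {}   # user -> (secret, expiry_epoch)
        self.active = {}    # user -> secret, usable for login only once confirmed

    def begin(self, user: str, now: float) -> str:
        """Issue a fresh 160-bit secret and return the otpauth URI to render as a QR code."""
        secret = base64.b32encode(secrets.token_bytes(20)).decode()
        self.pending[user] = (secret, now + ENROLL_WINDOW)
        label = urllib.parse.quote(f"{self.issuer}:{user}")
        return f"otpauth://totp/{label}?secret={secret}&issuer={self.issuer}&digits=6&period=30"

    def confirm(self, user: str, code: str, now: float) -> bool:
        """Activate the secret only if a valid code is presented before expiry."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        secret, expiry = entry
        if now > expiry:
            del self.pending[user]          # expired: user must restart enrollment
            return False
        # Tolerate one step of clock skew either way; constant-time compare.
        ok = any(hmac.compare_digest(totp(secret, now + d), code) for d in (-30, 0, 30))
        if ok:
            self.active[user] = secret
            del self.pending[user]
        return ok
```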