VMware Cloud Provider Hub™ offers a single portal for VMware partners to purchase, provision and manage the VMware suite of Cross-Cloud services. Providers can log in to VMware Cloud Provider Hub to manage these services for their tenants. Tenants can consume the services using the same portal, and access to features and functionality is governed by the role-based access permissions of the roles assigned. For details on onboarding or managing tenants and services, refer to the previous blog here.
Recently we announced support for multi-factor authentication in VMware Cloud Provider Hub. Multi-factor authentication (MFA), also referred to as two-factor authentication, is a simple best practice that provides increased security for user accounts, for provider as well as tenant users. It provides an extra layer of protection on top of your username and password.
Each user needs to opt in to this additional level of security by choosing Activate MFA Device under My Account -> Security in the VMware Cloud Provider Hub console. We support virtual MFA devices at this time. Before activating a virtual MFA device, a virtual MFA application such as Google Authenticator or Duo Mobile needs to be installed on the device to generate the Time-based One-Time Passcode (TOTP) needed to authenticate. Please refer here for the latest list of supported two-factor applications.
Activating an MFA device can be achieved in three easy steps:
Step 1: Log in to VMware Cloud Services using your username and password. Go to My Account -> Security -> Activate MFA Device.
Step 2: The device used to generate the TOTP needs to have a supported application installed, as specified here. Once you point the application on your device at the QR code in the console, provide:
- the password of your account
- the first passcode generated on the device
- a second passcode generated on the device after 30 sec
Then select ACTIVATE.
Step 3:
Now Recovery Codes are generated, which need to be downloaded and stored in a persistent location. Recovery codes allow you to log in if the device used becomes unavailable at any time.
Once you COPY, DOWNLOAD or PRINT the recovery codes, you can select Finish, and that's it. The MFA device is activated.
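How the two passcodes requested in Step 2 relate to each other, shown as an added example that is not part of the original post and is not VMware's implementation: an RFC 6238 TOTP generator and a check that two submitted codes come from consecutive time steps. HMAC-SHA-1, 6-digit codes, the sample secret and the names totp and verify_enrollment are assumptions; the 30-second step is the interval mentioned in Step 2.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (the "after 30 sec" in Step 2)
DIGITS = 6   # assumed passcode length

# Constructed sample secret (the RFC 6238 test key, Base32-encoded).
# A real secret is what the QR code carries to the authenticator app.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """Return the TOTP for the time step that contains unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)       # 8-byte big-endian step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_enrollment(secret_b32: str, code1: str, code2: str,
                      now: int, drift_steps: int = 1) -> bool:
    """Accept only if code1 and code2 come from two consecutive time steps.

    code2 is expected to belong to the step containing `now`, give or take
    drift_steps steps of clock skew; code1 must be from the step before it.
    """
    for s in range(-drift_steps, drift_steps + 1):
        t2 = now + s * STEP
        t1 = t2 - STEP
        ok1 = hmac.compare_digest(totp(secret_b32, t1), code1)
        ok2 = hmac.compare_digest(totp(secret_b32, t2), code2)
        if ok1 and ok2:
            return True
    return False


if __name__ == "__main__":
    now = 1111111111                        # constructed timestamp
    first = totp(SAMPLE_SECRET, now - STEP)
    second = totp(SAMPLE_SECRET, now)
    print(first, second, verify_enrollment(SAMPLE_SECRET, first, second, now))
```

Asking for two consecutive codes confirms that the device holds the secret and that its clock is close enough to the server's, since a single guessed or replayed code does not satisfy the check.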
Log in after MFA activation
Once MFA is activated, the user needs to use both the credentials (username/password) and the MFA code generated by the virtual MFA device to log in to VMware Cloud Provider Hub.
Once MFA is activated, a provider will need to use MFA to authenticate whether logging in to the provider organization or a tenant organization. Managing MFA can be done from any organization.
If at any time the MFA device is unavailable, one of the recovery codes can be used with Troubleshoot MFA to log in.
Deactivate MFA Device
At any time the user can choose to switch off two-factor authentication, in which case the device is still activated, but login does not require the second factor to authenticate.
However, Deactivate MFA Device will actually remove the virtual device for this user. Deactivation requires confirmation of the user's password. At any time, you can have only one device attached. To attach another device, you need to Deactivate MFA Device and then activate the device of your choice. If you want to attach the same device after deactivation, you need to scan the QR code again.
Thus we can see how easy it is to use MFA for authentication, and yet it provides security for your identity and thus your resources in VMware Cloud Provider Hub.
Soon VMware Cloud Provider Hub will support identity federation with corporate directories, when providers and tenants can choose their own MFA policies.
Additional Resources
Visit the VMware Cloud Provider Hub site for the latest updates and resources.