Posted January 12, 2022

It is recommended by Invision to store information regarding FTP/SFTP and ACP login to our communities in order for IPS staff to be able to more quickly provide support when needed. I understand and support this, as I appreciate being able to reduce the amount of time going back and forth trying to get access. However, I would like to see IPS add additional controls on how it accesses our sites. For example:

- IPS staff ask us to disable 2FA for an account used by support. This literally opens a back door to our site. We should not be forced to enable/disable 2FA access for IPS to provide support. There are ways for staff to be able to share a 2FA token. We could technically create a second Admin group that does not require 2FA access, but again it opens an avenue for an attacker to potentially work around the existing controls.
- IPS does not support password-less FTP/SFTP access. Passwords are a huge security risk. They open the door to brute-force attacks unnecessarily for those who choose a more secure method of using keys. Please consider allowing us to store a key file for access instead of just a password.

I understand not everyone needs/wants the additional layers of security; however, I would hope IPS would be willing to consider supporting these additional capabilities for those that do add additional layers of controls to their community.
January 12, 2022

I agree completely, especially regarding password-less server access. My way of solving this issue is to leave the support account in the member group, and only make it an administrator when I actually need support. In addition to this, I have disabled password-less access to my servers and it’s never been necessary to change this. I did once try to configure SFTP with access to the necessary files only, but on my current setup this is disabled as well.
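
The key-only, files-only SFTP access discussed in the two posts above could look like this on an OpenSSH server. This is an added example, not part of either post or of Invision's documentation; the account name `ips-support` and the path `/srv/community` are assumptions.

```conf
# Fragment for /etc/ssh/sshd_config (added example).
# "ips-support" and "/srv/community" are assumed names, not taken from the thread.

Match User ips-support
    # Accept a public key only, so there is no password to brute-force.
    PasswordAuthentication no
    AuthenticationMethods publickey

    # Confine the session to the community files.
    # sshd requires every component of this path to be root-owned and
    # not writable by group or others; writable content goes in a
    # subdirectory owned by the site user.
    ChrootDirectory /srv/community

    # SFTP only: no shell, no terminal, no tunnels through the account.
    ForceCommand internal-sftp
    PermitTTY no
    AllowTcpForwarding no
    X11Forwarding no
```

Check the file with `sshd -t` before reloading the daemon, so a syntax error does not lock out existing access.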