MFA on the Palo Support Portal?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

MFA on the Palo Support Portal?

L4 Transporter

I saw the announcement that they were going to start requiring MFA for logging in on the Palo Alto websites and it mentions a code via email, however, I was already set up to use an authenticator app for this.  When I went to log in today, it seems to be ignoring my account settings and doing the email code every time.  I tried switching to the email method, saving, and then changing back to the authenticator option and saving again but it still seems to only give me the option to email a code at login.

 

Is anyone else running into this too?

1 accepted solution

Accepted Solutions

Possibly cannot.

The only way to change the default 2FA method to others is login to the following website which required individual user credential.  It seems it's a per-user options.
https://sso.paloaltonetworks.com/enduser/settings

Life is full of surprise,
Just embrace it!

View solution in original post

13 REPLIES 13

L5 Sessionator

Internally I've had to reset my preferences 2 different times. Before you login, where you type your email, click the blue "get help" button to open a case, have them reset your preferences, and try it that way. Sometimes the frontend doesn't talk so good to the backend. 

Help the community! Add tags and mark solutions please.

Ok thanks.. we may have to do that.  I just went in there again and I was able to re-enroll in the Google Authenticator method successfully but the login process still seems to be ignoring it and going to the email code.

L2 Linker

@jsalmans were you able to re-enroll? for me it's not even show options to re-enroll. Get it going with email for now waiting to hear back from support. 

L2 Linker

This is what I got from palo support. 

Users may be asked to change their passwords in order to meet the new password policies.
MFA will be enforced for all customers, irrespective of the product or the application they are trying to access


Why am I being prompted for MFA?
MFA is enforced for all customers and partners irrespective of what application or product is accessed

What are the MFA factors that are currently supported with this change?
Only Email is supported and more MFA factors will be added in the future (Eg: Google Authenticator)

I currently use Google Authenticator as an MFA factor. Will it continue to work?
Unfortunately, No. Once we support the Google Authenticator on Okta, it will have to re-registered since there is no way to port over the data

Can a customer account be exempted from MFA?
No, this is no longer an option. A valid business justification will be required for an exemption, which will then be reviewed with the Information Security team to assess the risk of doing so.

Why am I being prompted for password change?
Customers are prompted to change if their current password does not comply with new password standards

How often do I need to change my password?
Every 365 days from the last time the password has been changed

L3 Networker

Anyone else having a hard time using the email authenticator? It took several tries to get an email before the session timed out.

L2 Linker

yup had some issue in beginning but then we whitelisted that email to bypass email gateway.

L2 Linker

The email of OTP for 2FA always delayed for me.  😑😑😑

Life is full of surprise,
Just embrace it!

L4 Transporter

Is it just me or is the MFA options completely gone now?  It's using the "email a code" method still but I figured by now they'd have re-implemented the option to use an Authenticator.  I looked the other day and I don't see anything MFA related at all anymore in the user sections.

Just found out last week, the other 2FA options have been moved to other places

 

If your account is FedRAMP (federal), single sign-on (SSO) supports the following 2FA methods:

  • Email
  • Okta Verify

If your account is not FedRAMP, SSO supports the following 2FA methods:

  • Email
  • Okta Verify
  • Google Authenticator


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClN9CAK

Life is full of surprise,
Just embrace it!

L2 Linker

Thanks! that worked for me. 

Thanks!  Do you know if you can still control it for other users in your org?  I'd like to make the Google MFA option required for everyone on our portal like we used to have.

Possibly cannot.

The only way to change the default 2FA method to others is login to the following website which required individual user credential.  It seems it's a per-user options.
https://sso.paloaltonetworks.com/enduser/settings

Life is full of surprise,
Just embrace it!

L1 Bithead

Hi.

Since Palo Alto requires MFA for Support portal I am getting more and more frustrated, I am using Support portal, KB and everything everyday all the time. I have to authenticate all the time, this doesn't help me.

How can we improve user experince with all these security improvments?

 

KR

 

 

 

 

 

  • 1 accepted solution
  • 9652 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!