In August, we announced our intention to move to mandatory two-factor authentication (2FA) for Datto RMM after a period of feedback. Your supportive responses leave us confident that mandating 2FA for Datto RMM is the appropriate action to keep our partners and their end clients secure. We also recognized an opportunity to act on many of the enhancement suggestions received. We will be implementing a series of changes to:
This plan brings MSPs closer to a single login experience for all Datto products and delivers many of the requested benefits that already exist within Datto SSO. If you have any questions or concerns, please email firstname.lastname@example.org.
We learned the following from reviewing and discussing all of the feedback we received:
It became clear to us that, to create a satisfactory solution for our partners, we couldn’t just add or fix 2FA features in Datto RMM. We needed to expedite our move to SSO across all Datto products. This would result in less disruption and also significant benefits for our partners:
A: Users can authenticate using Time-based One-time Password (TOTP) or Authy. TOTP is most commonly used with tokens generated by Google Authenticator, Microsoft Authenticator, DUO, LastPass, Myki or others. We will also be able to deliver the tokens over email. Authy can work with Push notifications in its mobile app. Tokens can also be delivered using the app, SMS or voice call. A great benefit of Authy, in addition to Push support, is that users can migrate their configurations between phones. Authy requires a phone number to set up. More details on these options can be found in this Knowledge Base article.
A: No, users will be able to log in from the same place as before (https://www.centrastage.net/csm/login or autotask.net).
A: No, users who had Google Authenticator set up will be able to use it as before; we are migrating your configuration.
A: This change will have no effect on SSO between Autotask PSA and Datto RMM. When users jump from Autotask PSA to Datto RMM, no re-authentication will be required. Be sure to enable 2FA in Autotask PSA if you allow users to SSO into RMM. In the future, Autotask PSA will also move to Datto Authweb (SSO).
A: There are various solutions that support TOTP in a desktop application. Applications like Authy and Myki can be configured to generate tokens for you without the need for an app on a phone, either via a desktop or browser app. The email-based 2FA would also work without the need for a phone.
A: Yes. The iOS app doesn’t support our new authentication method, and fixing it demands significant time and effort. Note that our new interfaces (UI and Web Remote) are responsive and mobile-compatible by default.
A: Yes, user sessions and activity will still be available in the User Activity log.
A: The IP validation feature, which requires user approval for sessions from unknown IPs, is only in effect for users without 2FA enabled. Since all users will be required to use 2FA, this feature will no longer be necessary. Authweb will, however, send you an email notification any time someone logs in from an unauthorized IP.
A: Under Setup -> My info, the options for 2FA and Change Password will redirect to the corresponding page in Datto Portal.
Under Setup -> Account Settings, the option to Enable/Disable 2FA for all users will be removed.
A: After a new user is created in RMM, the user will receive an email with steps to create their own password and set up 2FA.
It will no longer be incumbent on the Administrator to set a password for the new user.
A: Administrators will be able to send password reset emails to users wishing to change their passwords.
A: IP whitelisting rules that are set up in the RMM portal will still be in effect. If configured, users will only be able to log in from IP addresses listed in the whitelisting section.
A: Yes, logging in and interacting on the Datto RMM Community is unchanged.
A: Yes. Authentication will happen using auth.datto.com with IP address 18.104.22.168
A: No changes will be made to RADIUS-based authentication.
A: Please contact our support group with any questions you might have: https://www.datto.com/contact
You can also use the Community if you have other questions.