Prompt or emulate Multifactor Auth (MFA) for Change approval

We have a customer requirement to force a prompt during change approval, essentially MFA, to validate that the person approving is the person actually approving the request. At some point there was an incident where email was delegated, a device was left unlocked or something similar, and something was approved, which prompted additional validation during approval chains. Has anyone implemented MFA or emulated a prompt (assume a mobile device) in a custom app? Are there events we can listen for other than ticket update (e.g. approval click) to effectively interject into the approval chain for a Change Control? Any guidance on whether this is a feasible request to implement would be greatly appreciated.

@rasimm

I looked up the app documentation and APIs for Freshservice, and I can confirm from the platform’s end that there isn’t any direct API to listen to the user click events over “approve”. But it seems like there’s a feature within Freshservice that allows admins to add specific users to a group that will force users to perform MFA when using Freshservice.

Here’s more information regarding it: How Can an Organization Admin Enforce 2FA as a Policy for All or Some Users in the Organization?

Are you specifically looking to bring 2FA or MFA for the change approval alone?

@Saif

The customer wants approvals to have a secondary authentication to ensure they are the approving user. For instance, you click to approve a change, you would get a text message with a code to enter or notification on your device like Duo, Google Authenticator, Microsoft Authenticator, “Is this you approving CHN-1234?”. The customer will likely have 2FA\MFA to get into the application, but they want another layer specifically for Change Control approvals. Having the ability to do push notifications to the mobile app might provide some options, but have not seen anything like that in the documentation.

From what I’m seeing in the documentation, you would have to catch the approval after it’s complete with a ticket update event, perform validation, and then rollback the approval if secondary authentication occurred.
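The approach described in the post above (catch the completed approval from the update event, validate, roll back on failure), as an added example that is not part of the thread and is not Freshservice or Freshworks code. The function names, the event fields (`approvalId`, `changeId`, `approver`) and the `sendCode` / `revertApproval` callbacks are hypothetical stand-ins for whatever the app wires to the platform and to an SMS or push provider.

```javascript
// Added example: hypothetical post-approval step-up check. Nothing here is a
// Freshservice/Freshworks API; sendCode and revertApproval are assumed callbacks.
const crypto = require('node:crypto');

const TTL_MS = 5 * 60 * 1000;   // assumed challenge lifetime
const MAX_ATTEMPTS = 3;         // assumed retry limit
const challenges = new Map();   // approvalId -> pending challenge

const digest = (s) => crypto.createHash('sha256').update(String(s)).digest();

// Call from the update-event handler once an approval is seen as completed.
function onApprovalRecorded(evt, sendCode, now = Date.now()) {
  const code = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  challenges.set(evt.approvalId, {
    changeId: evt.changeId, approver: evt.approver,
    codeHash: digest(code), expires: now + TTL_MS, attempts: 0,
  });
  // The prompt names the change so the approver sees what is being confirmed.
  sendCode(evt.approver, `Is this you approving ${evt.changeId}? Code: ${code}`);
}

// Call when a code is submitted. Returns 'confirmed', 'retry', 'reverted' or 'unknown'.
function confirmApproval(approvalId, approver, code, revertApproval, now = Date.now()) {
  const c = challenges.get(approvalId);
  if (!c) return 'unknown';                        // no pending challenge
  const fail = () => {
    challenges.delete(approvalId);
    revertApproval(approvalId, c.changeId);        // roll the approval back
    return 'reverted';
  };
  // Expired, or submitted by someone other than the recorded approver.
  if (now > c.expires || approver !== c.approver) return fail();
  c.attempts += 1;
  if (crypto.timingSafeEqual(digest(code), c.codeHash)) {
    challenges.delete(approvalId);                 // single use
    return 'confirmed';
  }
  return c.attempts >= MAX_ATTEMPTS ? fail() : 'retry';
}

// Run periodically: approvals never confirmed in time are rolled back.
function sweepExpired(revertApproval, now = Date.now()) {
  let reverted = 0;
  for (const [id, c] of challenges) {
    if (now > c.expires) { challenges.delete(id); revertApproval(id, c.changeId); reverted += 1; }
  }
  return reverted;
}
```

Because the check runs after the approval has been recorded, anything the approval triggers can act before a revert lands, so the window between the update event and confirmation should be kept short.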

You are right, @rasimm

From the integration options provided by both the Freshworks platform and the Freshservice product, it seems like we’ve hit a dead end.

I can advocate the platform to scope such requirements from the platform side. I will do it.

From my product knowledge standpoint, I am out of options. I will try to connect you with the Freshservice team to take this discussion further in the hope of finding a possible solution.

UPDATE: The ticket has been created for you and Freshservice team. You can follow up on the same ticket.

Freshservice Support:

Hi Rob Simmers,

We don’t support 2FA in approvals, for now. We’ll take it as a feature request.

Workaround: If you’ve implemented 2FA in your FS login mechanism, you can enforce the approvers to log in before approving.