Setting up 2FA for FalconPy?

[cyberbeach33]

Hi, Is there a document explaining how to setup 2FA for FalconPy (using okta/duo/etc)? Also, I've used PSFalcon in the past and used Microsoft Powershell SecretVault to store creds, is there a similar way to do auth for FalconPy? Also, if there a way to push auth to a phone when a user wants to run falconpy scripts? Thanks!

[cyberbeach33]

Additional comment... does anyone have a key management system they recommend that is locally hosted (in a file/encrypted) and requires auth to get new Client Token for use? Again, the "SecretVault" from MSFT in powershell works pretty well, but would love to have a python solution not requiring PS.

[jshcodes]

Hi cyberbeach33 -

Thanks for the questions! 😄

Note

While FalconPy maintains credentials and authentication state within the Authentication Object, it does not maintain information about how these credentials are provided or additional authentication factors used. This is intentional, and allows for more developer flexibility regarding these types of requirements.

Let’s start with credential storage.

Storing credentials

There are many examples of storing credentials using Python online, with none of them necessarily being the “right” or “wrong” answer. Each solution has unique advantages and disadvantages. Some solutions may align to the needs of your environment, others… maybe not so much.

FalconPy repository examples

We have a few examples demonstrating potential solutions here within this repo:

• Local encryption - Store credentials locally encrypted within a file or the environment. There is a discussion post related to this solution here. This example demonstrates AES/CBC but can be modified as needed.
• AWS Parameter Store - Store credentials within AWS Parameter Store.
• Azure Key Vault - Store credentials within Azure Key Vault.
• GCP Secrets Manager - Store credentials within GCP Secrets Manager.

A few other possibilities

Additional options that leverage different vendors:

• CyberArk - Found a possible example here.
• HashiCorp Vault - Simple example here.

• Okta may be more complex depending on what we are trying to do. Here is a simple flask project example that also talks about authentication and may speak to pieces of this ask.

Two-factor authentication

As mentioned, FalconPy doesn’t handle this part of your application, but there are several potential solutions that would work in conjunction with a project leveraging FalconPy. Some of the available options provide SMS / phone interaction as an available second factor, others you may need to do more work to get there. All of these vendors provide documented SDKs for interacting with their APIs. These solutions could also be potentially mixed with the examples mentioned above.

Important

Depending on implementation, it may be trivial for your application users to circumvent these solutions if they have access to the Python source.

• Auth0 - A writeup for working with Auth0 and Python can be found here.
• Duo - A writeup for working with Duo and Python can be found here.
• Google Authenticator
• Plivo - Writeup documentation can be found here.
• Twilio / Authy - Blog post describing this solution.

[cyberbeach33]

Excellent. Thanks for the help!