Policy: Autolock + Require Password

[erickufrin-okta]

Allow for centralized policy control of certain settings + enforcement of password.

• enforce autolock after X-num min (for flexibility it should allow for X-number of minutes vs pre-defined increments)
• enforce autolock on startup (upon launch of a new chrome tab, the OTP's should be locked)
• enforce password be set (dont allow enrolling OTP tokens without a password set first)

Without these features it is easy for someone to access OTP codes on an unlocked workstation.

For things which may only require an OTP code, by having a password to unlock the Authenticator extension gives us an additional "factor" of "something known" as well as "something I have" being the enrolled OTP extension itself.

While having optional features to autolock and passwords is great, we need to have a way to make them mandatory by policy and push via normal management channels.

The 3 ways we apply policy to Chrome extensions are:

• Windows Group Policy
• macOS JAMF
• ChromeOS cPanel

[mymindstorm]

enforce autolock on startup (upon launch of a new chrome tab, the OTP's should be locked)

This is honestly a bit excessive. It already will display the password prompt on every fresh browsing session (I'm not clear on what you mean by 'startup'), combining enforcePassword and enforceAutolock should be more than enough control over when the password prompt comes up.

I've made the other two for you (and a disableExport setting), they will be available with the next release.

[erickufrin-okta]

Ok. Based on your description of the way it works when combining the two enforcements, that would in fact meet the need. Thanks for your consideration.

…

On Friday, August 30, 2019, mymindstorm ***@***.***> wrote: enforce autolock on startup (upon launch of a new chrome tab, the OTP's should be locked) This is honestly a bit excessive. It already will display the password prompt on every fresh browsing session (I'm not clear on what you mean by 'startup'), combining enforcePassword and enforceAutolock should be more than enough control over when the password prompt comes up. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#375?email_source=notifications&email_token=ADSF5X2T6TYACOCPJN6UCYDQHGRX5A5CNFSM4IMLMRAKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD5S7A3A#issuecomment-526774380>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ADSF5X2RY2MKGO3E7YRSFALQHGRX5ANCNFSM4IMLMRAA> .

-- *Eric Kufrin | Staff Architect - Information Security | Kohl's* W165N5830 Ridgewood Drive | Menomonee Falls, WI 53051 | office: 262.704.0138 | cell: 414.334.0025 | email:eric.kufrin@kohls.com CONFIDENTIALITY NOTICE: This is a transmission from Kohl's Department Stores, Inc. and may contain information which is confidential and proprietary. If you are not the addressee, any disclosure, copying or distribution or use of the contents of this message is expressly prohibited. If you have received this transmission in error, please destroy it and notify us immediately at 262-703-7000. CAUTION: Internet and e-mail communications are Kohl's property and Kohl's reserves the right to retrieve and read any message created, sent and received. Kohl's reserves the right to monitor messages by authorized Kohl's Associates at any time without any further consent.