In regards to the MFA via mobile device, would it be possible to have one or a few accounts set up this way before it changes for all team members?
- Yes, we can arrange for a soft roll-out for specific users, if a partner would like to test this out prior to the wider implementation.
Can a single user (one email address) utilize both forms of authentication (Mobile & Yubi Key)? For example, a user may have a Yubi key tied to their personal workstation, but then they also use their mobile device for additional shared workstations throughout the facility?
- Yes, one user may utilize both forms of authentication.
With the MFA set up will we need the operators’ mobile phone numbers?
- No, each user will download the necessary application and will scan a QR code to enable MFA on their specific mobile device.
Can multiple accounts be associated with the same mobile number? Due to the way different tasks are served within Asset QC, some partners may have multiple email addresses onboarded for the same user. So, for the QC operator role, John Smith may be onboarded under firstname.lastname@example.org. Then, for the QC verifier role, they may have a separate account under email@example.com.
- Yes, most mobile device authentication options can support multiple profiles for each user tied to different email addresses.
Vendor managers can reassign jobs, but they won't be able to complete a job logged in with the operators’ credentials, and this will make the individual metrics monitoring irrelevant/unavailable. They log in as their operators to pick tasks in advance to schedule their staff ahead of their actual shifts. Can task selection, QC & verification Start, QC & verification Completion all be moved to the Vendor Manager role.
- This will require a significant product change. We are currently evaluating the impact versus the engineering lift this would require with our product team and will factor in MFA as an additional point of operational friction for our partners where this change would be beneficial.
Is it possible to adapt the Download Manager role in Asset QC to allow QC operators to also download content? Having a single person tied to a ‘transfer only’ function does not seem feasible as we do not have transfer personnel available 24/7. If that person is out on vacation or sick, our operators would be unable to work on the tasks. Having the operator logins also allow for content download would definitely streamline the QC workflow.
- Currently, we are not planning to make any changes to allow QC operators to download content. That being said, you can simply enable multiple Download Managers, if you need to allow for additional coverage. For jobs downloaded across multiple shifts, we do not see an issue allowing downloads to complete after an operator finishes their shift. We suggest creating a shift change process, if possible. When an operator leaves for the day, they do not interrupt any downloads in progress, and they simply sign out of their account. If the transfer fails or times out for any reason, the next shift can restart or retry the download, or they can submit a support ticket to investigate.
Vendor Manager logins typically consist of more than 1 person in our company. Adjusting this to a single user per email address brings up the same issue as mentioned above with Download Managers.
- The single user accounts will not affect your ability to onboard multiple users to that role. They just EACH need to have their own account, versus being under a single email group/ distro list.
There are also times where a Vendor Manager may need to personally troubleshoot a download issue and will log in using the distro account in order to help the download team. Should we request to have content shared with every individual Download Manager account, or is the expectation that each request should always be shared with just one account?
- The Vendor Manager and Download Manager roles specifically, can both be granted to a single user. Content can be shared with as many or as few individual users as needed. Netflix applications are designed to be accessed from anywhere in the world, and a shared account/ email distribution list means that credentials and access are in violation of basic account security by design. It’s our preference to grant access to all individuals who may need access rather than having a shared account. Shared accounts make an investigation of security incidents quite difficult, as anyone with credentials for that account can download content from anywhere in the world with zero visibility into which user initiated the transfer or has access to the content. Single user accounts also give us the ability to quickly disable accounts for users who no longer work for a given partner.
Would it be ok to use Authy for MFA, if our facility is already trained and using it for other MFA enabled portals?
- Yes, our single sign-on method supports Authy, so this should not require any additional work or alterations on the part of Netflix or our partners who choose that option.
Our downloads are largely automated. We’ve previously suggested creating a new account for our automation. This account can be tied to a single IP to minimize security concerns (if possible within AssetQC). Would this be a reasonable solution?
- We don't enable IP exceptions on our internally developed applications. For these accounts, we recommend using the Yubi key option, which can be set up to link access to the Netflix Studio applications on the workstation where this key/dongle is registered.
Will there be any limitation to the number of QC operators and flexibility to add/delete operators, as has been the case historically?
- There’s NO limit on the number of individual accounts we can set up. The ability to add/ delete and also update approved task types/ roles will remain unchanged. It will just mean the additional step of setting up MFA for any new users you may add and disabling access for any users who may no longer be at your facility or have moved to a different team. So, we will rely on each partner to keep us informed when there are personnel changes.
Will Vendor Managers still have access to change the operator as the schedule requires without the multi-factor authentication requirement?
- The goal will be to enable MFA for ALL users (including Vendor Managers). The process will be the same as outlined above for operators, vendor managers, and download managers.
None of our operators have company issued mobile devices. Will personal mobile devices be allowed?
- Yes, personal mobile devices will be allowed for mobile device authentication.
If a user tied to an anonymous email address (e.g. firstname.lastname@example.org) subsequently leaves the team/ company, the MFA will be tied to that user's mobile device. Will partners have the ability to repurpose that anonymous email address for a new user and set up MFA tied to the new user's mobile device?
- Yes, we have the ability via Starship to deactivate the existing account and re-add the same email address under a new account and enable MFA to allow a new user to set up their specific mobile device. MFA will then be tied to the new user's device. We are still investigating internally whether Starship Admins at our partners have this ability as well, so that they may self-serve. But, in the meantime, partners may reach out to their point of contact to request these types of account changes.
For the mobile device option, when an operator clicks “Start QC” or selects a task from the SASS pool, will they then get an authentication code sent to their mobile device that needs to be entered into the system?
- The MFA will actually occur when they log in to their account. When they enter in their login credentials, they will see a prompt to check their mobile device. The authentication app on their device will then have a corresponding prompt that they just need to "approve" before their login will be accepted.
Would it be possible to get more information on how the YUBI Key works so we can assess if it aligns with our internal protocols?
- At a high level, we would need to provision a number of keys to match the number of workstations AND/OR number of operators (depending on the particular operational workflow a partner chooses). There would be some initial set up on your end to connect the keys to each workstation and register each user's fingerprint. Once set up, anytime a user attempts to log in with their credentials to our Studio applications, they will be prompted to confirm their authentication via the key (which will require a fingerprint scan). Their login will only be accepted after they scan their fingerprint, which is tied to their credentials.
Will each user that chooses the Yubi Key option receive ONE key that they can move from workstation to workstation, or would we need a key for every workstation to be used by all individuals logging in from that workstation? Does a single Yubi key need to stay tied to ONLY ONE device?
- We can actually support either option. It actually may be that a partner will prefer to have different options for different teams within their facility (i.e. one key per person for QC operators, but one key tied to a specific station(s) for the Data I/O team).
For the Yubi key option, which requires a fingerprint scan via the key for authentication, how are those fingerprints “stored” on the Netflix side, and who has access to those fingerprints?
- Netflix does NOT have access to the actual fingerprints, nor are they stored on our side. There are unique hashes associated with each fingerprint scan at the time of Yubi key setup, which are then tied to the specific key.
Added question around repurposing anonymous email accounts for new users, in the event that a previous operator leaves the company.