This is not 2FA

[nsdadmin]

This is not 2FA... it's bothering you with an email to login to your account. Two-Factor requires any two of these:

• Something you know (your username & password, check)
• Something you have (a software/hardware code generator, a Yubikey)
• Something you are (fingerprint, etc.)

Bio-metrics are far from perfect, and usually avoided in these situations - I'm just amazed you went through the effort to implement this "2 factor send you an email" when it's simple to implement the time-based solution that is used by Google and others. I've been waiting for a long time for you to add 2FA - and to have it implemented like this is insulting; I feel like you made a half-hearted attempt to placate me (and others that want 2FA).

 

Do it right, folks. Please.

[Chris]

Hi,

Thank you for your feedback. Pulseway currently only supports sending OTP via email at this moment, we have plans for adding support for Google Authenticator in the future too. This is a feature that is very functional and it does add another layer of security.

Chris

[VirtualPanther]

Over a year has gone by. Any news on bringing 2FA up to industry standard? Email verification isn't 2FA...

[Paul]

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

[ComputerConsulting]

8 hours ago, Paul said:

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

 

If it is coming, you should also put in there the ability to turn off the timeout for authenticated browsers.  There is nothing more time wasting than your so called 2FA when you have to constantly login again and again.  What's worse?  Having to get a code via email each time.

 

[Paul]

We will not be removing the timeout on the webapp for security purposes. We are considering on implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours.

-Paul

[ComputerConsulting]

On 2/24/2017 at 11:29 PM, Paul said:

We will not be removing the timeout on the webapp for security purposes. We are considering on implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours.

-Paul

 

As it stands now, it's off after 15 minutes or so.  I won't use 2FA because this, as it is a royal pain.  I should have the ability to set the timeout.  I know whether my computers are secure or not.  At the moment, you are making that decision for me, but your wrong.

[VirtualPanther]

On 2/23/2017 at 6:43 AM, Paul said:

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

Thanks for the update, Paul. I frequently access my account in a location with poor connectivity for my iPhone - cellular or Wi-Fi. Desktop PCs, which are hardwired, work fine. As such, using an authenticator app, of which there are many options, would greatly minimize the headache. My personal choice is Authy, since it enables backup and sync across devices.

[Martin_T]

On 24/02/2017 at 4:29 PM, Paul said:

We will not be removing the timeout on the webapp for security purposes. We are considering on implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours.

-Paul

If the timeout isn't being removed from the webapp, what's the point of this setting (attached) within the RMM?

The PSA has an adjustable timeout which arguably will have more sensitive information regarding clients held within.

[Paul]

On 4/15/2017 at 10:29 AM, Martin_T said:

If the timeout isn't being removed from the webapp, what's the point of this setting (attached) within the RMM?

The PSA has an adjustable timeout which arguably will have more sensitive information regarding clients held within.

That setting allows you to specify what the timeout you want it to be (within reasonable limits). You will notice that it doesn't allow you to exceed a certain limit.

-Paul

[ComputerConsulting]

It's still not available to us and it should be.

[Martin_T]

19 hours ago, Paul said:

That setting allows you to specify what the timeout you want it to be (within reasonable limits). You will notice that it doesn't allow you to exceed a certain limit.

-Paul

That's fine but this limit is 120 minutes (2 hours) but still expires after 10/15 mins.

[Paul]

On 4/21/2017 at 2:46 PM, Martin_T said:

That's fine but this limit is 120 minutes (2 hours) but still expires after 10/15 mins.

That's odd. Can you try again from an incognito browser? It's possible that it's just browser cache.

-Paul

[VirtualPanther]

On 2/23/2017 at 6:43 AM, Paul said:

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

Paul,

Proper 2FA was "definitely coming" since 2016. You last updated us on its roadmap in 2017. Two years went by. No change whatsoever. Any updates?

[Paul]

Hi there,

We were forced to push it due to other features / issues that were more pressing. Here's our current roadmap:

-Paul

[cmiller]

Would love to have 2FA via google authenticator.  

[Chris]

Hi @cmiller,

We are actually working on the 2FA functionality, therefore it will be available into the near future.

[SamIam]

I too am concerned this has not been implemented. This is considered industry standard for proper security around cloud accessible systems. Google 2FA is available on many 'lesser' systems I use and should be on something as important and powerful as an RMM.

Please set this as one of the higher priorities in your development plan.

[Paul]

Hey everyone,

I'm excited to announce that we are working on Push-based and OTP-based 2FA as we speak. This is going to be super-awesome !

-Paul

[UTS Brian]

Any timeline on implementation... and please don't say "Coming Soon" "near future" or any variation of that because it is obvious at this point the definition of that term to Pulseway varies widely from the rest of the worlds.

[Paul]

This 2FA update is coming out in the first week of August. Wohoo !

-Paul

[Kyle]

It is now September.  What is the realistic ETA?

This is why it should be the TOP priority for development!

https://www.crn.com/news/channel-programs/continuum-msp-partner-hit-credentials-stolen-to-deploy-ransomware-to-several-end-customers

Two different MSPs, two different RMM tools. Is Pulseway next? I sure as heck hope not.

Especially since the agents have to authenticate with MY password! I suppose that in itself of a breach entry point.

[Paul]

Hey Kyle,

2FA with support for Mobile App authentication, TOTP and backup codes is coming out in the week that comes. We've pushed it a bit because we wanted to make sure that everything is bug-free and working smoothly from the get-go.

PS: We're still in August 

-Paul

[Kyle]

5 hours ago, Paul said:

Hey Kyle,

2FA with support for Mobile App authentication, TOTP and backup codes is coming out in the week that comes. We've pushed it a bit because we wanted to make sure that everything is bug-free and working smoothly from the get-go.

PS: We're still in August 

-Paul

That's great to hear.  My bad on the Sep comment.  Will it use authy or google authenticator or something else?

[Paul]

It will have three authentication methods:

• Mobile App (Pulseway) where you will see a push notification or when you open the app you will be prompted to approve the authentication request
• Time-based One Time Passcode (TOTP) will work with Google Authenticator, Authy, 1Password, LastPass, etc
• Backup codes (hopefully you won't ever need them)

You must select one of the first two options (you can have everything enabled too), backup codes will always be enabled if you have 2FA on.

-Paul