Posted February 9, 20169 yr This is not 2FA... it's bothering you with an email to login to your account. Two-Factor requires any two of these: Something you know (your username & password, check) Something you have (a software/hardware code generator, a Yubikey) Something you are (fingerprint, etc.) Bio-metrics are far from perfect, and usually avoided in these situations - I'm just amazed you went through the effort to implement this "2 factor send you an email" when it's simple to implement the time-based solution that is used by Google and others. I've been waiting for a long time for you to add 2FA - and to have it implemented like this is insulting; I feel like you made a half-hearted attempt to placate me (and others that want 2FA).  Do it right, folks. Please.
February 9, 20169 yr Staff Hi, Thank you for your feedback. Pulseway currently only supports sending OTP via email at this moment, we have plans for adding support for Google Authenticator in the future too. This is a feature that is very functional and it does add another layer of security. Chris
February 23, 20178 yr Over a year has gone by. Any news on bringing 2FA up to industry standard? Email verification isn't 2FA...
February 23, 20178 yr Administrators Hi, We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming. -Paul
February 23, 20178 yr 8 hours ago, Paul said: Hi, We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming. -Paul  If it is coming, you should also put in there the ability to turn off the timeout for authenticated browsers.  There is nothing more time wasting than your so called 2FA when you have to constantly login again and again.  What's worse?  Having to get a code via email each time. Â
February 24, 20178 yr Administrators We will not be removing the timeout on the webapp for security purposes. We are considering on implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours. -Paul
February 27, 20178 yr On 2/24/2017 at 11:29 PM, Paul said: We will not be removing the timeout on the webapp for security purposes. We are considering on implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours. -Paul  As it stands now, it's off after 15 minutes or so.  I won't use 2FA because this, as it is a royal pain.  I should have the ability to set the timeout.  I know whether my computers are secure or not.  At the moment, you are making that decision for me, but your wrong.
March 1, 20178 yr On 2/23/2017 at 6:43 AM, Paul said: Hi, We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming. -Paul Thanks for the update, Paul. I frequently access my account in a location with poor connectivity for my iPhone - cellular or Wi-Fi. Desktop PCs, which are hardwired, work fine. As such, using an authenticator app, of which there are many options, would greatly minimize the headache. My personal choice is Authy, since it enables backup and sync across devices.
April 15, 20177 yr On 24/02/2017 at 4:29 PM, Paul said: We will not be removing the timeout on the webapp for security purposes. We are considering on implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours. -Paul If the timeout isn't being removed from the webapp, what's the point of this setting (attached) within the RMM? The PSA has an adjustable timeout which arguably will have more sensitive information regarding clients held within.
April 20, 20177 yr Administrators On 4/15/2017 at 10:29 AM, Martin_T said: If the timeout isn't being removed from the webapp, what's the point of this setting (attached) within the RMM? The PSA has an adjustable timeout which arguably will have more sensitive information regarding clients held within. That setting allows you to specify what the timeout you want it to be (within reasonable limits). You will notice that it doesn't allow you to exceed a certain limit. -Paul
April 21, 20177 yr 19 hours ago, Paul said: That setting allows you to specify what the timeout you want it to be (within reasonable limits). You will notice that it doesn't allow you to exceed a certain limit. -Paul That's fine but this limit is 120 minutes (2 hours) but still expires after 10/15 mins.
April 24, 20177 yr Administrators On 4/21/2017 at 2:46 PM, Martin_T said: That's fine but this limit is 120 minutes (2 hours) but still expires after 10/15 mins. That's odd. Can you try again from an incognito browser? It's possible that it's just browser cache. -Paul
March 3, 20196 yr On 2/23/2017 at 6:43 AM, Paul said: Hi, We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming. -Paul Paul, Proper 2FA was "definitely coming" since 2016. You last updated us on its roadmap in 2017. Two years went by. No change whatsoever. Any updates?
March 15, 20196 yr Administrators Hi there, We were forced to push it due to other features / issues that were more pressing. Here's our current roadmap: -Paul
April 24, 20195 yr Staff Hi @cmiller, We are actually working on the 2FA functionality, therefore it will be available into the near future.
June 26, 20195 yr I too am concerned this has not been implemented. This is considered industry standard for proper security around cloud accessible systems. Google 2FA is available on many 'lesser' systems I use and should be on something as important and powerful as an RMM. Please set this as one of the higher priorities in your development plan.
June 26, 20195 yr Administrators Hey everyone, I'm excited to announce that we are working on Push-based and OTP-based 2FA as we speak. This is going to be super-awesome ! -Paul
July 22, 20195 yr Any timeline on implementation... and please don't say "Coming Soon" "near future" or any variation of that because it is obvious at this point the definition of that term to Pulseway varies widely from the rest of the worlds.
July 22, 20195 yr Administrators This 2FA update is coming out in the first week of August. Wohoo ! -Paul
August 3, 20195 yr It is now September. What is the realistic ETA? This is why it should be the TOP priority for development! https://www.crn.com/news/channel-programs/continuum-msp-partner-hit-credentials-stolen-to-deploy-ransomware-to-several-end-customers Two different MSPs, two different RMM tools. Is Pulseway next? I sure as heck hope not. Especially since the agents have to authenticate with MY password! I suppose that in itself of a breach entry point.
August 4, 20195 yr Administrators Hey Kyle, 2FA with support for Mobile App authentication, TOTP and backup codes is coming out in the week that comes. We've pushed it a bit because we wanted to make sure that everything is bug-free and working smoothly from the get-go. PS: We're still in August -Paul
August 4, 20195 yr 5 hours ago, Paul said: Hey Kyle, 2FA with support for Mobile App authentication, TOTP and backup codes is coming out in the week that comes. We've pushed it a bit because we wanted to make sure that everything is bug-free and working smoothly from the get-go. PS: We're still in August -Paul That's great to hear. My bad on the Sep comment. Will it use authy or google authenticator or something else?
August 5, 20195 yr Administrators It will have three authentication methods: Mobile App (Pulseway) where you will see a push notification or when you open the app you will be prompted to approve the authentication request Time-based One Time Passcode (TOTP) will work with Google Authenticator, Authy, 1Password, LastPass, etc Backup codes (hopefully you won't ever need them) You must select one of the first two options (you can have everything enabled too), backup codes will always be enabled if you have 2FA on. -Paul
_a9c1b4.png){kind=logo}
_49ee3f.png){kind=logo}
Create an account or sign in to comment