This is not 2FA


nsdadmin

This is not 2FA... it's bothering you with an email to login to your account. Two-Factor requires any two of these:

  • Something you know (your username & password, check)
  • Something you have (a software/hardware code generator, a Yubikey)
  • Something you are (fingerprint, etc.)

Biometrics are far from perfect, and usually avoided in these situations - I'm just amazed you went through the effort to implement this "2 factor send you an email" when it's simple to implement the time-based solution that is used by Google and others. I've been waiting for a long time for you to add 2FA - and to have it implemented like this is insulting; I feel like you made a half-hearted attempt to placate me (and others that want 2FA).

 

Do it right, folks. Please.

Screenshot from 2016-02-09 08-34-52.png


  • Staff

Hi,

Thank you for your feedback. Pulseway currently only supports sending OTP via email at this moment; we have plans for adding support for Google Authenticator in the future too. This is a feature that is very functional and it does add another layer of security.

Chris


  • 1 year later...
8 hours ago, Paul said:

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

 

If it is coming, you should also put in there the ability to turn off the timeout for authenticated browsers. There is nothing more time-wasting than your so-called 2FA when you have to constantly login again and again. What's worse? Having to get a code via email each time.

 


  • Administrators

We will not be removing the timeout on the webapp for security purposes. We are considering implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours.

-Paul


On 2/24/2017 at 11:29 PM, Paul said:

We will not be removing the timeout on the webapp for security purposes. We are considering implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours.

-Paul

 

As it stands now, it's off after 15 minutes or so. I won't use 2FA because of this, as it is a royal pain. I should have the ability to set the timeout. I know whether my computers are secure or not. At the moment, you are making that decision for me, but you're wrong.


On 2/23/2017 at 6:43 AM, Paul said:

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

Thanks for the update, Paul. I frequently access my account in a location with poor connectivity for my iPhone - cellular or Wi-Fi. Desktop PCs, which are hardwired, work fine. As such, using an authenticator app, of which there are many options, would greatly minimize the headache. My personal choice is Authy, since it enables backup and sync across devices.


  • 1 month later...
On 24/02/2017 at 4:29 PM, Paul said:

We will not be removing the timeout on the webapp for security purposes. We are considering implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours.

-Paul

If the timeout isn't being removed from the webapp, what's the point of this setting (attached) within the RMM?

The PSA has an adjustable timeout which arguably will have more sensitive information regarding clients held within.

whatis.PNG


  • Administrators
On 4/15/2017 at 10:29 AM, Martin_T said:

If the timeout isn't being removed from the webapp, what's the point of this setting (attached) within the RMM?

The PSA has an adjustable timeout which arguably will have more sensitive information regarding clients held within.

whatis.PNG

That setting allows you to specify what you want the timeout to be (within reasonable limits). You will notice that it doesn't allow you to exceed a certain limit.

-Paul


19 hours ago, Paul said:

That setting allows you to specify what you want the timeout to be (within reasonable limits). You will notice that it doesn't allow you to exceed a certain limit.

-Paul

That's fine but this limit is 120 minutes (2 hours) but still expires after 10/15 mins.


  • Administrators
On 4/21/2017 at 2:46 PM, Martin_T said:

That's fine but this limit is 120 minutes (2 hours) but still expires after 10/15 mins.

That's odd. Can you try again from an incognito browser? It's possible that it's just browser cache.

-Paul


  • 1 year later...
On 2/23/2017 at 6:43 AM, Paul said:

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

Paul,

Proper 2FA was "definitely coming" since 2016. You last updated us on its roadmap in 2017. Two years went by. No change whatsoever. Any updates?


  • 2 weeks later...
  • 1 month later...
  • 2 months later...

I too am concerned this has not been implemented. This is considered industry standard for proper security around cloud accessible systems. Google 2FA is available on many 'lesser' systems I use and should be on something as important and powerful as an RMM.

Please set this as one of the higher priorities in your development plan.


  • 4 weeks later...

Any timeline on implementation... and please don't say "Coming Soon", "near future" or any variation of that, because it is obvious at this point the definition of that term to Pulseway varies widely from the rest of the world's.


  • 2 weeks later...

It is now September.  What is the realistic ETA?

This is why it should be the TOP priority for development!

https://www.crn.com/news/channel-programs/continuum-msp-partner-hit-credentials-stolen-to-deploy-ransomware-to-several-end-customers

Two different MSPs, two different RMM tools. Is Pulseway next? I sure as heck hope not.

Especially since the agents have to authenticate with MY password! I suppose that in itself is a breach entry point.


  • Administrators

Hey Kyle,

2FA with support for Mobile App authentication, TOTP and backup codes is coming out in the week that comes. We've pushed it a bit because we wanted to make sure that everything is bug-free and working smoothly from the get-go.

PS: We're still in August :lol:

-Paul


5 hours ago, Paul said:

Hey Kyle,

2FA with support for Mobile App authentication, TOTP and backup codes is coming out in the week that comes. We've pushed it a bit because we wanted to make sure that everything is bug-free and working smoothly from the get-go.

PS: We're still in August :lol:

-Paul

That's great to hear. My bad on the Sep comment. Will it use Authy or Google Authenticator or something else?


  • Administrators

It will have three authentication methods:

  • Mobile App (Pulseway) where you will see a push notification or when you open the app you will be prompted to approve the authentication request
  • Time-based One Time Passcode (TOTP) will work with Google Authenticator, Authy, 1Password, LastPass, etc
  • Backup codes (hopefully you won't ever need them)

You must select one of the first two options (you can have everything enabled too), backup codes will always be enabled if you have 2FA on.

-Paul
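
Added example, not part of the thread and not Pulseway's code: a server-side check for the TOTP and backup-code methods listed above, showing what email OTP lacks (a secret held on the user's device) and two details verifiers need, namely rejecting a replayed time step and making backup codes single-use. The `SecondFactor` class is hypothetical; RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) are assumed.

```python
import base64, hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondFactor:
    """Per-account verifier state (hypothetical class, not Pulseway's code)."""
    STEP = 30  # seconds per time step, the RFC 6238 default

    def __init__(self, secret_b32: str, backup_codes):
        self.key = base64.b32decode(secret_b32)
        self.last_step = -1  # highest time step already accepted
        # Keep only hashes of the backup codes; each one is deleted on use.
        self.backup = {hashlib.sha256(c.encode()).hexdigest() for c in backup_codes}

    def verify_totp(self, code: str, now: float, window: int = 1) -> bool:
        """Accept a code from the current step +/- `window` steps of clock drift."""
        current = int(now) // self.STEP
        for step in range(current - window, current + window + 1):
            if step <= self.last_step:
                continue  # replay: a code from this step or earlier was used
            if hmac.compare_digest(hotp(self.key, step).encode(), code.encode()):
                self.last_step = step
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup:
            self.backup.remove(digest)  # single use
            return True
        return False

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret "12345678901234567890".
    sf = SecondFactor("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", ["constructed-backup-1"])
    print(sf.verify_totp("287082", now=59))  # first use of the step-1 code
    print(sf.verify_totp("287082", now=59))  # same code replayed
    print(sf.verify_backup("constructed-backup-1"))
    print(sf.verify_backup("constructed-backup-1"))
```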
