nsdadmin

This is not 2FA


This is not 2FA... it's bothering you with an email to login to your account. Two-Factor requires any two of these:

  • Something you know (your username & password, check)
  • Something you have (a software/hardware code generator, a Yubikey)
  • Something you are (fingerprint, etc.)

Biometrics are far from perfect, and usually avoided in these situations - I'm just amazed you went through the effort to implement this "2 factor send you an email" when it's simple to implement the time-based solution that is used by Google and others. I've been waiting for a long time for you to add 2FA - and to have it implemented like this is insulting; I feel like you made a half-hearted attempt to placate me (and others that want 2FA).

 

Do it right, folks. Please.

Screenshot from 2016-02-09 08-34-52.png


Hi,

Thank you for your feedback. Pulseway currently only supports sending OTP via email at this moment; we have plans for adding support for Google Authenticator in the future too. This is a feature that is very functional and it does add another layer of security.

Chris

8 hours ago, Paul said:

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

 

If it is coming, you should also put in there the ability to turn off the timeout for authenticated browsers. There is nothing more time-wasting than your so-called 2FA when you have to constantly login again and again. What's worse? Having to get a code via email each time.

 


We will not be removing the timeout on the webapp for security purposes. We are considering implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours.

-Paul

On 2/24/2017 at 11:29 PM, Paul said:

We will not be removing the timeout on the webapp for security purposes. We are considering implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours.

-Paul

 

As it stands now, it's off after 15 minutes or so. I won't use 2FA because of this, as it is a royal pain. I should have the ability to set the timeout. I know whether my computers are secure or not. At the moment, you are making that decision for me, but you're wrong.

On 2/23/2017 at 6:43 AM, Paul said:

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

Thanks for the update, Paul. I frequently access my account in a location with poor connectivity for my iPhone - cellular or Wi-Fi. Desktop PCs, which are hardwired, work fine. As such, using an authenticator app, of which there are many options, would greatly minimize the headache. My personal choice is Authy, since it enables backup and sync across devices.

On 24/02/2017 at 4:29 PM, Paul said:

We will not be removing the timeout on the webapp for security purposes. We are considering implementing a way to gradually slow down the refresh timer to a point where it stops and asks if you're still around but not logging you out only after a couple of hours.

-Paul

If the timeout isn't being removed from the webapp, what's the point of this setting (attached) within the RMM?

The PSA has an adjustable timeout which arguably will have more sensitive information regarding clients held within.

whatis.PNG

On 4/15/2017 at 10:29 AM, Martin_T said:

If the timeout isn't being removed from the webapp, what's the point of this setting (attached) within the RMM?

The PSA has an adjustable timeout which arguably will have more sensitive information regarding clients held within.

whatis.PNG

That setting allows you to specify what you want the timeout to be (within reasonable limits). You will notice that it doesn't allow you to exceed a certain limit.

-Paul

19 hours ago, Paul said:

That setting allows you to specify what you want the timeout to be (within reasonable limits). You will notice that it doesn't allow you to exceed a certain limit.

-Paul

That's fine but this limit is 120 minutes (2 hours) but still expires after 10/15 mins.

On 4/21/2017 at 2:46 PM, Martin_T said:

That's fine but this limit is 120 minutes (2 hours) but still expires after 10/15 mins.

That's odd. Can you try again from an incognito browser? It's possible that it's just browser cache.

-Paul

On 2/23/2017 at 6:43 AM, Paul said:

Hi,

We actually have this scheduled for the end of Q1 beginning of Q2 so we can say that this is definitely coming.

-Paul

Paul,

Proper 2FA was "definitely coming" since 2016. You last updated us on its roadmap in 2017. Two years went by. No change whatsoever. Any updates?


Hi there,

We were forced to push it due to other features / issues that were more pressing. Here's our current roadmap:

-Paul


I too am concerned this has not been implemented. This is considered industry standard for proper security around cloud accessible systems. Google 2FA is available on many 'lesser' systems I use and should be on something as important and powerful as an RMM.

Please set this as one of the higher priorities in your development plan.


Hey everyone,

I'm excited to announce that we are working on Push-based and OTP-based 2FA as we speak. This is going to be super-awesome :lol:!

-Paul

