2FA FAQ for Business
1. What is 2FA?
The National Institute of Standards and Technology (NIST) summarizes Multi-Factor Authentication (MFA), sometimes referred to as two-factor authentication or 2FA, as a security enhancement that allows you to present two pieces of evidence – your credentials – when logging in to an account. Credentials fall into any of these three categories: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). Credentials should come from two different categories to enhance security.
More information is available from https://www.nist.gov/itl/tig/back-basics-multi-factor-authentication.
2. What kind of 2FA is Webroot enabling?
Webroot is implementing a Time-Based One-Time Password (TOTP) solution. This type of 2FA solution generates a passcode which is active for only a short period of time. This passcode is generated from a range of Authenticator Apps that can be downloaded to your mobile device or tablet from either the Google Play or Apple App stores.
3. Why do we have to opt-in and not opt-out?
We encourage all users to opt in to maintain a higher level of security. However, we want to give our users options, especially those who use Webroot for home and personal use. For future releases, Webroot will consider making 2FA opt-in only for its Business customers.
4. Can a Business Admin opt-in its users?
No, a Business Admin cannot opt in a user in the current version. However, they can see who has enabled 2FA from the management console. More information about how to do that is in the Knowledge Base. Webroot is working on a solution that will allow Admins to make 2FA mandatory for all of their users in a future release.
5. Can Business Admins see who has it enabled?
Yes, Business Admins can see who has 2FA enabled and disabled via the Admins tab in the Management Console. More information about how to do that is in the Knowledge Base.
6. Why aren’t there any SMS-based authentication options?
SMS-based two-factor authentication is not as secure as other schemes. NIST advises companies to adopt alternative methods using tokens or software cryptographic authenticators instead.
The attacks on SMS, commonly referred to as "SIM swap" or "SMS intercept," date back nearly ten years.
With this in mind, Webroot evaluated its services and their security options and determined that 2FA via a Time-Based One-Time Password (TOTP) solution offered the best balance of security and user experience.
7. Why did Webroot enable 2FA at this time?
Webroot has evolved its secure login offering from a secondary security code to a full two-factor authentication (2FA) solution. While this has been on our product roadmap for a while, we had a secondary security code in place that was serving as an alternative authentication option. We now are ready to evolve our option and offer a TOTP 2FA solution.
8. Are we aware of the risks of not making it mandatory / why isn’t it mandatory?
Webroot is aware that not enabling an authentication solution comes with risks. We will consider making 2FA mandatory in the future, but for now, we felt it was important to give our users, especially our home users, the choice to opt-in.
9. What if I have enabled 2FA and I do not have my Mobile device or tablet with me?
If your mobile device or tablet has been lost, stolen, forgotten, damaged or upgraded, you will need to click the Lost or stolen device link on the 2FA login page to disable 2FA, and then re-enable 2FA when your mobile device or tablet is available to you again.
More information on how to do this is in the Knowledge Base.
This will require you to enter the answers to your 3 chosen security questions: the 2 that you chose during 2FA setup and the original one that you chose during account creation.
If you have forgotten your original security question answer you can change this at any time from your settings in your management console.
If you need further assistance, please contact Support.
10. Why did I receive an email telling me that 2FA was disabled on my account?
Each time 2FA is disabled on an account, Webroot will send an email to the account holder informing them that this has taken place.
The only times that this should occur are:
- If you have manually disabled 2FA from within your console.
- If your device has been lost, stolen, damaged, etc. and you have disabled 2FA using the recovery flow.
- If you have contacted support and they have disabled 2FA on your account on your behalf.
If none of the above actions have been performed by you, then we recommend you contact Support and they will help you to change your password to protect your account.
11. I enter my passcode generated by my authenticator app and I get a message saying “Invalid Log in code”
The code generated by your authenticator app is time-based: it expires after 30 seconds, at which point a new code is generated. It may be that the code you saw on screen was about to time out before you had a chance to click Log in. You will see a countdown timer (the icon differs depending on the authenticator app you are using) next to the code. Re-try with the current code, making sure that you click Log in before the counter expires and a new code is generated.
12. Why do I have to re-enter my user name and password to disable 2FA from within my console when I am already authenticated and logged in?
For additional security, we ask you to re-authenticate with your user name and password and to confirm this with the 2FA login again, to ensure that it is you disabling 2FA. This prevents anyone else who may have access to your console from disabling 2FA without your knowledge.