Under Review

Add two-factor authentication to Webroot SecureAnywhere console login


Userlevel 7
Note this is mostly a copy of my business idea, which I submitted over a year ago.
However, with my purchase of WSA Complete with its cloud storage/syncing feature I've become more concerned about security. The way it currently is I do not plan to use it for sensitive data, which I already entrust to another provider with a long track record.
 
Please integrate 2-factor authentication into Webroot SecureAnywhere online console for home and business users. Most people are familiar with this as an RSA dongle, a phone app that gives you one-time passwords, a phone app that supports push (like Duo Security) or something like the WoW Authenticator. The security lies in that logging in requires something you know (your password) and something you must HAVE (a physical thingy).
 
Companies require no client-side investment. You can
  • use existing phone apps with TOTP
  • SMS with code
  • Call a phone number and have user press a key 
  • Retail dongles like YubiKey. Customer can buy their own dongles, Webroot doesn't need to provide or sell them. Webroot's password toolbar service is actually a rebranded LastPass service, which already supports the YubiKey. Part of your product is already two-factor enabled.
And your cloud storage/syncing competitors already support it as well. 
 
As a security company constantly blogging about stolen credentials and leading the way in protecting against browser manipulation, Webroot should be pushing hard for 2-factor authentication. The security code is a nice and effective touch, but it's not a complete solution, which I've explained on the business forum discussion.
 
Consumers are entrusting you with ongoing, remote access to their most sensitive data. I'm sure you already have it implemented for your employees accessing the backend support system; this should be an easy win. You will need to redesign the authentication flow in the WSA agent a bit, yes.
 
You even tweeted about how important it is.
https://twitter.com/Webroot/status/393796055298736128
 

17 replies

Userlevel 7
Hi explanoiit
 
Whilst I agree with you in principle that it is always a good thing to increase the level of security, I suspect that in the consumer product two-factor authentication would be seen by the normal user and/or prospective normal users as somewhat excessive/interfering with usability.
 
Now whilst you and a number of the more security-conscious users in the Community understand the benefits, I suspect that most will see any such addition as a negative...unfortunately.  Not sure if it would be possible to introduce such a feature as optional at user discretion, i.e., you can use it if you want to or not.
 
If that additional aspect of the feature can be included then I think it will fly...otherwise not.
 
Baldrick
Userlevel 7
Hi Baldrick,
Yes, it would be completely up to the user to select and enable it. This is mostly to see if there's been any movement on this, and to let the home users take a look at the idea.
Userlevel 7
Well, I do like the idea of having the option of using such a system...should I need to..hence my endorsement of your feature idea.
 
😉
Userlevel 7
This one is in the works - not sure on the timeline, but we're working on it.
That's great to hear! How good it is that Webroot remains open to users' ideas and suggestions 😉
Userlevel 7
Yeah, I'm happy that user feedback and suggestion systems are becoming more mainstream, and that we're on the cutting edge of this.  Speaking of two-factor, I was happy to find out that my new credit union here in Colorado uses it for logging in.  If you are logging in from a non-approved computer it won't let you in without a texted or emailed code to confirm.
Userlevel 7
Excellent news Nic...as Mike has already commented "Webroot remains open to users' ideas and suggestions" and that the Ideas Exchange process works. :D
+1 for the Yubikey as a TFA option, especially since you already use LP rebranded for your use.
Hi! 
 
 
Now you are able to log in by a phone number, but I am afraid that this is NOT 2FA, still ...
TWO YEARS later...and still no 2FA?! Where is the progress on this?? An attacker could COMPLETELY destroy my infrastructure from the Web Console, and you're not doing more to secure it?!
Userlevel 7
I do not see how an attacker would get through without the proper credentials, so as long as you keep them safe you should be OK...I do however agree that the option for 2FA would be a good thing but the lack of it is hardly as disastrous as you are making out...in my humble opinion. 
Userlevel 7
It has been two years, this is an incredible failure to implement a basic security control. This is not worthy of a security company. Please provide me a timeline.
I would not go as far as saying it is not worthy of a security company because they have other security controls (Personal Security Control), but it is a concern to not have MFA for a cloud application that could be accessed from anywhere around the world.
Userlevel 6
Google Authenticator becomes more used by the day.  Webroot itself recommends 2FA for security.  Respectfully, this is a long time for an idea to stay in the implementation stage.
Userlevel 7
Thanks @ for refreshing the thread. We are working towards replacing our web portal security code feature with a better 2FA security mechanism. I would estimate being able to introduce an update early next year.
Although I didn't get a chance to update this thread, this has been one of the items that sits high on our list. We completely understand the concern.
 
Thanks
Pawani
 
Userlevel 1
Can we PLEASE have 2FA on the console? Having a second password is annoying, when I could just use Authy or Duo or even a text. A second password is NOT true 2FA.
 
Every one of my MSP tools has 2FA. Except Webroot's console. Pretty please, fix this?
We need this for Webroot SecureAnywhere GSM Console BADLY!  MSP level security that MUST be in place for a security company!!!
 
We use 3rd party RMM integration which we would gladly switch to any vendor who ticks the correct security boxes.  On the whole, we LOVE Webroot, but this is a serious lapse in our opinion (never mind the inherent limited security that SMS and OTP based 2FA provide, but also consider UFA for the real deal).
 
The Webroot GSM provides quick, global remote command line execution capabilities!!! This is a big deal!  Please complete your implementation ASAP!
