Accepted/In Progress

Add Google Authenticator two-factor authentication to Webroot SecureAnywhere business console login

  • 2 November 2016
  • 42 replies
  • 9618 views


Userlevel 1
Badge +1
@BruceR @akim

Thanks for following this up, much appreciated - any update or an ETA for the feature?
Badge
If you weren't aware, bad actors are trying to break into webroot security console accounts and then distributing malware to endpoints, possibly utilizing the download and run a file features. MFA would prevent these attacks which are probably taking advantage of reused (previously compromised) or dumb passwords by the users.

WebRoot, in your own community, you've been saying for 5 years that you're working on MFA. You even had a blog post a year or two ago saying that everyone should be using MFA, but... WebRoot still doesn't have it, just some corny 2nd password. Please let us know if this is something you'll be doing now that your lack of MFA is a contributor to some bad days being had by your customers.
Userlevel 1
Badge
As an MSP we use 2FA DUO Security (MSP license) for ourselves and all our customers; DUO is widely used among Managed Service Providers. It would be very handy if DUO push were supported.
Userlevel 1
Badge +1
Since there was some kind of security issue, Webroot is now forcing the use of 2FA on the dashboard for all accounts. However, 2FA is their own method using the x character question.

Too bad Google Authenticator isn't implemented yet, when all customers are being forced to use Webroot's own 2FA method.

Webroot really missed the boat here... 😞
Badge
Like many others, I received the email from Webroot earlier regarding safeguards being taken due to active attacks on the platform. I logged into my account eager to set up second factor authentication only to find that there wasn't an option. Then I came across this thread. How disappointed I was in finding that a company centered on computer security has ignored long and repeated requests for second factor authentication. It's sad to think that I have second factor auth turned on for services that require less security than a service centered on computer security.

Let it be clearly known that second factor authentication is not a second password, that's one password with a little higher entropy. This is basic security 101. Sending out an email to everyone telling them that second factor is now turned on when it's not actually that is very poor form and not how security training should happen because some people may not understand the difference then in turn learn improper security, further putting environments at risk. The security, incident response, and development teams at Webroot need to examine very closely and take note - my confidence in Webroot has been downgraded.
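
An added example (not part of any post in this thread, and not Webroot's code) of the distinction drawn above: a static security code challenged by character position stays valid forever for anyone who has learned it, while an RFC 6238 time-based code, the kind Google Authenticator generates, expires. The position-based challenge format and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from the thread.
STATIC_CODE = "K7Q2ZD"                 # hypothetical static "security code"
TOTP_SECRET = b"12345678901234567890"  # SHA-1 test key from RFC 6238 Appendix B


def static_challenge_ok(positions, answer, code=STATIC_CODE):
    """Assumed challenge format: 'enter characters N and M of your code' (1-indexed)."""
    expected = "".join(code[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with a 30-second step and 6 digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_ok(secret, submitted, now, window=1, step=30):
    """Accept the current time step and +/- `window` steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + i * step, step), submitted)
        for i in range(-window, window + 1)
        if now + i * step >= 0
    )


if __name__ == "__main__":
    # Whoever knows the static code can answer every future challenge.
    leaked = STATIC_CODE
    for positions in [(1, 4), (2, 6), (3, 5)]:
        answer = "".join(leaked[p - 1] for p in positions)
        print("static", positions, static_challenge_ok(positions, answer))

    # A TOTP code observed at t=59 is rejected once its window has passed.
    seen = totp(TOTP_SECRET, 59)
    for t in (59, 89, 179):
        print("totp  t=%d" % t, totp_ok(TOTP_SECRET, seen, t))
```
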
Userlevel 1
Badge +1
And even if you have turned on the '2FA' for the dashboard, there is a link there to reset the 2FA code. You get an e-mail to reset the code.

So this implementation of 2FA is useless if someone has access to your e-mail address.
Userlevel 1
Badge +1
I logged into my account eager to setup second factor authentication only to find that there wasn't an option.


You can enable '2FA' by editing your user account on the dashboard. There you have the option to enable 'Use Security Code during log in'. This is the so-called '2FA' method of Webroot...
Userlevel 4
Badge +8
I understand your comments and will be watching this thread closely. Appreciate the input and discussion. As per my previous post we are working hard on implementing a new 2FA solution. Please keep watching this thread for updates. Thank you
Userlevel 1
Badge +1
With all due respect, your current implementation isn't a real 2FA. Real 2FA uses a different device for the security code. For a company that's in the security business I simply can't understand why they haven't implemented a solid 2FA implementation yet. Especially since you are now forcing all customers to use it due to the latest events. More than 2 years ago you mentioned you were working on it, but it's still not there.
Badge
Imagine being a security company that doesn't understand security and takes 2 years to not even get 2FA out of a roadmap.
Badge +1
2 years later and still nothing... this makes one re-evaluate things. Also, since the Carbonite thing, really makes me question whether I want to continue using and supporting a company that doesn't take security seriously, as they should be...
Userlevel 1
Badge +6
Webroot, you've had years to implement this. Don't lie to your community, there is no reason this has taken this long and you need to really, actually, look into implementing this. You are a security company, right?
It's pathetic when a company asks you to make a feature request for something that's their legal responsibility. That's why I'm filing a complaint with the Attorney General.
Badge +1
https://www.secplicity.org/2019/07/08/msps-beware-attackers-targeting-msp-infrastructure-to-install-ransomware/

Specifically targeting the WebRoot console. BECAUSE THERE'S NO BLOODY 2FA
Userlevel 1
Badge
https://www.secplicity.org/2019/07/08/msps-beware-attackers-targeting-msp-infrastructure-to-install-ransomware/
Specifically targeting the WebRoot console. BECAUSE THERE'S NO BLOODY 2FA


This really scares me! Please, Webroot, give us a timeframe when we can expect suitable 2FA. The second password layer is not enough.

Also let us limit login from demographic, IP, etc. And get us users warned with email and/or SMS when there are suspicious login attempts.
Userlevel 6
Badge +24
2 years later and still nothing... this makes one re-evaluate things. Also, since the Carbonite thing, really makes me question whether I want to continue using and supporting a company that doesn't take security seriously, as they should be...

Not two years. I've been administering the GSM for four years now, and the original feature requests are five years old.

Bruce, we've all heard the "working on it" and other similar statements that can be made under NDA. Really, my trust in Webroot to provide this ability has eroded to the point of "I'll believe it when I see it, and not before". I'm setting a timeline within our MSP; if I don't see it by Q1 of 2020, I'm going to get us started on the process of evaluating and switching.
Badge +1
I'm setting a timeline within our MSP; if I don't see it by Q1 of 2020, I'm going to get us started on the process of evaluating and switching.


We've already had to begin that process.
Webroot now has to be considered a threat to security.
