Please implement *real* 2FA ASAP, and remove the "Security Code"

  • 12 July 2019
  • 0 replies
  • 98 views

(First, let me say the recent force-on of "security code" for all admins, including those not using it, was not well received by our admin team. It's a truly awful implementation, made worse by being suddenly "there".)
The "security code" is NOT not not 2FA. It is a constant password, created by the user, using a complex/different set of restrictions, and worse it's only a part of that password. But it is still ONLY another static password. Thus, the user is tempted to write it down.

2FA involves a second bit of DYNAMIC and TIMELY info ONLY that user can have, normally obtained via a DIFFERENT channel/path. The security code meets none of these parameters. Any of many well known 2FA apps and/or methods can work well.

We have admins worldwide. By definition, they have online access. However, if you're thinking of requiring something like the Google Authenticator, I need to query our team as to whether they are all able to use it.

I can tell you from experience: it is going to be important to have the ability to DISABLE 2FA, at least temporarily, at least for diagnostic purposes. Requiring 2FA at all times can be a real headache in various recovery and emergency situations.
