Please implement *real* 2FA ASAP, and remove the "Security Code"

  • 12 July 2019
  • 1 reply

(First, let me say the recent force-on of "security code" for all admins, including those not using it, was not well received by our admin team. It's a truly awful implementation, made worse by being suddenly "there".)
The "security code" is NOT not not 2FA. It is a constant password, created by the user, using a complex/different set of restrictions, and worse it's only a part of that password. But it is still ONLY another static password. Thus, the user is tempted to write it down.

2FA involves a second bit of DYNAMIC and TIMELY info ONLY that user can have, normally obtained via a DIFFERENT channel/path. The security code meets none of these parameters. Any of many well known 2FA apps and/or methods can work well.

We have admins worldwide. By definition, they have online access. However, if you're thinking of requiring something like the Google Authenticator, I need to query our team as to whether they are all able to use it.

I can tell you from experience: it is going to be important to have the ability to DISABLE 2FA, at least temporarily, at least for diagnostic purposes. Requiring 2FA at all times can be a real headache in various recovery and emergency situations.

This topic has been closed for comments

1 reply


In case anyone has not heard the news yet, Webroot now supports 2FA! Please find the below articles for details on how to set that up.


Home users:

Business users: