2 Factor Authentication for Global Site Manager?

  • 18 December 2016
  • 17 replies
  • 269 views

Userlevel 4
Badge +9
Are there plans to add 2 factor authentication to the SecureAnywhere Global Site Manager (GSM)?  Even if it's just a code via SMS or Email, that would suffice.  The secondary password is good, but feels inadequate.

Userlevel 7
Badge +33
Hey @
 
Short answer is yes, there are plans for 2FA through things like SMS/Yubikey etc...
 
John
Nerds On Site
Badge +3
Hi, is there any schedule for 2FA, and is it going to be Google/MS authenticator application compatible?
 
As a new customer this was quite surprising, that the Global Site Manager is behind a "Security Code" instead of proper 2FA.
 
All current systems that I'm administrating are 2FA'd with the MS Authenticator app. These range from cloud to on-prem, O365 to NAS systems to RMMs etc., so for a security product this should be the very top of development priority.
 
Otherwise very happy with the product so far.
Userlevel 1
Badge +1
This has been 2 years and I'm surprised this has still not been implemented. The fact that the secondary password is actually stored in plain text (so you can prove the letters are correct) makes it even more worrying.
Seeing Webroot also posting on their blog 2 years ago at https://www.webroot.com/blog/2017/11/07/two-factor-authentication/ about enabling 2factor is also rather ironic.

Any update on this?
Userlevel 7
Badge +31
Hi all,

Based on the feedback we have received from customers, we are looking to integrate with existing 2FA providers rather than implement our own mechanism.

We are still open to input on this, so please do post away as to what you'd like us to do.


Regards

Jonathan Giffard
Senior Product Manager
Userlevel 1
Badge +1
Thanks Jonathan - I would agree that rolling your own is a waste of your time. As far as I'm concerned, I would not force users down any particular 2FA endpoint - we should be able to use any 2FA authenticator app on the phone whether it's google, duo, microsoft, authy etc - all we would need is the 6 digit otp. Push notification would be a plus in the ease of use but I would not imagine that to be a must have.
There are lots of search results for "add google authenticator code to website" and as this is a standard you wouldn't be tying anyone down to any one particular authenticator app.

I would hope that there are no admins using Webroot who do not have a 2FA app on their phone already for all the other administration tasks they do, so I don't think this is too much of an onerous task - especially for a security company.
Userlevel 1
Badge +1
> Based on the feedback we have received from customers, we are looking to integrate with existing 2FA providers rather than implement our own mechanism.
>
> We are still open to input on this, so please do post away as to what you'd like us to do.

Agreed - it makes no sense producing your own. There are lots of existing 2FA providers out there with straightforward integration options as @helsby mentioned previously.

Please prioritise this issue. It's preventing us selling Webroot into certain companies due to security requirements (MFA everywhere).
Badge +2
I think 2 things should be done. SAML auth should be added for things like Okta, ADFS etc.
Additionally a separate integration should be made for DUO security. As Webroot is big in the MSP community and so is DUO, this seems like a no-brainer.
This will take 5 minutes of development time, why are we even discussing this. This is a security product that doesn't have these features in 2019???? This thread is 2 years old.

Otherwise the product is a great value, a couple of one-off features and changes need to be made.
Badge +1
> Hi all,
>
> Based on the feedback we have received from customers, we are looking to integrate with existing 2FA providers rather than implement our own mechanism.
>
> We are still open to input on this, so please do post away as to what you'd like us to do.
>
> Regards
>
> Jonathan Giffard
> Senior Product Manager

"Post away as to what you'd like us to do."

Um, we've been "posting away" for 5 years that we wanted a 2FA solution. ANY 2FA solution! Now, after 5 years you're asking for feedback? Wow.

So - because EVERYONE knows Webroot has no 2FA, your console is now under attack and thousands of endpoints are being infected with Ransomware because attackers KNEW your login protection was abhorrent.

Webroot should be absolutely ashamed.
Userlevel 1
Badge +8
> "Post away as to what you'd like us to do."
>
> Um, we've been "posting away" for 5 years that we wanted a 2FA solution. ANY 2FA solution! Now, after 5 years you're asking for feedback? Wow.
>
> So - because EVERYONE knows Webroot has no 2FA, your console is now under attack and thousands of endpoints are being infected with Ransomware because attackers KNEW your login protection was abhorrent.
>
> Webroot should be absolutely ashamed.

Um. We got the email last night about them enabling "2FA" on the console. And some of our admin accounts got it enabled and some not.

There is very little information about why they started doing this, but support is tight lipped about why.

Their email explicitly states that some customers have been impacted by threat actors and this is why they are doing it.

You have said the console is under attack and endpoints are being infected. Can you provide any information on this?
Badge +1

> > "Post away as to what you'd like us to do."
> >
> > Um, we've been "posting away" for 5 years that we wanted a 2FA solution. ANY 2FA solution! Now, after 5 years you're asking for feedback? Wow.
> >
> > So - because EVERYONE knows Webroot has no 2FA, your console is now under attack and thousands of endpoints are being infected with Ransomware because attackers KNEW your login protection was abhorrent.
> >
> > Webroot should be absolutely ashamed.
>
> Um. We got the email last night about them enabling "2FA" on the console. And some of our admin accounts got it enabled and some not.
>
> There is very little information about why they started doing this, but support is tight lipped about why.
>
> Their email explicitly states that some customers have been impacted by threat actors and this is why they are doing it.
>
> You have said the console is under attack and endpoints are being infected. Can you provide any information on this?

https://www.reddit.com/r/msp/comments/c2wls0/kaseya_weaponized_to_deliver_sodinokibi_ransomware/
Userlevel 1
Badge +4
Please update this 2FAC with phone service.. this security code is PAINFUL!! 🙂
Badge +1
> Please update this 2FAC with phone service.. this security code is PAINFUL!! :)

Just set it to '123456' and it's easy to remember.
But I totally agree with most posters that this type of '2FA' is worthless. Enforce a strong password rather than something like this. I use a password manager and have a 30 character password, randomly generated. I think that should suffice.
Why 30? Because that's the max length Webroot allows.
Userlevel 1
Badge +4
Smart 123456 ... but yeah this is worthless.
Userlevel 2
Badge +7
Bump
Badge +5
Also, Security code is not 2FA; it's still "Something you know". It's an extra password where you aren't asked the complete password.

Please support FIDO2 WebAuthn; this helps protect against fake portals as it authenticates both ends of the connection as part of the process.
Badge +1
Webroot is now a threat vector due to lack of 2FA.

https://www.secplicity.org/2019/07/08/msps-beware-attackers-targeting-msp-infrastructure-to-install-ransomware/
Badge +1
When will Webroot implement real 2FA? This is of highest priority to feel secure with the Product. Seems like it has been promised over and over for years but still no availability.

Do you have a real scheduled plan for the release of Real 2FA with Google Authenticator and others or are you just "working on it"? (worst answer I can get is "Working on it")
Q1 2020 release date is better but Q4 2019 is preferred :-)

Just solving it for one provider would satisfy me at the moment, better to release it with one public Authenticator like google or Microsoft rather than delay it to implement all possible providers.
