
Suggestion re: 2FA



Just upgraded to Endpoint Detection and Response, using Nebula platform. Love it a lot, great work guys. Have some concerns about 2-factor authentication -- I'm leery of using an app on a phone, I never heard of those 2FA apps; also, I need to make sure my IT cover person can also log in using the same email address.

Why not just use standard send-a-code-to-phone-or-email 2FA?  Can we please add this?

Another great option would be, in lieu of setting up 2FA at all, have an email Event Notification for LOGINs... That way if I got a notification someone logged onto the Nebula console and it wasn't me, I could jump on and at least change the password? How is it that this Notification is missing in a product that is otherwise incredibly well thought out?

 

Thanks,

 

Ralph


  • Staff

Greetings,

Thank you for the suggestions, I will be sure to pass them on to the Product team for consideration.

With regards to the 2FA app, I would speculate that it may be due to the fact that standard 2FA can be spoofed/hijacked/cracked:

https://www.csoonline.com/article/3272425/11-ways-to-hack-2fa.html
https://blog.malwarebytes.com/cybercrime/2019/01/two-factor-authentication-defeated-spotlight-2fas-latest-challenge/
https://blog.malwarebytes.com/101/2018/09/two-factor-authentication-2fa-secure-seems/

It's possible they are using a dedicated app to defeat man-in-the-middle 2FA attacks and/or some other known method for bypassing/cracking 2FA.  Again, that's just speculation on my part though, so I leave it to any staff members to provide any definitive responses on the subject.

I personally loathe 2FA, but that has more to do with the fact that I don't keep a cell phone on my person at all times and I refuse to use a smartphone (I still own an old flip phone which has no internet access whatsoever because I have my computer for accessing the web and I hate touchscreens). I too like receiving email notifications for any anomalous logins (such as those offered by PayPal, Google, Microsoft etc.) so I too would like to see this feature added, at least in addition to 2FA because it is quite handy for monitoring your account and ensuring you know the devices/places it's being accessed from.
