nobody961  
#1 Posted : Saturday, January 17, 2015 11:20:42 AM(UTC)
nobody961


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 3/14/2014(UTC)
Posts: 124
Germany

Thanks: 3 times
Was thanked: 10 time(s) in 8 post(s)
I have set up SC with additional authentication using a 6-digit PIN which is sent by mail to my email address.
Yesterday I updated to SC 5.1.8208.5485, today to 5.1.8244.5494.

With both versions I cannot log in to SC any more. Tried Mac Safari 5.1.x, IE11 with and without compatibility view, Firefox 3X versions.
Always the same message after the successful first login when entering the PIN: login was not successful, please try again.

When I go into the administration and edit a user, the column regarding the additional authentication is missing!

Lucky me that I added an emergency admin, which does not use a second authentication for login, when I first installed the software, so I am still able to log in and do not have to revert to the latest backup.

Is there anything I can do, or what has probably changed in SC 5.1 vs 5.0, to make two-factor authentication work again?

TIA.

Edit: I re-enabled the missing column, but, as I already expected, that did not re-enable login.

Edited by user Sunday, January 18, 2015 11:32:44 AM(UTC)  | Reason: Not specified

Scott  
#2 Posted : Monday, January 19, 2015 2:54:15 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,862
United States

Thanks: 3 times
Was thanked: 351 time(s) in 303 post(s)
I just replicated the problem you're describing and I have registered it as a defect. I don't have an ETA on when the development team will be able to implement a fix, but it is a very high priority issue so keep an eye on the output stream.
ScreenConnect Team
nobody961  
#3 Posted : Tuesday, January 27, 2015 11:47:01 PM(UTC)
Originally Posted by: Scott
I just replicated the problem you're describing and I have registered it as a defect. I don't have an ETA on when the development team will be able to implement a fix, but it is a very high priority issue so keep an eye on the output stream.


You just released a "stable" ScreenConnect 5.1 which still includes this major (?) bug?

For me the two-factor authentication is a very important feature: if you sit in front of an unknown PC, you never know if forms autofill or password save is on, or if a virus is listening to your keystrokes. Therefore it makes me nervous that I currently have to use the software without the additional security. I thought if a stable release is available this will include the two-factor authentication.

If there is no real timeframe that this problem will be resolved in the next weeks, I have to revert to SC 5.0.

Edited by user Tuesday, January 27, 2015 11:51:08 PM(UTC)  | Reason: Not specified

Paul Moore  
#4 Posted : Tuesday, January 27, 2015 11:51:00 PM(UTC)
Paul Moore


Rank: Advanced Member

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 9/16/2011(UTC)
Posts: 334

Thanks: 5 times
Was thanked: 70 time(s) in 44 post(s)
Just an FYI.

An OTP via email isn't 2FA... but two-step verification.

You're better off using Google auth/yubikey.
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
nobody961  
#5 Posted : Tuesday, January 27, 2015 11:58:52 PM(UTC)
Originally Posted by: Paul Moore
Just an FYI.

An OTP via email isn't 2FA... but two-step verification.

You're better off using Google auth/yubikey.


I don't see a big difference between holding a mobile phone which receives a mail with a 5-digit number and a YubiKey. The important thing here is that I have to enter a password which is of no value to an observer - I don't see a reason that login is more secure using a YubiKey. Using a USB device also seems not the right choice in case you are in a location where no USB is available, or not supported on the machine you use.
Paul Moore  
#6 Posted : Wednesday, January 28, 2015 12:04:10 AM(UTC)
2FA is a requirement to have a second factor, typically something you know & have.

An OTP by email is not a second factor, as each step is dependent on each other.

From a security standpoint, they're poles apart.
nobody961  
#7 Posted : Wednesday, January 28, 2015 12:28:33 AM(UTC)
Originally Posted by: Paul Moore
2FA is a requirement to have a second factor, typically something you know & have.

An OTP by email is not a second factor, as each step is dependent on each other.

From a security standpoint, they're poles apart.


If you think this way, fine, but for me a mobile phone is a second factor; I don't see the difference, and email fits me better, plus the security is the same:
Mail system, ScreenConnect, and mobile phone are all under my control and secured from end to end.
I agree that it is possible my email account is hijacked by someone, but then this someone most likely has to be inside my own company - not very likely.

What will you do with the YubiKey if you want to support someone and hold some kind of Windows Mobile or an old BlackBerry or Android tablet/phone, or a kind of locked-down PC?
You will have to revert to a rescue account which only uses username + password for authentication.
Therefore I like to have something which will be usable in any environment.
Paul Moore  
#8 Posted : Wednesday, January 28, 2015 12:40:13 AM(UTC)
Sure, I'm not suggesting you should use something which doesn't fit your threat model... but it's important to distinguish between 2 factors and 2 steps.

It's not my interpretation, it's as outlined by NIST.

See:
https://ramblingrant.co....two-step-authentication/ or the white paper on "electronic authentication guidelines" section 6.1.3/4

Cheers
nobody961  
#9 Posted : Wednesday, January 28, 2015 1:00:29 AM(UTC)
Originally Posted by: Paul Moore
Sure, I'm not suggesting you should use something which doesn't fit your threat model... but it's important to distinguish between 2 factors and 2 steps.

It's not my interpretation, it's as outlined by NIST.

See:
https://ramblingrant.co....two-step-authentication/ or the white paper on "electronic authentication guidelines" section 6.1.3/4

Cheers


Cheers too...
The example in the website you cite is regarding SMS or simple email.
Agreed to the link in your post, but the details are important - my phone is not like any phone; I have to elaborate in a little more detail:
I use a BlackBerry phone which is tied to my BlackBerry Enterprise Server, which runs in the perimeter of the ScreenConnect server and my mail server behind a firewall.
The BlackBerry phone is married to the server. Only the server is authenticated to feed emails to the BlackBerry. Both authenticate against each other using a certificate. The communication is secured and authenticated between server and BlackBerry. So, I see the BlackBerry device itself as a second factor.
Would that fit better as two-factor authentication?
Paul Moore  
#10 Posted : Wednesday, January 28, 2015 1:13:19 AM(UTC)
Still no ;)

If I asked you for the OTP first, then your password... you couldn't provide it. That proves they're inextricably linked and that you technically don't "have" (possession being the second factor) the OTP.

As per NIST, if you have to supply a factor (password) to obtain a second (OTP), that's multi-step authentication, not multi-factor.

The fact your devices are dependent on each other means you have a strong 2SV deployment but not 2FA.

Either way, this needs fixing :)
ScreenConnect Reporting - Collects live & historical information including session times.
http://goo.gl/nrF3e9
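
The distinction drawn in post #10, as an added example that is not part of the thread and is not ScreenConnect's code: a TOTP code (RFC 6238, the scheme authenticator apps use) is computed on the device from a shared secret and the clock, so it can be produced before any password is entered, while an emailed code only comes into existence once the password step has succeeded. The `EmailOtpLogin` class, its toy SHA-256 password check and the sample password are assumptions made for the demo; the secret is the RFC test value.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP keyed on the current time step. Needs only secret + clock."""
    return hotp(secret, unix_time // step, digits)


class EmailOtpLogin:
    """Hypothetical two-step flow: a code exists only after the password passes."""

    def __init__(self, password: str):
        # Toy unsalted hash for the demo only; real systems use a password KDF.
        self._pw = hashlib.sha256(password.encode()).digest()
        self.pending = None  # no code until step 1 succeeds
        self.outbox = []     # stands in for the email/SMS channel

    def step1(self, password: str) -> bool:
        ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self._pw)
        if ok:
            self.pending = f"{secrets.randbelow(10 ** 6):06d}"
            self.outbox.append(self.pending)
        return ok

    def step2(self, code: str) -> bool:
        ok = self.pending is not None and hmac.compare_digest(code, self.pending)
        self.pending = None  # single use: a wrong guess also burns the code
        return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print("TOTP with no password entered:", totp(secret, 59))
    flow = EmailOtpLogin("constructed-demo-password")
    print("Email codes before password:", flow.outbox)
    flow.step1("constructed-demo-password")
    print("Email codes after password:", len(flow.outbox))
```
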
nobody961  
#11 Posted : Wednesday, January 28, 2015 1:17:04 AM(UTC)
Originally Posted by: Paul Moore
Still no ;)

If I asked you for the OTP first, then your password... you couldn't provide it. That proves they're inextricably linked and that you technically don't "have" (possession being the second factor) the OTP.

As per NIST, if you have to supply a factor (password) to obtain a second (OTP), that's multi-step authentication, not multi-factor.

The fact your devices are dependent on each other means you have a strong 2SV deployment but not 2FA.

Either way, this needs fixing :)


I surrender for the moment. I have to get some sleep for tomorrow.
Have a nice day, however!


kaplancomputers  
#12 Posted : Wednesday, January 28, 2015 3:54:49 PM(UTC)
kaplancomputers


Rank: Newbie

Joined: 1/28/2015(UTC)
Posts: 1
United States
Location: Raynham

Need help too!!!

I just upgraded to the 5.1 Stable release. Now I cannot log in! I use 2-step authentication and it will not accept the 6-digit code I receive by text message to log in. When will this be fixed? This bug was released in a stable build!!!
Scott  
#13 Posted : Wednesday, January 28, 2015 6:25:19 PM(UTC)
I'm sorry about the problem, but we have just posted another 5.1 build with a fix for the TFA issue.
ScreenConnect Team
nobody961  
#14 Posted : Thursday, January 29, 2015 10:47:47 PM(UTC)
Great. I can confirm, multi-step authentication works again!