Raynor

My Emsisoft: 2FA


Quick Question:

I just had a look around the "My Emsisoft" account settings and stumbled
across the new option "Enable two-factor authentication" (see attached screenshot).

I was wondering: What's the second factor? How is this supposed to work exactly?
I would perhaps like to enable it, but I wouldn't want to risk locking myself out if things go wrong...

Thanks!


Ha! Thought so, thanks :)

Suggestion: why not add this little bit of info to the explanatory text,
that might save other users from having the same question/confusion.


Just a follow up - we are in the process of installing the cloud console and there will be more than one person accessing the details. I like 2FA but if this is via email it assumes that everyone has access to that email account. At the moment I would have to ask my colleague to call me and to provide the code to him over the phone. Is there any option to use Google Authenticator instead of email? I also can't see where I could potentially turn off the feature.

Cheers

56 minutes ago, Eddie said:

Is there any option to use Google Authenticator instead of email?

At the moment we don't have that option. It's possible it may be added in the future, as it would certainly be ideal to have more than one method for better flexibility.

 

59 minutes ago, Eddie said:

I also can't see where I could potentially turn off the feature.

That option was removed. There are too many bots attempting automated logins with stolen credentials, and too many people who still reuse the same login information on multiple websites. Since we expect most people would simply turn off Two-Factor Authentication and open their accounts for compromise, we decided to remove it from the settings to prevent this from happening.

You may want to consider having each member of your team who needs access to your workspace in MyEmsisoft create an account, and then inviting those accounts to the workspace where you can manage them (in the settings for the workspace):
https://help.emsisoft.com/en/2323/emsisoft-cloud-console-user-guide/#inviteusers

If it's absolutely imperative to turn off Two-Factor Authentication, then please send our support team an e-mail from the e-mail address associated with the account that needs Two-Factor Authentication disabled, and be sure to let them know why. Keep in mind though that we normally only do this when someone can't log in to their account at all.


GT, thanks for that. I am sure we will be all right and there is no need to go through support in this case. I will have a look at the options to set up additional users with their own login - it will only be two, so either way I can live with it. Just wondered about Google Authenticator - I was initially sceptical about that but now find it very easy to use and so far very reliable.

10 minutes ago, Eddie said:

Just wondered about Google Authenticator - I was initially sceptical about that but now find it very easy to use and so far very reliable.

That's understandable. Hopefully it, and other authenticator apps, are something we can add support for soon.


Some banks use phone numbers to send an SMS code to... and they tend to provide a choice of numbers - typically "home", "work" & "mobile" - though they can be anything and their three labels are irrelevant.  But at least there's some resilience if, say, one phone network is unavailable.  How difficult would it be for the Emsisoft code to support use of an alternate pre-defined email address? After all, email is not by any means 100% reliable. 

Also, do Emsisoft have any monitored checking that their email-sending code (or the providers they use) is still working?  What happens if the SMTP server they use ends up on a blacklist?   

15 hours ago, JeremyNicoll said:

Some banks use phone numbers to send an SMS code to...

As do PayPal and a few other services. Unfortunately this is not an ideal method of 2FA, since SIM swapping would allow someone else to receive your 2FA code on their phone rather than your own, and it's generally preferred that it not be the primary 2FA option offered by online services.

 

15 hours ago, JeremyNicoll said:

How difficult would it be for the Emsisoft code to support use of an alternate pre-defined email address?

I'm not certain how difficult the implementation would be. All I know for certain is that other means of 2FA are on the table, and it's possible you may see them in the future.

 

15 hours ago, JeremyNicoll said:

Also, do Emsisoft have any monitored checking that their email-sending code (or the providers they use) is still working?  What happens if the SMTP server they use ends up on a blacklist?

Right now if someone isn't receiving their 2FA code when trying to log in, the best course of action is to try to contact us via our live chat on help.emsisoft.com, or via private message here on the forums, as these methods of communicating with our support staff still work even when someone can't receive our e-mails.


>> Some banks use phone numbers to send an SMS code to...

> As does PayPal and a few other services. Unfortunately this is not an ideal method of 2FA, since sim-swapping would allow someone else to receive your 2FA code on their phone rather than your own...

I see some (most?) modern phones have SIM drawers readily accessible from the outside of the phone ... which would make that quite a risk. In mine, you'd have to take off an outer cover, then prise the back off the phone, then take out the battery, then the SIM. It's a whole lot less likely to happen. I expect one would be more likely to have one's phone stolen... and then the email option is no more secure.

7 hours ago, JeremyNicoll said:

I see some (most?) modern phones have SIM drawers readily accessible from the outside of the phone ... which would make that quite a risk.

SIM swapping isn't actually a physical attack/theft. It's sort of like a form of identity theft (or at least that's usually the end result), where someone convinces your mobile phone service provider that they're you, and requests a new SIM card in your name. They then insert the new SIM card into their own phone, and take over your phone service, allowing them access to any 2FA codes sent to you via SMS (as well as any new calls or SMS/MMS messages you would have received, and your voicemail).
https://krebsonsecurity.com/2018/08/hanging-up-on-mobile-in-the-name-of-security/
https://krebsonsecurity.com/2018/11/busting-sim-swappers-and-sim-swap-myths/
https://krebsonsecurity.com/2019/08/who-owns-your-wireless-service-crooks-do/

My understanding is that in cases like this, it can be difficult to convince the service provider that they've made a mistake, and sometimes even more difficult to convince companies that the criminal did business with under your name that it was a case of fraud/identity theft.
