  1. #1
    Master Untangler
    Join Date
    Jul 2010
    Posts
    278

    Untangle Command Center 2FA

    Is there any insight that Untangle is going to set up some kind of 2FA on the untangle.com/CMD portal?

  3. #3
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,038


    I'm going to be the pedant and point out that email-based MFA and SMS-based MFA are NOT MFA and are largely useless from a security perspective.

    TOTP or go home...
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Master Untangler
    Join Date
    Jul 2010
    Posts
    278


    Quote Originally Posted by sky-knight View Post
    I'm going to be the pedant and point out that email-based MFA and SMS-based MFA are NOT MFA and are largely useless from a security perspective.

    TOTP or go home...
    How do you figure? Explain.

  5. #5
    Master Untangler
    Join Date
    Jul 2010
    Posts
    278


    That's neat: enabled 2FA, logged out like the instructions say! Poof, not able to log in any more...

  6. #6
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,038


    Quote Originally Posted by dashpuppy View Post
    How do you figure? Explain.
    Well, email is bad because it's also remotely accessible, and because humans are stupid and prone to habits, it's trivial to assume the mailbox in question has been compromised long before the attacker attempts to access the cloud service. Now, if you're me and you use a 2FA-protected mail service, then I suppose this isn't nearly as bad, and presumably everyone that has a brain has done this already... but it's still a weakness in depth.

    SMS-based auth is better than nothing, because it steps outside the usual human norms of passwords. But all you have to do is spoof a SIM card to get someone's texts; this process is hilariously easy to do because all you have to do is talk a minimum-wage counter clerk out of a SIM card with relatively minimal risk and effort. This attack vector has been demonstrated to the tune of millions of dollars in losses. This is a problem because many services will utilize SMS-based processes for password recovery. But it is a more targeted assault that is vastly less likely in general. So I consider it a half auth, as opposed to a 2nd.

    Untangle as a security vendor knows this, and they should know better. Again, generic TOTP support at a minimum please. Bitwarden all the things! Duo the Bitwarden!
    Last edited by sky-knight; 01-07-2020 at 11:57 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Master Untangler
    Join Date
    Jul 2010
    Posts
    278


    Quote Originally Posted by sky-knight View Post
    Well, email is bad because it's also remotely accessible, and because humans are stupid and prone to habits, it's trivial to assume the mailbox in question has been compromised long before the attacker attempts to access the cloud service. Now, if you're me and you use a 2FA-protected mail service, then I suppose this isn't nearly as bad, and presumably everyone that has a brain has done this already... but it's still a weakness in depth.

    SMS-based auth is better than nothing, because it steps outside the usual human norms of passwords. But all you have to do is spoof a SIM card to get someone's texts; this process is hilariously easy to do because all you have to do is talk a minimum-wage counter clerk out of a SIM card with relatively minimal risk and effort. This attack vector has been demonstrated to the tune of millions of dollars in losses. This is a problem because many services will utilize SMS-based processes for password recovery. But it is a more targeted assault that is vastly less likely in general. So I consider it a half auth, as opposed to a 2nd.

    Untangle as a security vendor knows this, and they should know better. Again, generic TOTP support at a minimum please. Bitwarden all the things! Duo the Bitwarden!

    The email for 2FA, totally understand. But the SMS, no way.

    Enabling 2FA on my account has now locked me out, and I'm not getting any texts or anything...

  8. #8
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,654


    Tell us more about what you are seeing / where you are at... You should have gotten an email?

    You can also contact support.
    If you think I got Grumpy

  9. #9
    Master Untangler
    Join Date
    Jul 2010
    Posts
    278


    Quote Originally Posted by Jim.Alles View Post
    Tell us more about what you are seeing / where you are at... You should have gotten an email?

    You can also contact support.
    Hi Jim,

    I did have to contact support; they worked very quickly with me and were awesome to deal with.

    Apparently when I enabled 2FA it does something to the existing password.

    After I used the password reset tool it changed it; then, after that, the prompt came up to input the 2FA code and a code was emailed to me. ONLY after I reset my password did this all start working, though.

    My email accounts both have 2FA on them, so I'm further ahead than most.

  10. #10
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    1,654


    Oh, OK - I have only done this CMD Center thing once or twice.

    Thanks for getting back to us!
