Is there any insight that Untangle is going to set up some kinda 2FA on the untangle.com/CMD portal?
Started Youtube Channel, Have a question about Untangle Ask me : jason @ jasonslab.ca
https://www.youtube.com/c/jasonslabvideos << Please like and subscribe, helps me out !!
Like this?
2fa.PNG
:-)
I'm going to be the pedant and point out that email-based MFA and SMS-based MFA are NOT MFA and are largely useless from a security perspective.
TOTP or go home...
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
That's neat, enabled 2FA, logged out like the instructions say! Poof, not able to log in any more..
Well, email is bad because it's also remotely accessible, and because humans are stupid and prone to habits, it's trivial to assume the mailbox in question has been compromised long before the attacker attempts to access the cloud service. Now, if you're me and you use a 2FA protected mail service, then I suppose this isn't nearly as bad, and presumably everyone that has a brain has done this already... but it's still a weakness in depth.
SMS-based auth is better than nothing, because it steps outside the usual human norms of passwords. But all you have to do is spoof a SIM card to get someone's texts; this process is hilariously easy to do because all you have to do is talk a min wage counter clerk out of a SIM card with relatively minimal risk and effort. This attack vector has been demonstrated to the tune of millions of dollars in losses. This is a problem because many services will utilize SMS-based processes for password recovery. But, it is a more targeted assault that is vastly less likely than in general. So I consider it a half auth, as opposed to a 2nd.
Untangle as a security vendor knows this, and they should know better. Again, generic TOTP support at a minimum please. Bitwarden all the things! Duo the Bitwarden!
Last edited by sky-knight; 01-07-2020 at 11:57 AM.
Rob Sandling, BS:SWE, MCP
NexgenAppliances.com
Phone: 866-794-8879 x201
Email: support@nexgenappliances.com
Tell us more about what you are seeing / where you are at... You should have gotten an email?
You can also contact support.
If you think I got Grumpy
Hi jim,
I did have to contact support, they worked very quickly with me and were awesome to deal with.
Apparently when I enabled 2FA it does something to the existing password.
After I used the password reset tool it changed it, then after that the prompt came up to input the 2FA code and a code emailed to me. ONLY after I reset my password this all started working tho.
My email accounts both have 2FA on them so I'm further ahead than most!
Oh, ok - I have only done this CMD center once or twice.
Thanks for getting back to us!