GFI Forums: Kerio Control » 30 days 2 way authentication

Home » GFI User Forums » Kerio Control » 30 days 2 way authentication (User in control)

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

30 days 2 way authentication [message #135089]

Tue, 11 April 2017 14:30

Tuxis
Messages: 282
Registered: October 2011
Location: Ede

Hi,

Not a feature request but it might be.
When enabeling 2 factor authentication, the user is able to choose to remember him.

"Users must use the verification code every time they try to connect to the Kerio Control network from the Internet. If they select Remember me on this device, their browser remembers the connection for the next 30 days from the last connection."

It makes the 2 factor authentication useless in some cases.
Case:
You have a laptop.
You use authentication to open ports on the firewall from the outside. So a user that is at home must authenticate before he can RDP to a server that is in the office behind the firewall.
The laptop gets stolen and the thief somehow knows the username and password.

He can login without the token because the user set the remember me on this device option.

Is there any way to shorten the 30 days? Or even disable it so the 2 factor authentication has to be done every time?

--
Tuxis Internet Engineering
https://www.tuxis.nl/
https://www.tuxis.nl/mijn-kerio/

Report message to a moderator

Re: 30 days 2 way authentication [message #135092 is a reply to message #135089]

Tue, 11 April 2017 16:55

silars
Messages: 285
Registered: March 2012

This is a classic issue with 2FA.

In this case, the laptop becomes the second factor. In all cases, if the second factor is compromised (key fob, CAC/PIV, authenticator app/phone, fingerprint, retina, etc.), and you also lose the user/pw, 2FA will be defeated.

Some argue that your phone with the authenticator app is more easily lost than the laptop.

Though, almost all security problems devolve to a human engineering issue (insider threat). You can train personnel to not accept that, or use browsers with Privacy mode or delete browsing data.

All said, having more options is a good thing. These forums aren't the best place to suggest changes. Through the Control UI, you can submit ideas and get placed into the queue.

Report message to a moderator

Re: 30 days 2 way authentication [message #135093 is a reply to message #135089]

Tue, 11 April 2017 16:55

Kerio/GFI Brian
Messages: 852
Registered: March 2004
Location: California

There is not an option to adjust the timeout. However regarding your scenario, if a thief has both the user's laptop and their credentials (for both Kerio Control and the laptop OS), he will have two factors of identification. Further, your users can easily (and will likely) install a TOTP app on their computer so the thief would have access to the verification code assuming he has all other login credentials.
Consider also that if you introduce obstacles and additional layers of annoyance to your users, they will be less inclined to connect remotely or they will try to find alternative ways to accomplish their work.

Brian Carmichael
Instructional Content Architect

Report message to a moderator

Re: 30 days 2 way authentication [message #151944 is a reply to message #135093]

Thu, 16 June 2022 08:20

mik256
Messages: 22
Registered: April 2016

Considering user selects "remember password" in kerio control vpn client and his laptop is a typical Windows system (where OS authentication could not be taken seriously) there is no password the thief needs to know.

This is not really secure in my eyes- I'd like to have at least 1 factor always present, preferably disable this "remember password" checkbox in vpn client.

[Updated on: Thu, 16 June 2022 08:21]

Report message to a moderator

Previous Topic:	Use remote gateway as setting per user
Next Topic:	DNS suffix push from Kerio IPSec Server

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Thu Aug 18 19:00:31 CEST 2022

Total time taken to generate the page: 0.02883 seconds