
Hide the dialog box when 2-Factor authentication

Answered


Posted Feb 22, 2021

We would like to use 2-factor authentication for Agents every time.
However, the dialog box "Don't ask again on this computer for 30 days" appears on the current login page of 2FA.

We would like to hide the dialog box and enable 2-factor authentication every time.
We would appreciate it if you could consider adding this request to your future development plans.

Thanks!


2

3

3 comments


Caroline Kello

Zendesk Product Manager

Hi! Thanks for this piece of feedback. We currently don't have any plans to remove this checkbox but it's an interesting idea for sure. I've added this feedback to our internal tool for tracking. 

1


Hi Caroline,

It is interesting that Zendesk think of IT security as simply a 'feature' and not a mandatory component.  Users will never upvote IT security in comparison to bells n whistles features.... right now there is extreme risk.

It is not a great answer though, Zendesk.  Sincerely the 2FA implementation is flawed.  2FA in a business context is meant to be implemented as a scheme that permits administrators to make the use of this mandatory.  

The current implementation does leave Zendesk open to potential legal action I would believe should Personally Identifying (PI) or sensitive data be stolen via a breach.

This would be straightforward to remediate by implementing the common design that permits admin to enforce 2FA.

Why will Zendesk not consider and take action on this yourselves?  

It would be a relatively simple change to lock down the user screens to no longer permit the 30 day 'trust'.

Please note that as a very small company we do not have the intention or capability to implement SSO.  However we do have copies of PI and possibly sensitive information within our tickets and we do take information security seriously and would like to see Zendesk make an uplift here to properly secure your 2FA design - for everyone.

I'd like to see Zendesk take the lead here.

Regards,
Troy

3


Dear Zendesk Team,

I would like to raise a concern regarding the authentication feature in Zendesk that allows users to select "Don't ask again for this computer for 30 days."

While I understand that this functionality is designed to improve user convenience, it introduces significant security risks, particularly in corporate environments where security must be a top priority.

  1. Reduced Effectiveness of Two-Factor Authentication (2FA):
    This option bypasses the second factor of authentication for an extended period, effectively downgrading 2FA to password-only authentication during that time. This significantly undermines the security purpose of 2FA, which is intended to protect against risks such as phishing or credential theft.
  2. Risk from Compromised Devices:
    If a device is shared, stolen, or accessed improperly, attackers can easily bypass the additional protection offered by 2FA. The locally stored token or cookie used to "remember" the device can be exploited if compromised, potentially exposing associated accounts.
  3. Impact on Compliance and Security Policies:
    Organizations adhering to strict data protection regulations or security policies may find it challenging to justify the use of this feature, as it undermines the principles of multi-factor authentication.

Recommendations:

  • Enable administrators to disable this option at the account level, enhancing security for organizations with stringent policies.
  • Reduce the "remember me" period to a more secure timeframe, such as 7 days, or implement periodic reconfirmation of credentials.
  • Provide logging or alerts in the Security Center when users utilize this option, offering greater control and visibility for administrators.

Thank you for your attention to this matter. I would appreciate understanding what measures might be implemented to enhance the security of this feature.

Best regards,

0
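The three recommendations in the comment above (an admin switch, a shorter remember window, and logging of skipped prompts), sketched as a server-side check. This is an added example, not part of the thread and not Zendesk's implementation; the token format, the policy fields and the audit event names are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

DAY = 86400  # seconds

@dataclass
class TrustedDevicePolicy:
    """Hypothetical account-level settings controlled by an administrator."""
    allow_remember: bool = False  # False = prompt for the second factor every time
    max_age_days: int = 7         # shorter window than the 30 days discussed above

def _sign(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(key: bytes, user: str, device_id: str, now: int) -> str:
    """Create the remembered-device token (assumed format: user|device|issued|mac)."""
    payload = f"{user}|{device_id}|{now}"
    return f"{payload}|{_sign(key, payload)}"

def second_factor_required(key, policy, user, token, now, audit) -> bool:
    """Return True when this login must prompt for the second factor."""
    if not policy.allow_remember or not token:
        return True  # enforced by the admin, or the device was never remembered
    try:
        t_user, device_id, issued, mac = token.split("|")
        issued_at = int(issued)
    except ValueError:
        audit.append(("trusted_device_rejected", user, "malformed"))
        return True
    expected = _sign(key, f"{t_user}|{device_id}|{issued}")
    if t_user != user or not hmac.compare_digest(expected.encode(), mac.encode()):
        audit.append(("trusted_device_rejected", user, "bad_mac_or_user"))
        return True
    if not 0 <= now - issued_at <= policy.max_age_days * DAY:
        audit.append(("trusted_device_rejected", user, "expired"))
        return True
    # Visibility for administrators: record every skipped second factor.
    audit.append(("second_factor_skipped", user, device_id))
    return False

# Constructed sample values for a stand-alone run.
if __name__ == "__main__":
    key, t0, log = b"constructed-demo-key", 1_700_000_000, []
    tok = issue_token(key, "agent@example.com", "laptop-1", t0)
    policy = TrustedDevicePolicy(allow_remember=True)
    print(second_factor_required(key, policy, "agent@example.com", tok, t0 + DAY, log))
    print(log)
```

With `allow_remember=False` the token is never consulted, which is the "2FA every time" behaviour the original post asks for.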

