I have requested a conversation directly with your IT Security or Enterprise architecture team. Please have them contact me directly.
2FA has been poorly implemented. Business software should not permit users to have control over whether to use 2FA each login or not. That is a decision of each company administrator.
Will Zendesk re-consider and take action on this yourselves?
A very simple fix - provide admins the ability to set a default on the user's ability to disable any trust by the user of their device for 30 days. Hence permit admins to lock this as "None" so that the sessions will expire as per the other 2FA settings.
It is interesting that Zendesk think of IT security as simply a 'feature' and not a mandatory component. Users will never upvote IT security in comparison to bells and whistles features... right now there is extreme risk of being hacked or otherwise breached.
Right now the implementation provides some misleading assurance of being secure and using sessions. The current implementation does leave Zendesk open to potential legal action, I would believe, should Personally Identifying (PI) or sensitive data be stolen via a breach.
This would be straightforward to remediate by implementing the common design that permits admins to enforce 2FA.
Please note that as a very small company we do not have intention or capability to implement SSO. However we do have copies of PI and possibly sensitive information within our tickets and we do take information security seriously and would like to see Zendesk make an uplift here to properly secure your 2FA design - for everyone's benefit.
I'd like to see Zendesk take the lead here.
There have been other requests on this same question for 12 months without action. Please do not leave IT Security for a popular up-vote before acting.
It is so important.