Recent searches
No recent searches
Concern Regarding the "Don't ask again for this computer for 30 days" Option
Planned
Zendesk Luminary
Posted Dec 27, 2024
Dear Zendesk Team,
I would like to raise a concern regarding the authentication feature in Zendesk that allows users to select "Don't ask again for this computer for 30 days."
While I understand that this functionality is designed to improve user convenience, it introduces significant security risks, particularly in corporate environments where security must be a top priority.
-
Reduced Effectiveness of Two-Factor Authentication (2FA):
This option bypasses the second factor of authentication for an extended period, effectively downgrading 2FA to password-only authentication during that time. This significantly undermines the security purpose of 2FA, which is intended to protect against risks such as phishing or credential theft. -
Risk from Compromised Devices:
If a device is shared, stolen, or accessed improperly, attackers can easily bypass the additional protection offered by 2FA. The locally stored token or cookie used to "remember" the device can be exploited if compromised, potentially exposing associated accounts. -
Impact on Compliance and Security Policies:
Organizations adhering to strict data protection regulations or security policies may find it challenging to justify the use of this feature, as it undermines the principles of multi-factor authentication.
Recommendations:
- Enable administrators to disable this option at the account level, enhancing security for organizations with stringent policies.
- Reduce the "remember me" period to a more secure timeframe, such as 7 days, or implement periodic reconfirmation of credentials.
- Provide logging or alerts in the Security Center when users utilize this option, offering greater control and visibility for administrators.
Thank you for your attention to this matter. I would appreciate understanding what measures might be implemented to enhance the security of this feature.
Best regards,
1
2
2 comments
Emily Reidy
Thank you for taking the time to provide us with your feedback. This has been logged for our PM team to review. For others who may be interested in this feature request, please add your support by upvoting this post and/or adding your use case to the comments below. Thank you again!
0
Caroline Kello
Hey Vinicius - I completely agree with you and we have plans to address this setting this year. Appreciate you taking the time to leave such detailed feedback.
0