2FA / MFA / 2 Factor Auth expiration
planned
Steven Sproat
(This applies to several areas of the system, and I wasn't sure where best to post it in Canny.)
We have recently switched on 2FA and have instantly had a lot of grumbles from our staff regarding the need to 2FA so often. Going into backoffice, POS and CloudMT all require a 2FA prompt, and it seems this has a short expiration: if the login session expires, then the next login requires 2FA.
Can the 2FA expiration be increased independently of the login expiration?
Also, can a small and easy UI improvement be made: auto-focus the 'enter the code' input textbox after sending the 2FA code?
Neil McQuillan - CEO Citrus-Lime
OK, I think perhaps settling on 7 days seems like a plan? We are going to include this in the May release, which is scheduled to go out w/c 6th of May.
Jacob
Completely agree. It is a nightmare for my team.
Neil McQuillan - CEO Citrus-Lime
The current 2FA session expiry is the current login session; we are up for changing this.
If it was 30 days on a shared machine this would be quite insecure. Maybe 24 hours?
Steven Sproat
Neil McQuillan - CEO Citrus-Lime I agree that 30 days is too long. For the website that I run, it's a 9-hour window, given that's an 8-hour working day plus 1 hour of breaks.
Richard Twinn
Neil McQuillan - CEO Citrus-Lime At least 24 hours would be ideal; if we could stretch to 48, that would be helpful! Thank you
Ben
Neil McQuillan - CEO Citrus-Lime We are looking at turning it on, but it sounds difficult to manage in its current form and could interfere with customer service in a busy shop environment with shared machines. A cashier fumbling with their phone whilst trying to serve customers doesn't look great. I think 7 days seems reasonable for 2FA unless I am missing a threat. Many other platforms that have 2FA have long expiry times per device, as long as it requests it each time a new device is used.
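The posts above ask for two things: a 2FA expiry that is decoupled from the login session, and a prompt that comes back whenever a new device is used. The usual way to get both is a signed "remember this device" token with its own lifetime, bound to the user and to a random per-browser device id. The following is an added example written for this page; it is not Citrus-Lime's code, and the 7-day and 9-hour policies, the cookie layout, the `mfa_generation` counter and all function names are assumptions for illustration.

```python
"""Added example (not Citrus-Lime's code): a "remember this device" token whose
expiry is independent of the login session. Names, TTLs and layout are assumed."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

TRUST_TTL = 7 * 24 * 3600   # assumed policy: 2FA is remembered for 7 days per device
LOGIN_TTL = 9 * 3600        # assumed policy: the ordinary login session lasts 9 hours


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: bytes, payload: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def new_device_id() -> str:
    """Random id kept in its own long-lived cookie the first time a browser is seen."""
    return secrets.token_urlsafe(16)


def issue_device_token(secret: bytes, user_id: str, device_id: str,
                       mfa_generation: int, now: float) -> str:
    """Issued once after a successful 2FA check, and only if the user ticked
    "remember this device" (a shared till can simply never be remembered).
    mfa_generation is a per-user counter (assumed) bumped when 2FA is reset or the
    user clicks "forget all devices"; bumping it invalidates every token at once."""
    claims = {"uid": user_id, "dev": device_id, "gen": mfa_generation,
              "iat": int(now), "exp": int(now) + TRUST_TTL}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_sign(secret, payload))


def device_is_trusted(secret: bytes, token: Optional[str], user_id: str,
                      device_id: str, mfa_generation: int, now: float) -> bool:
    """True only for an untampered, unexpired token bound to this user, this
    device cookie and the user's current 2FA generation."""
    if not token or "." not in token:
        return False
    body, sig = token.split(".", 1)
    try:
        payload = _unb64(body)
        if not hmac.compare_digest(_sign(secret, payload), _unb64(sig)):
            return False
        claims = json.loads(payload)
    except ValueError:            # bad base64 or bad JSON
        return False
    return (claims.get("uid") == user_id
            and claims.get("dev") == device_id
            and claims.get("gen") == mfa_generation
            and now < claims.get("exp", 0))


def second_factor_required(secret: bytes, token: Optional[str], user_id: str,
                           device_id: str, mfa_generation: int, now: float) -> bool:
    """Decision point after a correct password: prompt for 2FA unless the device is
    trusted. The login session's own expiry (LOGIN_TTL) plays no part here, which is
    the decoupling the thread asks for."""
    return not device_is_trusted(secret, token, user_id, device_id, mfa_generation, now)


def demo() -> dict:
    """Walk through the scenarios raised in the thread with a fresh random secret."""
    secret = secrets.token_bytes(32)
    t0 = 1_700_000_000.0
    gen = 1
    till = new_device_id()
    token = issue_device_token(secret, "alice", till, gen, t0)
    # constructed attack: attacker edits the expiry claim but cannot re-sign it
    body, sig = token.split(".", 1)
    forged_claims = json.loads(_unb64(body))
    forged_claims["exp"] += 365 * 24 * 3600
    forged_body = json.dumps(forged_claims, separators=(",", ":"), sort_keys=True).encode()
    forged = _b64(forged_body) + "." + sig
    return {
        # 9h login session has expired, password re-entered, still inside 7 days: no 2FA
        "same_device_after_login_expiry": second_factor_required(secret, token, "alice", till, gen, t0 + LOGIN_TTL + 3600),
        "same_device_day_6": second_factor_required(secret, token, "alice", till, gen, t0 + 6 * 86400),
        "same_device_day_8": second_factor_required(secret, token, "alice", till, gen, t0 + 8 * 86400),
        "different_device": second_factor_required(secret, token, "alice", new_device_id(), gen, t0 + 3600),
        "other_user_same_till": second_factor_required(secret, token, "bob", till, gen, t0 + 3600),
        "after_2fa_reset": second_factor_required(secret, token, "alice", till, gen + 1, t0 + 3600),
        "forged_expiry": second_factor_required(secret, forged, "alice", till, gen, t0 + 3600),
        "no_cookie": second_factor_required(secret, None, "alice", till, gen, t0 + 3600),
    }


if __name__ == "__main__":
    for name, prompt in demo().items():
        print(f"{name:32} -> {'ask for 2FA' if prompt else 'skip 2FA'}")
```

Two points for the shared-machine concern raised in the thread: the token is only issued when the user opts in, so a shared till is never remembered, and because it is bound to `uid` a second cashier logging in on the same till is prompted regardless of whose token the browser holds. The `gen` claim gives the admin a single switch to re-prompt every remembered device for a user, without having to find and delete each cookie.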
Richard Twinn
I was about to turn this on for our staff, but it seems like it is difficult to manage in its current state.
There should be a single sign-on for all areas: one MFA login should work for all areas and stay signed in for, for example, 30 days (sites like Mailchimp, Xero and Meraki do this).
Suzy Weightman, what's the session expiration time for MFA?
I'd like to make it a smooth transition, and things like the autofocus could help a lot.