2FA / MFA / 2 Factor Auth expiration
planned
Steven Sproat
(This applies to several areas of the system, and I wasn't sure where best to post it in Canny.)
We have recently switched on 2FA and have instantly had a lot of grumbles from our staff regarding the need to 2FA often. Going into backoffice, POS and CloudMT all require a 2FA prompt, and it seems this has a short expiration: if the login session expires, then the next login requires 2FA.
Can the 2FA expiration be increased independently of the login expiration?
Also, can a small and easy UI improvement be made: auto-focus the 'enter the code' input textbox after sending the 2FA code?
Phil Topliss
What happens if a staff member doesn't have a mobile or doesn't bring it into work? Is there a backup method?
Neil McQuillan - CEO Citrus-Lime
planned
Neil McQuillan - CEO Citrus-Lime
OK, I think perhaps settling on 7 days seems like a plan? We are going to include this in the May release, which is scheduled to go out w/c 6th May.
Ben
Neil McQuillan - CEO Citrus-Lime Did this miss the May release? We have just enabled it, but it seems to have a very short expiration still?
Richard Twinn
Neil McQuillan - CEO Citrus-Lime Suzy Weightman is this now live? Thanks
Ben
Richard Twinn Unfortunately not. A shame, as having 2FA available for Cloud POS is very appropriate at the moment, but at this point perhaps the cost of a hack is worth the risk given the amount of time the team are now having to fiddle around with 2FA (joking of course! But the sentiment remains).
Richard Twinn
Ben Yes, shame we got no update. Would be good to know an ETA!
Jacob
Completely agree. It is a nightmare for my team.
Neil McQuillan - CEO Citrus-Lime
The current 2FA session expiry is the current login session; we are up for changing this.
If it was 30 days on a shared machine this would be quite insecure. Maybe 24 hours?
Steven Sproat
Neil McQuillan - CEO Citrus-Lime I agree that 30 days is too long. For the website that I run, it's a 9 hr window, given that's an 8 hr working day and 1 hr of breaks.
Richard Twinn
Neil McQuillan - CEO Citrus-Lime At least 24 hours would be ideal; if we could stretch to 48, that would be helpful! Thank you.
Ben
Neil McQuillan - CEO Citrus-Lime We are looking at turning it on, but it sounds difficult to manage in its current form and could interfere with customer service in a busy shop environment with shared machines. A cashier fumbling with their phone whilst trying to serve a customer doesn't look great. I think 7 days seems reasonable for 2FA unless I am missing a threat. Many other platforms that have 2FA have long expiry times per device, as long as it requests it each time a new device is used.
Richard Twinn
I was about to turn this on for our staff, but it seems like it is difficult to manage in its current state.
There should be a single sign-on for all areas: one MFA login should work for all areas and stay signed in for, say, 30 days (sites like Mailchimp, Xero and Meraki do this).
Suzy Weightman What's the session expiration time for MFA?
I'd like to make it a smooth transition, and things like the autofocus could help a lot.
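The thread asks for two things that are easy to conflate: a 2FA expiry that is longer than (and independent of) the login session, and a "remember this device" behaviour that still prompts on a new device or a shared till used by someone else. The sketch below is an added example, not Citrus-Lime code and not a description of how their platform works. It assumes a hypothetical server that holds an HMAC key and a per-user "trust epoch" counter; a device-trust token is issued after a successful 2FA, carries its own 7-day expiry (the value the thread settled on), is bound to the user it was issued to, and is revoked for every device at once by bumping that user's epoch. The login session is a separate, much shorter timer. The scenario in `walkthrough()` (two cashiers on one shared machine) is constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

DAY = 24 * 3600
DEVICE_TRUST_TTL = 7 * DAY     # how long a device stays trusted (7 days, as settled on in the thread)
LOGIN_SESSION_TTL = 9 * 3600   # the ordinary login session; deliberately much shorter


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class MfaServer:
    """Hypothetical server state: one HMAC key plus a per-user trust epoch (assumption, not the product's design)."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        self.trust_epoch = {}  # user -> int; bump it to revoke every trusted device for that user

    def issue_device_token(self, user, now):
        # The token names the user and the epoch, so it is useless to another account on the same machine
        payload = {"u": user, "e": self.trust_epoch.get(user, 0),
                   "exp": now + DEVICE_TRUST_TTL, "n": _b64e(secrets.token_bytes(8))}
        body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64e(tag)

    def device_is_trusted(self, token, user, now):
        if not token or "." not in token:
            return False
        body, tag = token.rsplit(".", 1)
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(expected, _b64d(tag)):   # constant-time MAC check first
                return False
            payload = json.loads(_b64d(body))
        except (ValueError, TypeError):
            return False
        return (isinstance(payload, dict)
                and payload.get("u") == user                           # bound to this user
                and payload.get("e") == self.trust_epoch.get(user, 0)  # not revoked
                and now < payload.get("exp", 0))                       # own expiry, not the session's

    def revoke_trusted_devices(self, user):
        self.trust_epoch[user] = self.trust_epoch.get(user, 0) + 1

    def login(self, user, password_ok, device_token, now, mfa_code_ok=None):
        """Returns (outcome, session_expiry, device_token_to_store)."""
        if not password_ok:
            return ("denied", None, device_token)
        if self.device_is_trusted(device_token, user, now):
            return ("ok", now + LOGIN_SESSION_TTL, device_token)    # no second-factor prompt
        if mfa_code_ok is None:
            return ("mfa_required", None, device_token)             # client must send the code
        if not mfa_code_ok:
            return ("denied", None, device_token)
        return ("ok", now + LOGIN_SESSION_TTL, self.issue_device_token(user, now))


def walkthrough():
    """Constructed scenario: one shared till, two cashiers. Returns the outcome of each login attempt."""
    srv, t0, out = MfaServer(), 1_700_000_000, []
    # Day 0: alice logs in, is prompted, passes 2FA, and the browser keeps the device token
    out.append(srv.login("alice", True, None, t0)[0])
    _, sess_exp, tok = srv.login("alice", True, None, t0, mfa_code_ok=True)
    out.append("ok" if sess_exp == t0 + LOGIN_SESSION_TTL else "bad-session")
    # Day 1: the 9-hour login session is long gone, but the device is still trusted
    out.append(srv.login("alice", True, tok, t0 + 1 * DAY)[0])
    # bob on the same till with alice's token: bound to alice, so bob is prompted
    out.append(srv.login("bob", True, tok, t0 + 1 * DAY)[0])
    # A tampered token fails the MAC and is treated as no token at all
    tampered = tok[:-1] + ("A" if tok[-1] != "A" else "B")
    out.append(srv.login("alice", True, tampered, t0 + 1 * DAY)[0])
    # Day 8: device trust has lapsed even though alice's password is still fine
    out.append(srv.login("alice", True, tok, t0 + 8 * DAY)[0])
    # Lost phone: revoking bumps the epoch, so a token issued a minute ago is rejected immediately
    _, _, tok2 = srv.login("alice", True, None, t0 + 8 * DAY, mfa_code_ok=True)
    srv.revoke_trusted_devices("alice")
    out.append(srv.login("alice", True, tok2, t0 + 8 * DAY + 60)[0])
    return out


if __name__ == "__main__":
    for step, outcome in enumerate(walkthrough(), 1):
        print(step, outcome)
```

Two design points worth noting. Binding the token to the user is what makes a long device-trust window tolerable on a shared machine: the next cashier still gets prompted, because the cookie left behind only vouches for the previous account. The epoch counter gives the back-office a one-click "sign out all my devices" for the lost-phone case without keeping a table of every token ever issued; if you also want per-device revocation, store the `n` nonce server-side and check it here.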