The Water Cooler


Two factor authentification settings

  • 1.  Two factor authentification settings

    Posted Jan 06, 2020 06:44 AM
    Edited by Carsten Schmitz Jan 06, 2020 06:48 AM
    ​Hi.

    The forums now appear to employ two factor security. The box on the input field allows me to "cache" the second factor for five minutes, then I need to jump through that hoop again.

    Seeing how this is a publicly visible forum where virtually anonymous people post, not home banking or the nuclear launch app*), I kindly question whether this is entirely justified.

    Maybe you'd want to consider if that doesn't serve to put people off.

    Best regards,


    *) why yes, there totally is one! Available on the dark web for Android only.



    (edit: I am not asking for it to be switched off, only for it to be set to a reasonable interval like a week or so, remembered via IP address or cookies or some such).


    ------------------------------
    I will not respond to PM asking for help unless there's an actual reason to keep the discussion off of the public forums.
    ------------------------------


  • 2.  RE: Two factor authentification settings

    Community Manager
    Posted Jan 06, 2020 09:02 PM
    @Carsten Schmitz  -   I am working internally on resolving the forced two-factor authentication for the Community.    All external applications were auto rolled into the new company SSO program on Dec 18th.   I missed the email and have now requested an exemption for Okta on Community.    I will post an update to this thread when this issue has been resolved.

    @Lenn Thompson , @Diane Craddock and @Christopher Hackett ​​​​

    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 3.  RE: Two factor authentification settings

    Posted Jan 29, 2020 11:56 AM
    Yea...  the two factor authentication is causing me a bother.   There are places and things that for whatever reason I can't go to or download or watch because of rules on our network, (anything that I can prove I have to have for my exact job they will let me get to).   So...  I have been looking/watching at them on my home computer.  My home computer does NOT have access to my work email where this authentication wants to send the email for the code.   So now I'm stuck not being able to go/see/watch these places/things that I can't at work because of our firewall.  It is a bit disconcerting.


    ------------------------------
    RenateLynn Edwards
    Workload Automation Administrator CA7/CA11/CA1
    Security Service Federal Credit Union
    Texas
    ------------------------------



  • 4.  RE: Two factor authentification settings

    Posted Jan 07, 2020 02:18 AM
    I fully support that.

    On top, the user experience is very poor with the current implementation. Why do I have to do an extra click for triggering the OTK message? It should be sent automatically. Not to mention that sometimes I experience a delay of several minutes until the message arrives in my inbox.


  • 5.  RE: Two factor authentification settings

    Posted Jan 07, 2020 03:56 AM

    @Jason McClellan Thanks! Much appreciated.



    > ​On top, the user experience is very poor with the current implementation. 

    +1.

    I didn't want to pile on it, but I also looked at my inbox the first time until I realized I need to trigger the email with a button, and it does not get sent automatically when trying to log in, like with virtually 99% of all other sites.


    > ​I experience a delay of several minutes until the message arrives in my inbox.

    This I cannot confirm. Takes about 10-15 seconds for it to arrive for me. Much like with the JavaScript overload on various websites that blows up in corporate proxies, however, one could make the case that delayed mail routing by virtue of silly appliances is an unfortunate reality of many corporate customers. And e-mail has conceptually never been intended as a real-time thing, so it's not a great choice for two factor, at least not as the only available means. But since Jason said he'll strive to get rid of it altogether, that's a moot point.

    Best,
    Carsten


  • 6.  RE: Two factor authentification settings

    Community Manager
    Posted Jan 07, 2020 09:39 AM
    @Michael Schoch  - I recently noticed that negative change internally ​and asked the same question.   I'm not sure what you see as options but besides text I have other options like Symantec VIP and a few others.   Either way, whatever the default is it should send immediately.    Cheers ~jm

    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 7.  RE: Two factor authentification settings

    Posted Jan 07, 2020 09:13 AM
    As long as people are piling on...

    This two factor authentication isn't only for Communities. I also get it when I log in for tech support.  Which raises the problem of a critical issue being worked at a time that for whatever reason e-mail isn't working. It happens. And it will be ugly when it does. 

    And I agree with everyone else: It took me some time to figure out that the reason I hadn't gotten an e-mail with a code was because I had to tell it to send it. That's just very poor design. At least indicate that requirement on the screen.  

    I have heard these same complaints from several coworkers.


  • 8.  RE: Two factor authentification settings

    Community Manager
    Posted Jan 07, 2020 09:46 AM
    First, are you saying two-factor authentication is on for casupport.broadcom.com?    We have multiple support sites depending on the division.  Brocade, CA are a few.  We are working towards creating a single front door for all support to simplify customers getting in via one URL to the support site.   I'll ask my manager who leads all support related websites if he is aware and ask him if he actually chose to activate or was auto-enrolled.    I agree that adding an additional hurdle for this type of support site is problematic.    As someone mentioned this is not a financial site but the user should still have the option to activate two-factor authentication if they choose to.     Thanks for the note, I'll escalate.   ~jm

    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 9.  RE: Two factor authentification settings

    Posted Jan 07, 2020 09:48 AM
    Edited by Carsten Schmitz Jan 07, 2020 09:50 AM
    > First, are you saying two-factor authentication is on for casupport.broadcom.com​

    I also had to do two factor auth for the Automic support page, yes.

    Edit:

    I tried it now again and now I don't have to. But then, my colleague tried the community login and didn't have to, so maybe it's cached longer than the five minutes it says on the form, and maybe it's cached by source IP, which everyone in my company shares. Who knows. Or it's a moving target and someone is fiddling with it as we speak. Bottom line, Friday two factor auth was active for the support portal.



    ------------------------------
    I will not respond to PM asking for help unless there's an actual reason to keep the discussion off of the public forums.
    ------------------------------



  • 10.  RE: Two factor authentification settings

    Community Manager
    Posted Jan 07, 2020 10:56 AM
    Yes, another Community Member posted they were seeing it on casupport.broadcom.com and I tested with a non-employee account and validated.   I've escalated that to my manager asking for an exception.

    It is possible based on my P1 ticket last night that the two-factor has been removed from Community.   I would clear history or try a fresh browser to check.   I have not received a confirmation of removal but that does not mean the team has not turned it off based on my conversation.   Again, I'll post to both  the Community Issue and Support Issue when I know it has been resolved.  ~jm

    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 11.  RE: Two factor authentification settings

    Posted Jan 07, 2020 11:21 AM
    Edited by Chris Bertagnolli Jan 07, 2020 11:21 AM
    I would agree the implementation could be better. Preferably it stays on but more streamlined and easy to use for all Broadcom access. My email is similar to others in that sometimes it can take 1-2 minutes to be received; ideally I'd have a choice of MFA like registering my OTP app (Authy, Google, whatever) or email with one set as default.

    Also, someone really needs to proofread and make the messages on multi-factor much shorter - both on the login screen and email message. They are the wordiest ones I've seen for just giving me an OTP. Things like this sentence: "Please enter this code on prompted screen". At the very least put the code up front so that it is quick to glance at - this way a user can read it straight from the first line, not the 4th one down with double spacing.

    And a side-note, log in should really be two words when a verb :). I logged in. I did not "loginned". I was logging in when it prompted for a one time security code. I was not "loginning" when it prompted for a one time security code.

    Statements such as "immediately login into your" don't sound right because "login" as a verb just doesn't work.


  • 12.  RE: Two factor authentification settings

    Posted Jan 07, 2020 02:55 PM
    That is just a minor inconvenience for you guys.
    For me it is different, my email accounts are going to expire in early January.
    After that I cannot even receive those emails.
    As the login is the email it cannot be changed. Changing where the normal notifications are sent partially worked. (Still get them at the old address)
    Tried to create a new login more than a week ago. Not there yet.


  • 13.  RE: Two factor authentification settings

    Community Manager
    Posted Jan 07, 2020 05:01 PM
    @Martii Kinnuen -  Yes, that is correct.   If you move to a new company, you cannot update your email address.  You must create a new account separating you from the old account.   (security control)   If you do move to a new company or new email and create a new account, I can sync it with your legacy contributions on the Community so you do not lose anything.   Send me a PM at @Jason McClellan​​

    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 14.  RE: Two factor authentification settings

    Community Manager
    Posted Jan 09, 2020 04:32 PM
    Multi-Factor Authentication Turned On (2FA) -  As some of you noticed, when you log in to Broadcom Support, Community, Service Desk and other Broadcom Apps the SSO system Okta is asking you to validate your email.    This is a new security measure since your logins are tied to company emails which in turn tie to contracts and purchases.    I asked for an exemption for the Community platform.   Initially, it was declined based on a configuration issue.   I'm reviewing with the security team so for now, we'll have to validate when logging in.   I've tested it with a few external test accounts and as long as you are on the same browser and device it will remember you.   I'll post an update if anything changes.

    Jason

    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 15.  RE: Two factor authentification settings

    Posted Jan 28, 2020 04:32 AM
    Hi @Jason McClellan.

    > I've tested it with a few external test accounts and as long as you are on the same browser and device it will remember you.


    It remembers me for about 24 hours. Does this now mean 2FA via email will stay (despite the concerns of some other folks not only about bad design but potentially also about not being able to receive the emails), or is an exemption still being sought at Broadcom?

    Would appreciate a status update very much.

    Kind regards,


  • 16.  RE: Two factor authentification settings

    Posted Jan 22, 2020 02:52 AM
    Whoever designed this dialog box needs to take a refresher course in UI design.


    Here's the problem:
    • The email is not sent automatically. A second step is necessary (clicking the Send email button).
    • This button then changes to Sent and becomes inactive.
    • A moment later, the button changes to Resend Email.
    • The user is expected to enter the code in the box and click the blue Verify button. However, the button immediately to the right of the field where the code is entered is the one most people will assume submits the entry. Clicking this button invalidates the code the user just entered.

    The process flow should go top-down and left-to-right.

    Solution:
    • Either send the code email automatically or move the Send email button above the field where the code must be entered.
    • Move the blue Verify button to the right of the field where the code is entered.



  • 17.  RE: Two factor authentification settings

    Posted Jan 23, 2020 09:38 AM
    @Michael A. Lowry

    I agree. Although I have never had to design for RTL scripts, this design doesn't even make sense then. A simple top-down, single form element per row - in the right order - will work for basic web and mobile devices.

    As others have said, just drop email as the delivery mechanism and move to a more responsive mode - such as used by Google, Microsoft, and Amazon.  I can use the Google or Microsoft authentication apps for these and enter my code immediately.

    J.W.


    ------------------------------
    "No matter where you go, there you are." - TAoBB:AtED
    ------------------------------



  • 18.  RE: Two factor authentification settings

    Posted Jan 30, 2020 08:52 AM
    Hello,

    Same here, the first time I waited 10 minutes (for the email) until I saw that I have to request the code first :(

    ------------------------------
    If my answer fulfilled your question please mark the reply as "Make Best Answer"

    Kind Regards

    Marian
    ------------------------------



  • 19.  RE: Two factor authentification settings

    Community Manager
    Posted Jan 30, 2020 01:11 PM
    All,  I've shared this thread with the business to show them the issues with 2FA.  I am still working with the business on Okta settings and issues we are seeing.    Thank you for your patience.   Jason

    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 20.  RE: Two factor authentification settings

    Posted Jan 31, 2020 08:36 AM
    It is a pain! I sometimes have had to ask for the code to be sent two times. The wait is too long!


  • 21.  RE: Two factor authentification settings

    Community Manager
    Posted Feb 01, 2020 01:20 PM

    I'm looking into authorization code email latency using external test accounts at different times per day.  There are a few variables but five minutes is unacceptable. After logging in my first mistake was to think the email is auto sent.  It isn't, you have to choose "send email"; at that point it came 9 seconds later.  I was on tmobile cell, no VPN or firewall. Clicking remember this device works if you use the same browser on that device.  I've asked the Okta team about cookie settings which sets the TTL.   I'll keep on it until we see some improvement.   Thanks Jason



    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 22.  RE: Two factor authentification settings

    Posted Feb 10, 2020 04:52 AM
    I notice 2FA is off today, and if that's persistent, I apologize ahead of time to the dead horse.

    But despite people's perception, email has not been designed as a real-time medium. The expectation that email arrives within seconds is usually fulfilled but in no way guaranteed. If I were to complain to our organisations' email server admins about email arriving late, this is surely what they'd tell me. Despite any latency testing, stuff can be stuck in progressive retries, in anti spam tarpits, in email quarantine, or any sort of thing the corporate appliance manufacturers come up with these days. As presently implemented, it's likely also not very safe.

    Email verification strictly speaking is not a great tool for truly business-critical applications, such as the support portal. While email sure works most of the time and is also admittedly rather convenient, other tools like Google Authenticator seem like a natural (alternative) choice that is not hampered by many of email's problems.

    Maybe HL has a plugin for that, I truly don't know.

    Br,


  • 23.  RE: Two factor authentification settings

    Posted Feb 04, 2020 01:55 PM
    Thanks for looking into this.  Any idea if the "5 minutes" in  "Do not challenge me on this device for 5 minutes" is a typo?  If it is not a typo, then it looks like Broadcom wants 2FA to kick in every 5 minutes?

    Neil



  • 24.  RE: Two factor authentification settings

    Community Manager
    Posted Feb 09, 2020 07:35 PM
    Edited by Jason McClellan Feb 10, 2020 09:19 AM
    All,
    2FA changes were rolled out over the weekend that I am told will resolve a few of the issues with time and double emails.  I've asked for clarification on what was updated and what we should expect.   Thank you  ~jm



    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 25.  RE: Two factor authentification settings

    Community Manager
    Posted Feb 19, 2020 12:44 PM
    Update on when Okta MFA login is required:

    I have been working with the Okta team to explain when Okta is triggered.   See below:

    The configuration which is implemented is based on Device Behavior change (no time limit). If any of the following "change" then the MFA will be requested:
    • Country
    • IP
    • Device "Cookie" (not browser session cookie)
    This means if you are at work on your notebook and go home and swap from your corporate LAN to home WIFI/Router - you will be forced to the Okta Login Screen.  I know - I have to do the same.

    Jason

    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------
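
The three triggers listed in the post above (country, IP, persistent device cookie), modelled as an added example; this is not Okta's or Broadcom's code, and the cookie format, the key and every name in it are assumptions. The constructed scenarios show why a shared office IP alone does not carry a verification over to a browser that presents no valid device cookie.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed demo key (assumption); a real service keeps this in a secrets store.
SERVER_KEY = b"constructed-demo-key"


def _mac(user: str, device_id: str) -> str:
    return hmac.new(SERVER_KEY, f"{user}|{device_id}".encode(), hashlib.sha256).hexdigest()


def issue_device_cookie(user: str, device_id: str) -> str:
    """Persistent device cookie (hypothetical format): '<device_id>.<hmac>'."""
    return f"{device_id}.{_mac(user, device_id)}"


def device_id_from_cookie(user: str, cookie: Optional[str]) -> Optional[str]:
    """Return the device id only if the cookie is present and authentic."""
    if not cookie or "." not in cookie:
        return None
    device_id, mac = cookie.rsplit(".", 1)
    # Constant-time comparison so the check does not leak how many characters match.
    if hmac.compare_digest(mac.encode(), _mac(user, device_id).encode()):
        return device_id
    return None


@dataclass(frozen=True)
class Context:
    country: str
    ip: str
    device_id: Optional[str]  # None = no valid device cookie presented


def mfa_reasons(last_verified: Optional[Context], current: Context) -> List[str]:
    """Attributes that changed since the last successful MFA; empty list = no challenge."""
    if last_verified is None:
        return ["no previous verified login"]
    reasons = []
    if current.country != last_verified.country:
        reasons.append("country")
    if current.ip != last_verified.ip:
        reasons.append("ip")
    if current.device_id is None or current.device_id != last_verified.device_id:
        reasons.append("device cookie")
    return reasons


def demo() -> Dict[str, List[str]]:
    """Constructed scenarios; addresses come from documentation ranges."""
    user = "user@example.com"
    cookie = issue_device_cookie(user, "laptop-browser-a")
    office = Context("DE", "198.51.100.7", device_id_from_cookie(user, cookie))
    flipped = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")  # tampered MAC
    return {
        "same browser, same office": mfa_reasons(office, office),
        "same laptop, home Wi-Fi": mfa_reasons(
            office, Context("DE", "203.0.113.20", office.device_id)),
        "no cookie, shared office IP": mfa_reasons(
            office, Context("DE", "198.51.100.7", device_id_from_cookie(user, None))),
        "tampered cookie": mfa_reasons(
            office, Context("DE", "198.51.100.7", device_id_from_cookie(user, flipped))),
    }


if __name__ == "__main__":
    for scenario, reasons in demo().items():
        print(f"{scenario}: {'challenge: ' + ', '.join(reasons) if reasons else 'no challenge'}")
```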



  • 26.  RE: Two factor authentification settings

    Posted Feb 21, 2020 04:28 AM
    Hi Jason,

    It appears this is now the case, albeit this appears to be a recent change done by them. As of yesterday, I didn't need to renew the 2FA login.

    Thanks for taking care of this!

    Best,
    Carsten


  • 27.  RE: Two factor authentification settings

    Posted Feb 21, 2020 04:35 AM
    Oh &%$!§.

    That was Opera.

    I just tried IE11 (yes, I know, but it's the default browser the company forces on me). I need to do 2FA there for the community yet again, even though I did so yesterday.

    Our outgoing IP is always the same (as far as I, and whatsmyip.com know), it's accepting Cookies and this part of Germany hasn't been under new management for at least 70 years so ... no :(

    Sorry.


  • 28.  RE: Two factor authentification settings

    Posted Feb 27, 2020 06:12 AM
    Hi @Jason McClellan.

    I still need to regularly re-auth with 2FA with the company-mandated IE11. The fix only seems to work with other browsers. Is this known?

    Thanks.​


  • 29.  RE: Two factor authentification settings

    Posted Mar 01, 2020 11:56 AM

    Two factor authentication according to a LinkedIn post




  • 30.  RE: Two factor authentification settings

    Community Manager
    Posted Mar 01, 2020 12:26 PM
    Yes,  Internet Explorer 11 poses problems not only with Okta but many other 3rd party systems and custom applications.   That being said Okta should have a workaround for it since many Enterprise companies, Banks and so forth still use it.  There is a helper download on the Okta site.    I'll ask our internal Okta team.



    ------------------------------
    Thank you
    Jason
    Community Platform Owner, IT
    ------------------------------



  • 31.  RE: Two factor authentification settings

    Posted Mar 01, 2020 02:33 PM
    There are links to plugins/addons for other browser at that site, too.


  • 32.  RE: Two factor authentification settings

    Posted Mar 24, 2020 04:59 AM
    Edited by Carsten Schmitz Mar 24, 2020 04:59 AM
    Hi @Jason McClellan

    This morning, company-mandated default browser IE demands the code, but I am NOT getting an email. I don't know if the problem is here or with Broadcom, but I am getting other emails fine (edit: I also got the email about this post itself from Broadcom). I was trying to answer a customer's question on a product.

    I looked at the site you linked to, and it has no download for any IE plugin. It says I need to get it from the Okta User Dashboard. I have no clue where that would be (it's beyond me why they'd not link to it), but this is all a moot point as my company will not allow me to install any plugins anyway.

    Please don't take this personally, as you are doing a commendable job of replying and I think also being sensible, but please get Broadcom to focus on sorting out the various existing issues, but especially those that can be easily corrected: like simply disabling 2FA on a forum that virtually anyone can get access to. Patience with Broadcom as a whole is running very thin with me, and undoubtedly others over such things.

    Best regards,
    Carsten

    ------------------------------
    These contain very good advice on asking questions and describing supposed bugs (no, you do not need to go to StackExchange for Automic questions, but yes, the parts on asking detailed, useful questions ARE usually relevant):

    http://www.catb.org/~esr/faqs/smart-questions.html

    https://www.chiark.greenend.org.uk/~sgtatham/bugs.html

    I will not respond to PM asking for help unless there's an actual reason to keep the discussion off of the public forums.
    ------------------------------



  • 33.  RE: Two factor authentification settings

    Community Manager
    Posted Mar 24, 2020 08:52 AM
    I'll send your post to my internal Okta team to ask for recommendations either for your config of browser or your IT Department who controls options for users in the master config for IE 11.  As I mentioned above IE 11 is used either to allow certain applications to run and/or just to reduce risk due to possible config settings on the backend.  Stay tuned.

    ------------------------------
    Thank you
    Jason
    Broadcom Community Platform Admin, IT
    ------------------------------



  • 34.  RE: Two factor authentification settings

    Posted Mar 24, 2020 08:55 AM
    Thx


  • 35.  RE: Two factor authentification settings

    Community Manager
    Posted Mar 24, 2020 09:39 AM
    @Carsten Schmitz  - the team is checking the logs in Okta.  In the meantime, please check with your IT department to ensure emails from selfregistration.no-reply at sso.broadcom.com are whitelisted. * also sent via PM

    ------------------------------
    Thank you
    Jason
    Broadcom Community Platform Admin, IT
    ------------------------------



  • 36.  RE: Two factor authentification settings

    Posted Mar 24, 2020 09:52 AM
    Hi @Jason McClellan,

    thanks. I don't believe we do any gateway spam filtering, but I have sent a request to check and if we do, whitelist​​ it, to the service provider. As this is outsourced, it might take a while to get any answer though.

    Best,


  • 37.  RE: Two factor authentification settings

    Community Manager
    Posted Mar 25, 2020 02:43 PM
    @Carsten Schmitz - Great -  I have seen a few tickets coming in via Support regarding MFA emails not coming through - I've added myself to the watch list to see if there is a wider issue.   Stay tuned.  ~jm ​

    ------------------------------
    Thank you
    Jason
    Broadcom Community Platform Admin, IT
    ------------------------------



  • 38.  RE: Two factor authentification settings

    Posted Mar 26, 2020 04:33 AM
    Hi Jason!

    Thanks!

    Also, if you could have your IT department look into the mail logs, that should conclusively answer this. Either the mail is generated and handed off to the mail exchanger in our "jurisdiction", then the fault is with us. Or it isn't, then the issue lies with Broadcom.

    But if the communication lines to your "mail people" are possibly as lengthy as mine are to ours, then we're in the same boat here ;)

    Best,
    Carsten


  • 39.  RE: Two factor authentification settings

    Posted Mar 30, 2020 06:01 AM
    Hi Jason.

    I had several talks with some people. We implemented some white-listing, but I understand it's not as straightforward as plainly "white listing" something centrally. There's multi stage spam prevention, with IP based rules from blacklists at SMTP handshake, an appliance with keyword and score filtering, and also rules that our provider plainly refuses to whitelist (e.g. rules for office attachments or an additional virus checking step).

    In short, I've now done what's possible. Should it happen again, people need to look at the mail logs and identify the problem, or fix the need for the mails altogether.

    However, even before we began whitelisting, a mail this morning went through, so whatever (or wherever) the problem was, it's been resolved in the meantime. Were there any further findings on Broadcom's end?

    Br,