Bug with 2FA and multiple accounts

This is quite a nasty bug - I was testing the group facility in SimpleHelp so I’d created a new test.user account to complement my normal rob.nicholson account. I logged onto the technician client with the new test.user and it asked me to go through adding the TOTP account to Microsoft Authenticator. Thought nothing of it for several days until I happened to have to authenticate again with my normal account and the authenticator didn’t work.

The reason is that when I added the second account for test.user, it overwrote the original account. It should have created a second account as other 2FA systems do. At this point, I was locked out of this account! Fortunately, the SimpleHelpAdmin account is only ever used on the server and it’s always logged in, so I was able to reset app authentication in the admin screen and I was then prompted to set up 2FA. But imagine if I’d also had 2FA on the SimpleHelpAdmin account and that had got overwritten…

What’s intriguing is I assume TOTP has this requirement in the specification as other systems (like Seafile cloud server) have created multiple entries.

If I had more time, I’d check it with Google authenticator. Later…
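Added example (not code from the thread or from SimpleHelp): RFC 6238 TOTP generation plus a toy model of an authenticator's entry list, showing why rob.nicholson's codes stop verifying once a second enrolment for the same issuer replaces the first entry. RFC 6238 itself only defines code generation; telling accounts apart is left to the otpauth:// label (issuer:account) in the enrolment QR code. The app model, the account names as used here and both secrets are constructed assumptions.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def totp(secret_b32, at, step=30):
    # RFC 6238: HOTP with the counter derived from Unix time
    return hotp(secret_b32, int(at // step))

def provisioning_uri(issuer, account, secret_b32):
    """otpauth:// URI as encoded in the enrolment QR; the label names the account."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?" + urlencode({"secret": secret_b32, "issuer": issuer})

class AuthenticatorApp:
    """Toy model of an authenticator's entry list (an assumption, not any real app's code).
    key_by="account": one entry per (issuer, account); key_by="issuer": a second enrolment
    for the same issuer replaces the first, reproducing the overwrite described above."""
    def __init__(self, key_by="account"):
        self.key_by, self.entries = key_by, {}
    def _key(self, issuer, account):
        return (issuer, account) if self.key_by == "account" else issuer
    def enroll(self, uri):
        u = urlparse(uri)
        issuer, _, account = unquote(u.path.lstrip("/")).partition(":")
        self.entries[self._key(issuer, account)] = parse_qs(u.query)["secret"][0]
    def code_for(self, issuer, account, at):
        secret = self.entries.get(self._key(issuer, account))
        return None if secret is None else totp(secret, at)

def server_accepts(server_secret, code, at):
    # Server side: the code must come from the secret enrolled for *this* account
    return code is not None and hmac.compare_digest(totp(server_secret, at), code)

ISSUER = "SimpleHelp"
ROB_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # constructed: the RFC 6238 test key
TEST_SECRET = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP"  # constructed sample secret

def scenario(key_by, at=59):
    """Enrol rob.nicholson then test.user; report whether rob's code still verifies."""
    app = AuthenticatorApp(key_by)
    app.enroll(provisioning_uri(ISSUER, "rob.nicholson", ROB_SECRET))
    app.enroll(provisioning_uri(ISSUER, "test.user", TEST_SECRET))
    return server_accepts(ROB_SECRET, app.code_for(ISSUER, "rob.nicholson", at), at)
```

`scenario("account")` returns True and `scenario("issuer")` returns False: in the second case the app now computes rob's code from test.user's secret, so the server rejects it and the original account is locked out until its app authentication is reset.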

I have multiple 2-factor accounts for SH set up in Authy, so it works there. Sounds like an issue in the way that the Microsoft account does things, not an SH issue.

Also you may want to think about removing image and reference to your actual username. I may be paranoid, but you gave your username and server address in the pic.

My name and company are hardly private, esp. on here. I removed the others.

Yes, but now there’s the info out there that that’s a login to a remote access tool. Previously, yes, that information was potentially available. Now, it’s a definite. Don’t make the hackers’ lives easier! And anything that they could use to get into a remote access tool, with access to your customers, is quite a catch. These people are vicious bastards and yes they will try and attack.

Yeah, I wasn’t trying to be a butt about it at all. I always just worry that if/when there is some vulnerability found in SH, things such as simply knowing the username could be enough to compromise your server. There have just been too many things like that, and I’m paranoid about the amount of havoc that could be done with the large number of machines that we have access to from our server.