Kaseya Community

Mandatory 2FA is NOT Acceptable

  • In this latest patch release Kaseya is mandating that 2FA be implemented. While this may sound like a good idea, it needs to be optional.

    We run our on-premise VSA on a private VLAN accessible only by select IP addresses, not to mention multiple layers of firewalls between us and the outside world.

    We're in a building with near-zero cell phone signal, making text impossible. We would not want to have to wait for an email 2FA credential to reach us.

    As many of you know, Remote Control is buggy and you sometimes have to exit and re-enter multiple times as it is. The timeout for the login is already very quick and it's already annoying to have to retype the password many, many times a day. Adding 2FA would make this unbearable.

    I encourage anyone that feels the same to contact their account rep and let them know mandatory 2FA is not acceptable to you.

  • A couple of suggestions. If you're on-prem, extend the timeout values for sessions, and for MFA use an OTP code setup versus an SMS-based one. These can ease the pain of MFA.

    Up to you for pushing for no 2FA, but more and more regulations and industries are going to mandate it. We are required to use it.

  • 100% agree. Mandatory 2FA for on-prem is a BAD idea.

    This should be entirely up to the client admins.

  • 2FA is basically not an option anymore... customers and regulations require it already and that is only growing. Use OTP.

  • Reached out to our account manager. This is the response: "Thank you for your feedback here. I understand your concern and I know that it is not an ideal situation, however I wanted to explain the reasoning. It is a hacker's dream to obtain access to your VSA and it can destroy companies if they are able to get through. All RMM providers are mandating 2FA, not just Kaseya."

    This should be a customer setting.

  • What Kaseya and most of you are missing here is that it is not only an MSP tool. Companies are using it on-prem for their own infrastructure.

  • Hey,

    We have Kaseya VSA set up as single sign-on with Azure AD, which DOES MFA.

    The Kaseya VSA can even demand in the claims that MFA is mandatory.

    A second MFA on top of that is not something we are looking forward to.

    Kind Regards,

    Aswin

  • Correct, and that's my point. We manage ~220 clients 100% internally on our own private network. We don't need it, nor desire it. Certainly if we were an MSP it would almost be mandatory, but it should be an option for us corporate guys.

  • I don't get it. Tick "remember me on this computer" at login and 2FA challenges me once a month, not multiple times a day.

    2FA is no hassle at all.

  • On SaaS, "Remember me" still asks for 2FA once a day. A Trusted Device setting would be nice. And a much longer timeout.

  • I've used both on-prem and cloud-based Kaseya 2FA. The cloud instance seems to respect the 2FA remember option; the on-prem setup has issues with it (prompting once a day or multiple times a day).

    Last case opened about this with support indicated there were issues and they were 'working on it'.

  • I have a user that upgraded their cell phone. Now I have to turn off 2FA so they can log in. How do I reset their 2FA so they can create a new one?

  • Go to System > Logon Policy. In the Two Factor Authentication settings, click Remove user(s) from 2FA enrollment. Choose the user from the popup list and click Remove. Then the user can start over to enroll again.

  • Personally, I have a problem with requiring someone to use their personal cell phone for what is a corporate application ('cause we're a small shop and we don't have corporate cell phones).

    And if it were just me, I'd install the latest version that forces me into that position. But we allow our end users to access the VSA so they have full access to Ticketing, and I'm not going to require my end-users to use their personal cell phones to access the Ticketing module.

    Seems like there are other potential solutions out there to do MFA without requiring the use of a personal cell phone.

    I get around the problem of having to log in multiple times a day by configuring the Logon Policy to allow 9 hours of inactivity before a user session expires. I have work to get done and I need the VSA to make my job easier, not more complicated.

  • You could load Authy on the user's workstation and use that.

    I have no problem with Kaseya forcing 2FA. It is a minor annoyance at worst. ALL MSP products should require mandatory 2FA, if for no other reason, to protect us from ourselves! Until something better comes along, TOTP 2FA is here to stay. I think it is easier (safer?) than emailing a code.

    AuthAnvil allowed whitelisting, which would be the solution for those of you on an internal network, but they would need to implement that for TOTP.