Kaseya Community

Mandatory 2FA is NOT Acceptable

  • Hi All,

The only issue that I have with 2FA from Kaseya is that you are not able to whitelist an IP range so that when connecting from a specific IP range it doesn't ask you for 2FA into the application.

    Kaseya say that they can do this through AuthAnvil, but if you set up AuthAnvil you have to log in through a different URL than the one you are used to. So if Kaseya could provide an option to whitelist an IP range within the Mandatory option, it would be a great help, I think, to a lot of people.

  • You don't need to log into a different address. The same one works fine. You might be thinking of SSO, which is possible, but not a requirement. The problem with the new setup is that EVEN if you are whitelisted in AuthAnvil, you will be FORCED to set up Google/TOTP 2FA, so in effect there is no ability to whitelist.

  • Hi Chris,

    If Kaseya offer whitelisting through AuthAnvil but native 2FA is enabled (version 9.5.1 onwards), you will be required to 2FA in even if you whitelist within AuthAnvil. I have tested this 100% and there doesn't seem to be a way around this.

  • Exactly what I said above.

  • Hi,

    We updated one of our VSAs to 9.5.1 the past weekend.

    It was a desperate situation, but we almost got locked out.

    Don't know about other experiences, but none of our admin credentials could go beyond 2FA.

    By fortune we found one, and with it could delete the enrollment for everyone.

    But what happens if we didn't find an Admin with Master Role to do that?

    I think that at least the localhost should bypass the 2FA.

    If someone reaches the localhost, does 2FA give you any advantage?

    Regards,

    Jose

  • Not sure what poor cell service has to do with MFA - if you have the MFA Key, you can generate the MFA Code in software. Our automated support software actually logs into a VSA interactively, performs MFA, and then updates the necessary VSA components, and our software certainly doesn't have a cell phone. (plus, the computer room where these systems live has no cell service!)

    Using software to generate an MFA access key is a pretty common method where support teams need interactive login access using a single support account - you can't send the MFA request to multiple cell phones, so you have a secure app to do this. Heck, you can do this with Google Authenticator, which is how we validated the concept before developing our own secure app.

    We log into dozens of customer VSA platforms each day and mandatory MFA, while mildly inconvenient, hasn't been an issue for our support team. Our own primary VSA is private-network as well with no external access.

  • Jose, not sure what you experienced? If you DIDN'T have an enrollment in 2FA, then it would have simply prompted each user to set it up. (No more "ignore".) If you DID have 2FA already set up, then you should have been able to use the same code; nothing really changed there.

  • @chris I was locked out of 2FA after the .29 update. Had a non-2FA admin account still around, luckily. @kaseya, what's the new process??

  • Almost all of our admins were enrolled with 2FA and working.

    Post upgrade, none of us could log in. The 2FA fails verifying the code regardless of what the authenticator says.

    Then I remembered an old Admin with Master role generated for Kaseya Support that was not enrolled yet.

    With it I managed to remove all enrollments and regain access.

    It was not time sync related.

  • We had a situation when I moved our Kaseya instance and SQL to new servers in Azure. It broke the 2FA that had already been established for all users, so no one could log in. It took me a bit, but I found there is a way, editing the SQL tables directly, to reset that and require users to set up 2FA again on the next login. That let everyone log in again with their current credentials and just set up 2FA again.

  • Sorry that happened to you (and anyone else). We didn't have any issues upgrading 4 servers. 3 of them are AuthAnvil though.

  • They should make the IP whitelist feature available for non-AuthAnvil users. It is a shame you need to buy this product to get IP whitelisting to work!

  • I think you're right, Chris. But I suppose it's a big challenge for users not used to 2FA.

    Matthew Gierc

  • Hi,

    I currently have the same issue whereby all my admin accounts have been locked out of 2FA and it doesn't recognise the codes we are entering. Are you able to provide the way that you managed to disable it via SQL, please, so I can give that a try? I have been looking at it for a while now but can't seem to find the right table(s). Thanks in advance.

  • Especially if you just did an upgrade to your VSA, be sure to try another browser and/or clear all your cookies and cache. We have found that when 2FA codes are not accepted, clearing browser cookies and cache fixes the problem. Simple solution, but often overlooked... good luck.