• Luke Williams
    Hello, I'd like to say first that we quite like Cloudberry, despite some of the issues we run into. Overall it's a very flexible backup system, and I've watched it become noticeably better over the years that we've been using it and providing feedback on it. That being said, while it's good that the MBS offers some kind of 2FA, it could really use a couple of improvements.

    1. Device trust - It's a real pain to re-enter a 6 digit code every day, and every hour when my session times out. And when 2FA/MFA is a pain like this, people tend to not use it. If you add capability to trust or remember a device that's used often, that would be of great benefit. Even just having an option to trust the device for 30 days would be great.

    2. Allow admins to force 2FA on other accounts - Currently we have to ask our employees to set up their own 2FA, and then trust that they've done it. It would be much better if a super admin can just enable / disable it on other user accounts.

    Let me know what you think.
  • David Gugick
    I could add a customer request to discuss the possibility of providing an admin-defined timeout period for connections to the console to avoid having the console time out too quickly. Would that help if we're able to add such a feature?

    Regarding 2FA, though, we'll have to discuss what options we might have. I do have concerns about extending approval times (30 days in your example) as it does provide an additional attack vector; something the 2FA is designed to minimize. What we may be able to do is look into supporting Security Keys, which are available and work over Bluetooth and / or USB. That way, you can use the hardware security key as a means to avoid having to type in the 2FA authentication code each time.

    Regarding your comments about enabling 2FA for admin accounts, I agree. It would be nice to be able to control this from the master admin account, enable it for any sub-admins when they are created, and disallow changes to 2FA on those accounts when logged in as a sub-admin (unless they are specifically assigned administrator control).

    I'll go ahead and discuss this with the team.

    Thanks for your feedback.
  • Luke Williams
    That would be great if you can add a customer request for changing the timeout period.

    As far as remembering / trusting devices goes, many others do this ... I understand that it's not as simple as leaving a cookie on a device to trust it, but there are many ways to do it that are effective enough for other companies to use. Take Teamviewer for example. Even if you don't use their 2FA, they still make you do captchas, add devices to a trusted list, and watch things like what IP you log in from. If you use some kind of fingerprint of the device, combined with the IP address it's coming from, that should be pretty solid, should it not? The other thing to consider here is the adoption factor. Any 2FA is better than none at all, so while device trust may be somewhat of a compromise for 2FA effectiveness, if adding it makes more people use it, then isn't it overall still a good thing?
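    As an added illustration (not the forum's or MSP360's code) of the remembered-device scheme sketched above: a server-signed trust token bound to a hash of the browser identity and source IP, with a 30-day expiry and a server-side revocation list so an admin can drop a device. The server key, user names and addresses are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Placeholder server secret for this example; a deployment would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TRUST_TTL = 30 * 24 * 3600          # the 30-day trust window discussed in the thread
REVOKED_IDS: set[str] = set()       # server-side list so an admin can revoke a trusted device

def _fingerprint(user_agent: str, ip: str) -> str:
    """Bind the token to the browser and source IP; a change in either forces a fresh 2FA code."""
    return hashlib.sha256(f"{user_agent}|{ip}".encode()).hexdigest()

def _sign(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_trust_token(user: str, user_agent: str, ip: str, now: int) -> str:
    """Issued once, right after the user has entered a valid 2FA code."""
    payload = {"u": user, "fp": _fingerprint(user_agent, ip),
               "exp": now + TRUST_TTL, "id": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return f"{body}.{_sign(body)}"

def revoke_trust_token(token: str) -> None:
    """Admin action: the device must present a 2FA code again on its next login."""
    body = token.split(".")[0]
    REVOKED_IDS.add(json.loads(base64.urlsafe_b64decode(body))["id"])

def verify_trust_token(token: str, user: str, user_agent: str, ip: str, now: int) -> bool:
    """True only if the second-factor prompt may be skipped for this login attempt."""
    try:
        body, tag = token.split(".")
        if not hmac.compare_digest(tag, _sign(body)):
            return False                      # forged or tampered token
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError):
        return False
    if payload.get("u") != user or payload.get("id") in REVOKED_IDS:
        return False
    if now > payload.get("exp", 0):
        return False                          # 30-day trust window has expired
    return hmac.compare_digest(payload.get("fp", ""), _fingerprint(user_agent, ip))
```

    The trade-off David raises still applies: anyone who obtains the token and can present the same browser identity from the same address skips the second factor for the rest of the window, which is why the expiry and revocation list are the controls that bound the exposure.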
  • Sean
    Yes, as Luke said at the very least change the timeout period. I'd be happy even with several hours. I recently re-enabled 2-factor after disabling it a while back because I couldn't handle how short the timeout period was paired with the msp dashboard responsiveness. It's not as bad now so I can live with it, but I agree with Luke and his suggestions.
  • David Gugick
    All suggestions have been submitted to the team for review. Should changes be scheduled, I'll go ahead and post something here. In the meantime, thank you for the great suggestions and feedback.
  • Melissa-92
    Hi, just wanted to check if enforcing 2FA for sub-admins is on the roadmap for implementation any time soon, or at least still on the team's radar?

    I create accounts for the Managed Backup Portal at our org, but I'm only a sub-admin myself--so might not have noticed if this was added for super admin.

    Thank you!
  • David Gugick
    That feature is there, sans enforcement. Go to Administrators logged in with the account you want to change, click on the sub-admin account and enable 2FA. My guess is the confusion happened because you can’t change a different account other than the one you’re logged in as. That’s because the 2FA requires access to a mobile device, so we leave it to the sub admin to enable 2FA on their account. On the other hand, if you were already aware of that and you’re just asking about the ability for the master account to enforce 2FA on sub-admin accounts, then I’ll have to check with the team to see if that’s on the roadmap.
  • Melissa-92
    I was asking about the latter, master account enforcing 2FA on sub-admin accounts (or a role for some sub-admin accounts to do so for others)--sorry about the vague phrasing.

    I can definitely understand the rationale, since we see extra volume of support requests any time 2FA is enabled without an experienced tech closely coordinating with the account holder. But in our situation, where everyone who would be accessing our portal as a sub-admin should be at minimum tier 1 service desk staff, and all of those accounts have administrative access on multiple levels for multiple tenants, and the time gap between account creation and introductory training dates for each system can vary depending on overall team capacity--it would bring significant peace of mind to be able to enforce 2FA.
Welcome to MSP360 (CloudBerry) Forum!