MFA bypass

Hello,

We will try to reproduce and keep you posted.

Thanks

Hello,

The issue is reproduced, we will escalate to engineering right away.

Thanks again

Thank you!

Hello Stephane,
This is not as obvious to fix as it seems. Since the session is opened, the application has already the credentials in memory. RDM does not know that the 2FA is required. Perhaps we could add a setting to disable the autofill for embedded web entries after a period of inactivity. What do you think?

Regards

Salut David,

I understand the problem... I think your workaround would be a great idea! Personally I think autofill should be good for lets say 10-15 minutes (or something we could adjust manually). On my side, the autofill is only needed right away - otherwise the person only closes and reopens the session.

Merci!

Hello,

A restriction has been added on the auto fill button so that it won't work 90 seconds after starting your entry.

This change will apply starting from the next major version of RDM.

Regards,

Thank you!

Hello,

A lot of our users prefer this security feature to be off by default so we will be adding a GPO named "DisableWebsiteCredentialAutoFillAfterDelay" and a system setting.

The system setting can be found here : "System Settings -> Security Settings -> Disable website and web browser credential auto fill after delay"

If either of these settings is activated, you will get the prompt you have asked for which will ask you to reconnect to use the auto fill feature. These settings will be available starting from RDM 2021.1.20.0

Regards,

Thank you Michael :)