RMM Pulseway makes two-factor authentication mandatory – and easier to use

Pulseway has made 2FA available as an option for years, but the growing trend toward phishing and other attacks on users have led them to make it mandatory. So they also completely revamped the system to make it more user-friendly.

Mobile-first remote monitoring and management [RMM] software Pulseway has announced an enhanced two-factor authentication [2FA] system to better protect their MSPs and end-user customers. The previous system was optional (but recommended –  and had about a 50 per cent adoption rate. Pulseway now believes growing threats require that it be made mandatory. But along with this they have also completely revamped the 2FA system to make it much easier to use.

“We have enhanced the two-factor authentication mechanism that we had in place pretty much from the beginning,” said Marius Mihalec, Pulseway’s founder and CEO.

The two-factor authentication complements the foundational security that is built into the platform.

“There is de factor transfer security, and we do not compromise on that, and there is also message security that is encrypted,” Mihalec said. “Those are foundational to the platform.”

While the 2FA security has been an ‘add-on’ to these core capabilities, Mihalec said that trends in the industry has made it more important.

“At some point, the human actor becomes the weakest point in security, with keyloggers and the use of trickery to steal credentials,” he said. “So we have encouraged two-factor authentication.”

Now, they will be doing more than encouraging it. While Pulseway isn’t explicitly stating that going forward, two-factor authentication will be required, in point of fact, going forward, two-factor authentication will be required,

“We had been seeing some success in the adoption of our previous two-factor method, but in light of the growing number of bad actors, the trend in RMM has been to step it up to make our RMMs more secure,” Mihalec said. “That’s on us as much as them.”

Pulseway’s original 2FA had about a 50 per cent adoption rate, but they are determined that this one will be 100 per cent.

“To get that, we had to make it more comfortable and convenient to use,” Mihalec said. “That included making it much easier to set up. That wasn’t really that complex before, but operationally, there could be some delays. For example, it could take 10 seconds more than you would like for the code to arrive. So we completely revamped that.”

Mihalec explained how the new 2FA system works

“Because we are a mobile-first RMM, our customers use our mobile app on their devices to perform certain tasks,” he said. “They get push notifications to alert them. So if someone tries to log in, we send push notifications on those devices. The user will see a brief summary of the notification and where the request came from, and will get an option to allow and approve. This takes two seconds and off you go. If the request is rejected by the user, it is denied. That’s the first step.”

The second step is a one-time passcode log-in, a TOTP [ime-based One-Time Passcode] app like Google Authenticator, Authy or 1Password.

“To enroll in this new 2FA, it takes between 10 and 20 seconds,” Mihalec said. “It takes a few seconds to copy the backup code, which can only be used once.

“What we also did is that every time a new mobile device is installed, we add the device in quarantine. So you can’t see or manage any of the endpoints until you log into the Web application, and pass a challenge there. This way if you have an older version of the app, for every new device, you will be required to pre-authorize in the Web application. Every new device will be declined access until this is done.”

All this, Mihalec stressed, is designed to make the 2FA effective, while making it quick and not clunky to use.

“We made it as simple as possible, to be very convenient for users on a day-to-day basis,” he said. “We tried it on our best customers, and got great feedback for being secure without interfering in day-to-day business.”

The new 2FA will have a slow roll-out, but at the end of that, it will no longer be optional.

“We are taking the extra security very seriously in terms of being proactive,” Mihalec said. “We will be rolling out over 2-3 weeks, so the customers have time to learn how to use it and enable it. After this slow rollout to get familiar with it, we will then be enforcing it on every single account. It’s a gradual rollout, but we will mandate it.”

Mihalec noted that some additional major news is on the way.

“We will have quite a few new additions soon, including a new service that we are working on,” he said. “We are about a month and a half from talking about it.”