Lack of Security and 2FA

Casey_F (Posts: 1)
edited March 2021 in General questions

My org has a current need to have multiple users remote into a single local account. We've provided the end-users with their own individual accounts and thought we'd be able to force them to enable 2FA, then change their permissions to disallow account changes. Easy.


Come to find out, if they use the desktop app, 2FA only triggers during the initial login, and then any time they update their passwords or manually log out (due to the "remember me"). This is ineffective and unacceptable in terms of security, defeating the true purpose of 2FA. If the onus of security is on the end-user, then it is not a good implementation of security.


There are a few settings where I was completely dumbfounded by the lack of administrative management for an app marketed to corporations and enterprises.


1) Admin cannot enforce 2FA for a user; they must do it themselves, then have the admin revoke privileges to turn it off

2) Having 2FA enabled does not require 2FA every time a remote connection is made. The browser level access does this, but the full application does not.

3) Admins do not have the ability to disable the "Remember me" feature, which would work to force a 2FA trip.

4) With all the above being said, there isn't even a way to enforce a 2FA timeout period?


I say all of this in the hopes someone will prove me wrong. TV has a terrible reputation due to the way the breach from '16 was handled, so I was astonished that these simple features aren't available in some capacity.
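To make the four points above concrete from a defender's side, here is an added model (not TeamViewer's code, and the policy knobs `require_2fa`, `allow_remember_me` and `reauth_interval` are assumptions, not real product settings) of the decision a remote-access server makes when a new connection arrives. It compares a lax policy, where 2FA only triggers at the initial login and a "remember me" token never expires, with a timed policy and a strict per-connection policy:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class AdminPolicy:
    """Hypothetical admin-side knobs (assumed; not a real product setting)."""
    require_2fa: bool                       # admin forces 2FA regardless of the user's own toggle
    allow_remember_me: bool                 # may a "remember me" device token skip the prompt?
    reauth_interval: Optional[timedelta]    # max age of the last 2FA step; None = never expires


@dataclass
class Session:
    user: str
    user_enabled_2fa: bool                  # the user's own 2FA toggle
    remember_me: bool                       # user ticked "remember me" at login
    last_2fa_at: Optional[datetime] = None  # when the second factor was last verified


def second_factor_required(session: Session, policy: AdminPolicy, now: datetime) -> bool:
    """Return True if a new remote connection must complete a fresh 2FA step."""
    if not (policy.require_2fa or session.user_enabled_2fa):
        return False                        # 2FA not in force for this user at all
    if session.last_2fa_at is None:
        return True                         # never verified in this session: always prompt
    if policy.allow_remember_me and session.remember_me:
        if policy.reauth_interval is None:
            return False                    # trust token never expires: only the initial login prompts
        return now - session.last_2fa_at >= policy.reauth_interval
    return True                             # no trust token honoured: prompt on every connection


# Constructed policies for comparison.
LAX = AdminPolicy(require_2fa=False, allow_remember_me=True, reauth_interval=None)
TIMED = AdminPolicy(require_2fa=True, allow_remember_me=True, reauth_interval=timedelta(hours=8))
STRICT = AdminPolicy(require_2fa=True, allow_remember_me=False, reauth_interval=None)

T0 = datetime(2021, 3, 1, 9, 0)             # constructed login time


def simulate(policy: AdminPolicy, user_enabled_2fa: bool = True) -> List[bool]:
    """Log in once at T0 (2FA completed if in force), then make two remote connections,
    one hour later and two days later. Returns whether each connection re-prompted."""
    session = Session(user="alice", user_enabled_2fa=user_enabled_2fa, remember_me=True)
    if policy.require_2fa or user_enabled_2fa:
        session.last_2fa_at = T0            # the initial login satisfied the second factor
    decisions = []
    for later in (T0 + timedelta(hours=1), T0 + timedelta(days=2)):
        prompt = second_factor_required(session, policy, later)
        if prompt:
            session.last_2fa_at = later     # user completes the step; the trust clock resets
        decisions.append(prompt)
    return decisions


if __name__ == "__main__":
    for name, pol in (("LAX", LAX), ("TIMED", TIMED), ("STRICT", STRICT)):
        print(name, simulate(pol), "user turned 2FA off:", simulate(pol, user_enabled_2fa=False))
```

Under `LAX` neither later connection prompts, and a user who switches their own toggle off is never prompted at all, which is exactly the gap described in points 1 to 4. `TIMED` keeps "remember me" but bounds it with a re-authentication interval, and `STRICT` ignores the device token so every connection is challenged; in both, `require_2fa` makes the admin's policy win over the user's toggle.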
