Disable "Keep me signed in" check box.

Is there a way to disable the "Keep me signed in" check box. Should a user loose his laptop, this is a HUGE security whole.

Find more posts tagged with

Comments

mmaus

I dont think it matters how you change the scenerio. If you can think of a situation where a stranger can easily log into another machine from a compromised machine using the "remember me" feature...then I consider this a security issue.

I think that is the best way I can summarize my issue with this feature.

DomLan

You are changing the scenario compared to what you stated at the beginning.

Your CCNA mentor would tell you not to use the option remember me; I did the same.

If the assumption is the delay between the conscience of losing the device and its real theft, even having a function that does exactly what you ask will be useless.

I probably will not be able to answer you further for this thread, I think I have provided you with my arguments. I would like to emphasize that I am not against having a function that does exactly what you ask; I'm saying, instead, that its absence is not comparable to a real security hole.

Regards

mmaus

The issues is, how much time will expire between the user realizing the device has been stolen and the user reporting it to proper management to disable the account.

The user could think they just misplaced the device, or perhaps left it at work in another safe place when in reality the device has fallen into the wrong hands.

As far as this not being considered a security hole. The an application has a login requirment...and there is a way to bypass the login requirment (as in a remember my password button)...this will always be flagged as a potential security hole for any respectable security admin.

This might seem minor, but the says has always been "Security admins have to get it right 100% of the time, the bad guys just have to get it right once."

Take this true story to heart. My CCNA instructor runs his own office supply company on the side of his technical career job. He will occassionally run delivers when his company needs. One day he was delivering some items and the company had him deliver the product and stack it next to once of the server run by this client. He noticed that the conlsole of the server was currently logged in and sitting at the admin prompt to the companies Cisco switch. He advised the staff to lock the computer so nothing would happen. They exclaimed "We arnt too worried about that. It takes a little work to shut that down". So he said "So if I were to type in erase nvram and erase startup-config real quick everything would be fine?" He said their faces when white. He then grabbed his rolling cart of printer paper and went back to his truck.
If he was someone trying to cause an issue. How long would it have taken for him to take this companies network down, with his knowledge...how many systems could he have caused damage to, how long would it take for the the staff to recover from this, and how long would it be before they realized this was all caused by an device that was already logged (or allowed auto login to another device) and was executed by the paper delivery guy?

Needless to say, when my instructor came back with the second cart load of paper, the console was locked out as it should have been in the first place.

Its this story that keeps me on my toes...again...because it only has to happen once for it to be a bad situation.

DomLan

I'm sorry, but I did not understand much of your last reply.

If your scenario is a stealed device, your first intervention should be to block the entire device and not just a partiality of its applications.

Imagine theft of a mobile phone with installed several applications with automatic access. Unable to contact all application managers; Better to intervene on the device in some way.

What I was trying to say to you to respond to your personal statement is that the absence of a feature like the one you described in your initial request can not be considered a security hole.

If you make a password change (www.teamviewer.com -> Login -> forgotten password), as described in my previous post, you will make the flag Remember me discussed here inefficient.

In any case this is just my opinion and is not absolutely a way to close the discussion. the community is just meant to discuss and happen to have different opinions.

Regards

mmaus

Since this is a fake problem: update your password and your problem is simply solved ... even if they've stolen your laptop.

I dont believe this is an issue that can be marked as solved...as it it not, the security threat is still there and needs to be addressed.

The "remember me" option in many tools is usually despised by those who care about safety issues.

Normal non-technical users are not interested in security..and for that mater some IT staff. They are more interested in convince...and convince and security do not float in the same boat. If we could trust that even a majority of users cared about safety issues, then we would not have Windows XP coming out with patches 3 years AFTER the end of its extended support date. XP would not currently be the 4th most popular version of version of Windows running on 1/3 of desktop computers still. We would not have hospitals affected by ransom-ware, etc.. If you want to make your users secure users...disable their accounts. Unfortunately that is not an option. When it comes down to it...is it easier to correct one compromised pc or correct one compromised pc and possibly every machine they have in their quick connect list? If I can disable a single button\option...I will choose to only work on the single compromised machine.

DomLan

Hi to all,

I read with great interest this thread and the various comments posted. It is certainly an interesting topic.

However, I find it difficult to focus attention on the flag in question, when in reality the main problem is accessibility to the entire operating system even before automatic access to TeamViewer.

Since this is a fake problem: update your password and your problem is simply solved ... even if they've stolen your laptop.

I do not think a simple thief, after stealing your PC, is primarily interested in gaining access to other PCs in your TeamViewer contact list. And in any case, to access it, he has to log on to your account (Windows, iOS, etc.), declaring that you've lost more than one PC.

The "remember me" option in many tools is usually despised by those who care about safety issues. As suggested by @jl, the alternative in these cases is to re-type the password at each access; to make this operation less tedious there are several tools that allow you to store this information securely, recalling as needed.

In any case, if that option is enabled, it is much more dangerous not when someone steals your laptop, but when you turn it on and connected to the network without the necessary precautions (firewall or something like that).

Regards.

Merciless

...Should a user lose not loose his laptop, this is a HUGE security HOLE....not whole.

mmaus

You are correct. This feature needs to go away or have a way for admins to disable it.

I was on the phone with support yesterday evening and have a feature request already submitted.

As stated above...im still just baffled that THIS would need to be requested in this day in age of security concerns and cyber attacks day after day.

FrankW

Hello mmaus,

I believe what you are asking for is a way to stop a user from enabling "keep signed in" in the first place, right?

If this is the case I am afraid this can not be restricted, but I would be glad to open a feature request.

mmaus

Yes the user would log back in manually, but then there is no way to stop them from setting up for it to login automatically again in the future...hence making me have to go back in and kick them out again...just for them to go back in and save the password or checking the Keep me logged in feature again...turning into just a never ending round robin game with the users.

FrankW

Hello mmaus,

You don't require to kick out the account over and over again. The lost device will not sign back in automatically, unless the password is entered manually.

Please elaborate your situation if there is a misunderstanding here.

kind regards,

Frank

mmaus

Thank you for the reply. Unfortunatly this would require me to constantly go in and kick them out and then does not provide a way to prevent them from just doing it again.

I am truely suprised this is still allowed with the issue that happened earlier this year where TeamViewer was blamed for being hacked. If I recall it turns out it was mainly due to people with poor password management and explointing security holes like this.

FrankW

Hello mmaus,

thank you for joining the TeamViewer Community!

An account with "keep me signed in" active can be kicked out. please try the following:

go to TeamViewer Management Console (https://login.teamviewer.com/LogOn) and sign in with the affected account
open profile settings (click on account name - top right corner - and select edit profile)
here you find the section "Active logins"
remove all entries, except your "current session", ( every row has an 'X' on the right side)

This will log out the account from all the devices that were removed above.

Any device or management console login that had keep signed in active will now have lost credentials and require new authentication.

I hope this Information is what you had been looking for.

Kind regards,

Frank

The keep me signed in button is optional and YES can present to be a huge security hole if the user loses his/her laptop or portable device, but is it convenient to have to sign in every single time if you are needing to do something really quick? No. My suggestion if you or the user you are talking about loses their device, login to teamviewer and disable that device. I believe there is a way to manage known devices. If I get that answer, I will reply back.

mmaus

Ugh....

...Should a user loose his laptop, this is a HUGE security HOLE....not whole.