Posted by FrankNicklin
Digon

Why is Captcha still used when 2 factor authentication is enabled

Why is it necessary to have Captcha enabled when 2 factor authentication is enabled? Surely that's overkill.

6 Replies
Posted by mLipok
Heptagon

Re: Why is Captcha still used when 2 factor authentication is enabled

Are you asking, or is this any kind of IDEAS?
Please be more specific == elaborate.

 

Regards,
mLipok , AutoIt MVP


Posted by Senior Management
Senior Management

Re: Why is Captcha still used when 2 factor authentication is enabled

Hi FrankNicklin,

Thank you for your post and welcome to the Community.

I agree with you, having both – Captcha and two-factor authentication – is quite a lot of security. Yet while I see your point, I would not go so far as to call it an “overkill”. Our objective is simply to allow for the right amount of security. But more security features will almost always have an impact on the ease of use.

So let me point out why we do what we do:

What are Captchas?

Captchas – as you may know – are used on quite a few websites because they are an effective means to prevent machines (bots) from trying out passwords to get access to user accounts. To do so, Captchas generate and grade tests that bots will fail while humans can quite easily pass.

What is the Two-factor authentication?

The two-factor authentication for your TeamViewer account provides an extra layer of protection to secure your TeamViewer account against unauthorized access.

In addition to your password, a second factor (security code) is required to log on to your TeamViewer account. This will make sure that only a person who has all the necessary information (i.e. email address, password and the security code) can access an account.

Why do we use both Captcha and Two-factor authentication to access the TeamViewer Management Console and the TeamViewer Community?

To answer this question, let me quote parts of a Community reply I posted some weeks ago:

"As an IT pro, you will most probably agree that IT security requires multiple layers to work best. And that is precisely what we have done by incorporating Captchas into the process. Because even though they may be perceived as a nuisance by some of our users they are a very efficient means to thwart unauthorized, machine-based access attempts.

As you may know, we recently introduced other security features to help us prevent cases of TeamViewer account abuse: The truth of the matter is that – while irksome to some of our users – the combination of these new features delivered comprehensive results and drastically cut account abuse.

That said, we certainly acknowledge your need for more ease of use. And in fact, there is something you can do to alleviate some of the burden that comes with the trusted devices feature: Simply activate the 2 factor authentication for your TeamViewer account. This will let you bypass the trusted device process, while maintaining the same level of security. And if the Captcha gives you too much of a headache you can simply log on to the Computer & Contacts list in the TeamViewer client and access the Management Console from within the client. This way, you will not be requested to complete the Captcha dialogue."

So yes, we clearly beefed up security there, but our motivation is certainly not to bother our users. We just feel that security needs priority when it comes to accessing TeamViewer accounts.

However, we most definitely know that everything in life is about finding the right balance. That is why your feedback matters to us, so thank you for sharing your thoughts and please keep them coming.

Best regards,
Eduardo Bernal
Senior Director Customer Satisfaction and Tech Support

Posted by stuey
Henagon

Re: Why is Captcha still used when 2 factor authentication is enabled

So I don't care quite so much about the two factor part of this discussion but I do want to point out that using Captcha can actually make the login process less secure. The reason is that most security savvy people these days use SSO or a password manager. If you use one of these methods (and I recommend you do), while the browser is in that limbo state, i.e. password and username filled in but Captcha waiting to be clicked, it is possible to press F12, inspect the browser elements and view the password in clear text.

My company were hoping to use Secure Web Authentication via OKTA and authenticate our IT support folks in that way, without giving them a password they would know, so that if someone left the company we could cut their access via our normal procedures. However, because the Captcha stalls the process, the user (or another user) could discover that password. So now we have to deprovision that user in another system (TeamViewer) as well as our SSO system and a few others too. The ideal situation would be that TeamViewer did what most of the industry is now doing and provide SAML support, but while we wait for that I would love the option to disable that Captcha thingy, at least on my own browsers.

Posted by Marcus2201
Photon

Re: Why is Captcha still used when 2 factor authentication is enabled

Now using Captcha with TeamViewer, I don't use it anymore... When trying to log in, nothing is said if we right click or not. Tried 30s... did not succeed... I just leave TeamViewer right now...
The picture is not really clear...
Most websites do not use Captcha... such as Facebook, Gmail and so on... and TeamViewer decides to use that? lol
Have fun logging in now.
cu
Someone who is displeased with this authentication

 

Posted by MyCC-BrianG
Henagon

Re: Why is Captcha still used when 2 factor authentication is enabled

@Eduardo wrote:

if the Captcha gives you too much of a headache you can simply log on to the Computer & Contacts list in the TeamViewer client and access the Management Console from within the client. This way, you will not be requested to complete the Captcha dialogue.


This. Brilliant. I don't know why I didn't find this myself sooner. I searched to this thread because after restarting Chrome several times today testing some Chrome flag settings, then being asked to click the Captcha for the 4th time in a row, I was fed up and hoping for a fix.

In my browser, I logged off in the TeamViewer console. Then I opened my TeamViewer client, clicked Connection, Open Management Console. It didn't even ask me to log in or enter my 2-factor code, just opened straight to the console. Thank you @Eduardo

Posted by MyCC-BrianG
Henagon

Re: Why is Captcha still used when 2 factor authentication is enabled

The one major difference between logging in through the 2-factor and Captcha, versus popping it open via the "Open Management Console" shortcut from TeamViewer client: The login timeout. If I log in manually, I can come back throughout the day and my session seems to remain open for MUCH longer without finding I've been timed out. If I use the shortcut from the client, the timeout is very short and I am constantly having to go open it again from the shortcut. The timeout is annoying enough that I've gone back to the Captcha nonsense because at least that is a once-daily annoyance vs many times a day having to sign back in from being timed out. 

Overall, I do not like this being forced upon us without configuration. I already set up 2-Factor authentication. I already added this device as a trusted device to my account. You can certainly store a cookie in my browser noting that I checked the box to "Keep me signed in". There are already multiple ways I have asked that you remember ME on THIS browser. The Captcha on top of ALL of that is NOT welcome. The Captcha should only be presented to NON-Trusted devices, when a cookie does not yet exist, when someone has not yet checked the "Keep me signed in" box.