https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46639#M41270 <HTML><HEAD></HEAD><BODY><P>Ah, sorry, I guess I could have explained it a little better.<BR />Ok, thanks. I guess, at least it should be made possible to turn this setting on/off (remove the possibility of selecting the GP icon), and/or include the fingerprint information (or whatever two-factor authentication used) with the GP authentication, if it's even possible(?).</P></BODY></HTML> Thu, 23 Oct 2014 12:11:18 GMT pasmartin 2014-10-23T12:11:18Z https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46635#M41266 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>While setting up a computer with fingerprint authentication+windows password, I discovered that after installing GlobalProtect I could circumvent the whole two-factor authentication by choosing to login with GlobalProtect(clicking the GP icon in the login screen of windows, instead of using the "security key"). The OS used was Windows 8.1 x64.</P><P><BR />Don't know if you're aware of this flaw, or if this is something that can be disabled in PANOS - though I don't think there's many people out there wanting this as a functionality :smileysilly: </P></BODY></HTML> Wed, 22 Oct 2014 08:34:57 GMT https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46635#M41266 pasmartin 2014-10-22T08:34:57Z https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46636#M41267 <HTML><HEAD></HEAD><BODY><P>Can you clarify what you mean about "clicking the GP icon in the login screen of windows". Is this an icon when you boot your Windows device?</P></BODY></HTML> Wed, 22 Oct 2014 15:09:22 GMT https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46636#M41267 lewis 2014-10-22T15:09:22Z https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46637#M41268 <HTML><HEAD></HEAD><BODY><P>It's the "sign in options" that you'll find in (at least) windows *8* and windows 2012 server - it's located below the password input. So, I can either choose the "key", which is the windows password (in this case two-factor with fingerprint), or I can choose GP, which then circumvents the whole fingerprint process, and lets me login using only the domain password, instead of domain password + fingerprint.</P><P><BR />This could be prevented by implementing two-factor authentication on GlobalProtect - but that's not how it should be :smileysilly:</P><P></P><P></P><P><IMG alt="2014-10-23 13.27.41.jpg" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/16540_2014-10-23 13.27.41.jpg" style="height: 465px; width: 620px;" /></P></BODY></HTML> Thu, 23 Oct 2014 11:44:46 GMT https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46637#M41268 pasmartin 2014-10-23T11:44:46Z https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46638#M41269 <HTML><HEAD></HEAD><BODY><P>ok, when i read your original post i thought you were just clicking the GP icon and it passed you in without a password. we&nbsp; have not tried 2 factor with a fingerprint reader yet but I will be following this thread to see if a answer is provided for you. </P></BODY></HTML> Thu, 23 Oct 2014 11:52:53 GMT https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46638#M41269 lewis 2014-10-23T11:52:53Z https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46639#M41270 <HTML><HEAD></HEAD><BODY><P>Ah, sorry, I guess I could have explained it a little better.<BR />Ok, thanks. I guess, at least it should be made possible to turn this setting on/off (remove the possibility of selecting the GP icon), and/or include the fingerprint information (or whatever two-factor authentication used) with the GP authentication, if it's even possible(?).</P></BODY></HTML> Thu, 23 Oct 2014 12:11:18 GMT https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/46639#M41270 pasmartin 2014-10-23T12:11:18Z https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/73180#M41366 <P>This is a Windows issue not GP. &nbsp;GP is using the windows authorized toolkit to allow VPN login from the main prompt. &nbsp;If this tool is built such that it bypasses two factor when implemented then MS will need to change the handling of the login request in Windows. &nbsp;There is nothing that GP can do to change this behavior.</P> Sat, 20 Feb 2016 13:25:29 GMT https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/73180#M41366 pulukas 2016-02-20T13:25:29Z https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/73263#M41387 <P>I agree with <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9524">@pulukas</a>. &nbsp;Seem like&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/34042">@pasmartin</a>&nbsp;should get ahold of your Enterprise TAM and get a ticket open with M$.</P> Mon, 22 Feb 2016 16:28:56 GMT https://live.paloaltonetworks.com/t5/general-topics/security-flaw-with-globalprotect/m-p/73263#M41387 Brandon_Wertz 2016-02-22T16:28:56Z