Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
10-22-2014 01:34 AM
Hi,
While setting up a computer with fingerprint authentication+windows password, I discovered that after installing GlobalProtect I could circumvent the whole two-factor authentication by choosing to login with GlobalProtect(clicking the GP icon in the login screen of windows, instead of using the "security key"). The OS used was Windows 8.1 x64.
Don't know if you're aware of this flaw, or if this is something that can be disabled in PANOS - though I don't think there's many people out there wanting this as a functionality :smileysilly:
02-20-2016 05:25 AM
This is a Windows issue not GP. GP is using the windows authorized toolkit to allow VPN login from the main prompt. If this tool is built such that it bypasses two factor when implemented then MS will need to change the handling of the login request in Windows. There is nothing that GP can do to change this behavior.
10-22-2014 08:09 AM
Can you clarify what you mean about "clicking the GP icon in the login screen of windows". Is this an icon when you boot your Windows device?
10-23-2014 04:44 AM
It's the "sign in options" that you'll find in (at least) windows *8* and windows 2012 server - it's located below the password input. So, I can either choose the "key", which is the windows password (in this case two-factor with fingerprint), or I can choose GP, which then circumvents the whole fingerprint process, and lets me login using only the domain password, instead of domain password + fingerprint.
This could be prevented by implementing two-factor authentication on GlobalProtect - but that's not how it should be :smileysilly:
10-23-2014 04:52 AM
ok, when i read your original post i thought you were just clicking the GP icon and it passed you in without a password. we have not tried 2 factor with a fingerprint reader yet but I will be following this thread to see if a answer is provided for you.
10-23-2014 05:11 AM
Ah, sorry, I guess I could have explained it a little better.
Ok, thanks. I guess, at least it should be made possible to turn this setting on/off (remove the possibility of selecting the GP icon), and/or include the fingerprint information (or whatever two-factor authentication used) with the GP authentication, if it's even possible(?).
02-20-2016 05:25 AM
This is a Windows issue not GP. GP is using the windows authorized toolkit to allow VPN login from the main prompt. If this tool is built such that it bypasses two factor when implemented then MS will need to change the handling of the login request in Windows. There is nothing that GP can do to change this behavior.
02-22-2016 08:28 AM
I agree with @pulukas. Seem like @pasmartin should get ahold of your Enterprise TAM and get a ticket open with M$.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
