2FA for Bitdefender central account


I am resubmitting a request made back in 2016 for two factor authentication for Bitdefender Central logins. I have to be honest, this issue is the single greatest point of consideration I have for my upcoming subscription renewal. Copy/paste from previous forum post: 


 


 



Quote



I would like to see two factor authentication implemented for Bitdefender Central accounts.


My reason behind this request is the critical nature of how compromised account information could potentially lead to the loss of all data on every machine associated with the account via malicious use of the anti-theft feature at BDCentral.


I certainly understand the intended value of this function but it's just been nagging me lately how much of a ticking time bomb it could be given the fact that data breaches are a constant threat.


Maybe Bitdefender could partner with Google's widely used authentication network, develop a way to protect the data wipe function behind another type of elevated permission, or even offer a way to disable the feature altogether.


Given the fact that BDCentral usage is now mandatory with 2016 products I'd really appreciate the consideration.


Thanks.



 

Comments


  • Hi,


    We currently have this feature planned for implementation but I cannot currently share an official release timeframe.


    Thanks for your feedback!



  • 11 hours ago, Stefan I. said:



    Hi,


    We currently have this feature planned for implementation but I cannot currently share an official release timeframe.


    Thanks for your feedback!



    @Stefan I. Great to hear. I hope the dev team is looking at FIDO U2F. When I made my original feature request for 2FA back in 2016 the vulnerabilities in SS7 (SMS) didn't come off as too troubling and there hadn't yet been any major app based 2FA breaches. Well now it's 2018 and the new standard in 2FA/MFA looks to be in U2F keys. But any 2FA is better than no 2FA.


  • +1, absolutely agree here.  It would be great to have a rough idea of the timeframe for 2FA.


    I just bought Bitdefender Total Security 2019, after using an ISP-provided Norton Internet Security for years (which has 2FA via their app).  I was really surprised how much Bitdefender allows doing remotely, especially all the anti-theft features.  But without 2FA, a simple password compromise would allow someone to stalk me, lock me out, and wipe my computers.   Startup Optimizer and Parental Controls could cause their own fun too.


    Until 2FA is supported I will only use Macs on my account (doesn't support these features), will use the free Bitdefender for my Windows PCs, and may consider going back to Norton (gasp) if the free Bitdefender doesn't cut it.  This is just the reality of the astonishing damage that could be done.  I'd actually prefer to turn off central management of all remote features if I could, and just use it for managing licenses.


    As another thread pointed out, it is ironic that forum accounts require 2FA but Bitdefender Central doesn't.  The forum's 2FA with Google Auth is just what I'm looking for btw (I use Authy).  Bitdefender Central features mentioned by others that would also be useful:


    • list of recently past login attempts

    • notifications on suspicious login activities

    • session cookies should expire, and be forced expired on password change


    Thanks.



  • On 1/29/2019 at 2:48 AM, Alan R said:



    +1, absolutely agree here.  It would be great to have a rough idea of the timeframe for 2FA.


    I just bought Bitdefender Total Security 2019, after using an ISP-provided Norton Internet Security for years (which has 2FA via their app).  I was really surprised how much Bitdefender allows doing remotely, especially all the anti-theft features.  But without 2FA, a simple password compromise would allow someone to stalk me, lock me out, and wipe my computers.   Startup Optimizer and Parental Controls could cause their own fun too.


    Until 2FA is supported I will only use Macs on my account (doesn't support these features), will use the free Bitdefender for my Windows PCs, and may consider going back to Norton (gasp) if the free Bitdefender doesn't cut it.  This is just the reality of the astonishing damage that could be done.  I'd actually prefer to turn off central management of all remote features if I could, and just use it for managing licenses.


    As another thread pointed out, it is ironic that forum accounts require 2FA but Bitdefender Central doesn't.  The forum's 2FA with Google Auth is just what I'm looking for btw (I use Authy).  Bitdefender Central features mentioned by others that would also be useful:


    • list of recently past login attempts

    • notifications on suspicious login activities

    • session cookies should expire, and be forced expired on password change


    Thanks.



    I would like to see two-factor authorization added to Bitdefender for Netgear Armor as well.  Bitdefender for Netgear Armor has the same problem that if the Netgear password was compromised, a hacker could lock me out of all my devices or worse.



  • On 10/4/2018 at 11:24 AM, Stefan I. said:



    Hi,


    We currently have this feature planned for implementation but I cannot currently share an official release timeframe.


    Thanks for your feedback!



    Hi Stefan, it's been about a year since you replied to this post with. Can you share any update on the efforts to bring multi-factor authentication to BitDefender Central? Thanks.


  • Is 2FA, whether TOTP or FIDO/U2F, going to roll out for Bitdefender central? That is by far a more important account to secure, yet this forum has 2FA support before the central management website.


  • +1


     


  • +1


    Would like to see this extra security layer for my Central Account.

  • subham
    subham ✭✭✭


    1. 2FA is not crucial according to my opinion. There is no financial data stored within Central account that 2FA is crucial for safety. If Central account is hijacked one could easily reset the password with reset password link sent to the email ID. By login to Central account one can not reduce the validity of your remaining subscription or can read your inserted license key. If one email ID account and central account both get hacked or lost then only problem may occur.


    2. 2FA will make the login more laborious process. Especially who has several devices and has to login repeatedly.


    3. If 2FA is implemented don't force all your customers to accept 2FA. Rather ask for if one user want to opt for 2FA or not. Some like may be happy to live without 2FA.


    4. From my experience on Amazon is severely suffering after activating 2FA, their webpage ask for OTP but OTP delivered after 20-30 minutes later depends on high traffic or peak sell days. So OTP gets expired. Hence lots more OTP is requested by the same user within same hour making the Amazon OTP server to react more slower hour after hour.



  • 2 hours ago, subham said:



    1. 2FA is not crucial according to my opinion. There is no financial data stored within Central account that 2FA is crucial for safety. If Central account is hijacked one could easily reset the password with reset password link sent to the email ID. By login to Central account one can not reduce the validity of your remaining subscription or can read your inserted license key. If one email ID account and central account both get hacked or lost then only problem may occur.


    2. 2FA will make the login more laborious process. Especially who has several devices and has to login repeatedly.


    3. If 2FA is implemented don't force all your customers to accept 2FA. Rather ask for if one user want to opt for 2FA or not. Some like may be happy to live without 2FA.


    4. From my experience on Amazon is severely suffering after activating 2FA, their webpage ask for OTP but OTP delivered after 20-30 minutes later depends on high traffic or peak sell days. So OTP gets expired. Hence lots more OTP is requested by the same user within same hour making the Amazon OTP server to react more slower hour after hour.



    Main problem with a hacked account is you can use Central to "track lost device" or perform a remote wipe. Whilst a long randomly generated password has a slim chance of being guessed correctly it is better to have a second line of defence. 


    As with Amazon you won't have that problem if you choose to use an app/hardware key to generate the codes.

  • subham
    subham ✭✭✭


    Ghost_Recon131 has replied with good reasoning and solution.


    "App/hardware key to generate the code" for 2FA is a good option, but BitDefender should consider making such app.


    Generally by websites 2FA introduced only depending on web and SMS server based OTP delivery. Our conversation should be considered before implementing 2FA on Central account.


  • @subham I don't understand where the problem is.


    If you don't want to use it, just do not activate it.


    It should not be a must for everyone.


  • +1  ….when a protection company offers less protection than games...:ph34r: 's come out of the shadows


    when a protection company fails to implement an existing technology for years... :angry: customers wonder what the heck is this company doing???


    please don't be so late to use security features in the future? also why is it taking you guys soooo long to implement it? 


  • +1


    At least TOTP and YubiKey


  • So 2FA for Central is live.


    When did they release this feature?



  • 3 hours ago, Sinus said:



    Too bad we didn't get a text message authentication option, like all the other services (Facebook, Ebay, Google, PayPal,...) have to offer. Nevertheless, I guess this is ok (for now). The Central account lacked a 2FA of any kind for a long time.



    It's actually better to not offer verification code via text message due to increasing number of sim swapping attacks.