Responding to increased attacks against MSPs, Pulseway has enhanced the two-factor authentication (2FA) technology that protects its suite of managed services solutions, and plans to make using that feature mandatory.
The new implementation, which updates functionality added at no extra cost to the Pulseway platform approximately two years ago, lets users logging into the vendor’s RMM, PSA, BDR, and other systems authenticate themselves by responding to push notifications in the Pulseway mobile app or employing one-time passwords from popular third-party apps like Google Authenticator. The original 2FA feature only supported authentication via codes sent in email.
“That’s not the easiest, most convenient, way to do it,” notes Pulseway CEO Marius Mihalec, who says enabling 2FA takes most users under a minute. “We’ve tried to make it extremely simple to setup,” he says.
Pulseway is currently in the early stages of a process that will ultimately make utilizing 2FA mandatory. At present, the system simply encourages people not already using 2FA to enable it immediately.
“We’re trying to educate them and make them aware about the risk,” Mihalec says. Starting in a few weeks, administrators will gain the ability to enforce 2FA across their user base. Pulseway itself will begin enforcing 2FA for all of its partners several weeks after that.
That policy, and the upgrades to Pulseway’s 2FA feature, come as cyberthieves are increasingly targeting RMM and PSA applications, which usually contain tempting supplies of end user credentials. The Department of Homeland Security issued a warning about that threat, in fact, last year.
“We’ve seen MSPs becoming targeted by ransomware attacks and all sorts of other attacks,” Mihalec says.
None of Pulseway’s customers has reported a breach to date, but partners of other vendors, including Kaseya, ConnectWise, and Continuum among others, have been caught up in successful attacks. ConnectWise discussed stepped-up security measures in its development process with ChannelPro in June, as did Datto.
2FA is one of several techniques Pulseway uses to safeguard its platform. The suite also impedes brute force attacks by forcing delays between logins if multiple attempts fail, and automatically issues alerts every time someone attempts to sign in from an unfamiliar location.
“Every time something changes regarding security, you’re either being prompted or challenged,” says Mihalec, who notes that detailed event logging makes auditing easier as well.
“We keep track of everything that happens and every single action,” he states, noting that even administrators can’t delete or alter Pulseway’s logs.