From the client application side, the perspective of a client application developer, we must unambiguously distinguish between (a) an actually invalid password, where the user entered the wrong password, and (b) some technical problem or incompatibility with the domain setup. The reason why it's essential to differentiate is that the error recovery is very different. In the first case (a), I tell the user that his password is incorrect and he needs to enter it again. In the second case (b), I either perform a little fallback code or tell the user that I cannot support his account.
If I pick the wrong case, because the error code I get is wrong as in this case, then I'll keep asking the user to re-enter the password, which is completely pointless, confusing, and can even lead him to enter other passwords, which is bad. In any case, it's a really bad end-user experience.

We are using Azure VPN client with Azure MFA, and the client requires the second factor code via SMS only when the user connects for the first time. After that, each time we click the VPN icon, the VPN client connects automatically, ignoring the MFA requirement, even if we log out the user or turn off the PC. It seems that, after the first authentication with MFA, the client becomes a “one factor authentication” access, requiring only user ID and password. If anybody obtains the Windows credentials for a user, an attacker with access to the laptop can connect remotely to the VPN using only the Windows credentials, which does not seem like a secure solution for remote access.
We would like to see a behavior more like other VPN solutions, where users have to enter the second factor every time they connect to the VPN. Thank you.
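The distinction drawn in the first post above (wrong password versus technical or domain-setup problem) is easy to get wrong in a login loop, so here is an added example of how a client can keep the two recovery paths apart. This is not code from the original posts or from any product they mention. The raw error codes (CODE_BAD_PASSWORD and friends), the backend callback and the prompt callback are hypothetical stand-ins for whatever the real directory or authentication API returns; the point is the policy: only a code that proves the password was wrong triggers a re-prompt, and anything else stops the loop.

```python
# Added example (not code from the original post): a login loop that treats
# "wrong password" and "technical / domain-setup problem" as different
# outcomes with different recovery. The raw error codes and the backend
# call are hypothetical stand-ins for whatever the real auth API returns.
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Iterable


class Outcome(Enum):
    OK = auto()
    INVALID_PASSWORD = auto()  # case (a): the user typed the wrong password
    TECHNICAL_ERROR = auto()   # case (b): config / compatibility problem


# Hypothetical raw codes from the auth backend (constructed for this example).
CODE_OK = 0
CODE_BAD_PASSWORD = 49          # "invalid credentials"
CODE_UNSUPPORTED_MECHANISM = 7  # "authentication method not supported"
CODE_SERVER_UNAVAILABLE = 81    # "cannot reach the domain"


def classify(code: int) -> Outcome:
    """Map a raw code to an outcome. Only a code that proves the password was
    wrong becomes INVALID_PASSWORD; anything else, including unknown codes,
    is treated as technical so the user is never looped on a problem that
    retyping the password cannot fix."""
    if code == CODE_OK:
        return Outcome.OK
    if code == CODE_BAD_PASSWORD:
        return Outcome.INVALID_PASSWORD
    return Outcome.TECHNICAL_ERROR


@dataclass
class LoginResult:
    outcome: Outcome
    prompts: int  # how many times the user was asked for a password
    message: str


def login(backend: Callable[[str], int], prompt: Callable[[], str],
          max_prompts: int = 3) -> LoginResult:
    """Drive the login loop.

    backend(password) -> raw code from the (hypothetical) auth API
    prompt()          -> password typed by the user
    """
    prompts = 0
    while prompts < max_prompts:
        password = prompt()
        prompts += 1
        outcome = classify(backend(password))
        if outcome is Outcome.OK:
            return LoginResult(outcome, prompts, "signed in")
        if outcome is Outcome.TECHNICAL_ERROR:
            # Case (b): asking again cannot help. Run the fallback or tell
            # the user the account is not supported; do not re-prompt.
            return LoginResult(outcome, prompts,
                               "cannot sign in to this account on this client")
        # Case (a): INVALID_PASSWORD -> ask once more.
    return LoginResult(Outcome.INVALID_PASSWORD, prompts,
                       "password rejected too many times")


def simulate(codes: Iterable[int]) -> LoginResult:
    """Run login() against a fake backend that returns `codes` in order and a
    prompt that always supplies a constructed password."""
    it = iter(codes)
    return login(backend=lambda _pw: next(it), prompt=lambda: "hunter2")


if __name__ == "__main__":
    # Correct code for a technical problem: one prompt, then stop.
    print(simulate([CODE_UNSUPPORTED_MECHANISM]))
    # The post's complaint: a technical failure surfaced as "bad password"
    # makes the client re-prompt until it gives up.
    print(simulate([CODE_BAD_PASSWORD] * 3))
```

Two design choices matter here. First, the classifier fails closed: an unknown code is treated as a technical error, not as a bad password, because re-prompting is the one recovery that is guaranteed to be wrong for anything other than a genuinely rejected password. Second, the loop is bounded, so even when the backend misreports a technical failure as a bad password (the situation the post complains about) the user is asked at most max_prompts times rather than indefinitely.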