Continuous retry causing password lock-out
Posted: Fri Aug 05, 2022 4:03 am
At work we're using Viscosity (we have a 70-seat license) to access a corporate VPN which uses some kind of Azure VPN "server", with the user authentication tied to the corporate "Azure AD". The "Azure AD" requires everybody to reset their passwords every 90 days, and _without fail_, after each user resets their password, the first time they try to use Viscosity to connect, their account ends up being locked for "excessive login attempts". The front-line support guys are able to do password resets, but they don't know anything about Viscosity (they're on the corporate side, but this VPN is limited to R&D people - they manage the user accounts and passwords but we manage the VPN "server" itself.)
I don't normally have to deal with this, I have a hardware device on my desk which maintains its own VPN connection to the R&D network and just connect my workstation to that.
Turns out I had to reset my own password earlier today, after having to help a user with this. Out of curiosity, I wanted to see if maybe the problem was with the user rather than with the VPN, so after changing my password I grabbed a laptop and tried to connect to the R&D VPN using Viscosity, using the same process we tell other users without the hardware VPN devices to do.
- When Viscosity tried to connect, it failed - but rather than telling the user there was a problem, Viscosity just tried over and over. The log doesn't show any kind of "authentication failed" message, it just showed that the remote end just plain hung up without responding each time.
- NOTHING in the app told me that there was any problem, until after about 45 seconds, when it occurred to me that it doesn't usually take this long, and that's when I happened to notice it flipping between "Connecting" and "Authenticating" over and over again on the menu bar pull-down menu.
- From what I can tell, Viscosity had been trying over and over, 2-3 times per second, for a little over a minute. The corporate AD locked my account after ten attempts.
Suggestions:
- If a connection attempt gets "hung up on", DON'T KEEP TRYING OVER AND OVER ... at least not without asking the user first. Maybe this can be configurable as well - some connections may not lock their account out for multiple retries, so doing this may not cause problems, I don't know ... but if it doesn't connect, the user should be notified.
- In the Viscosity "Preferences" window's list of connections, add a way to change or "forget" a connection's username or password. This could be as simple as a "forget password" item on the right-click menu, or a button in the connection's Properties dialog's "Authentication" tab, or whatever - but forcing users to dig into "Keychain Access" because they need to update a stored password is ridiculous.
- As an alternative, give the users a way to EASILY correlate the VPN connection profiles in the app, against the "connection numbers" used in the Keychain entries. This could be as simple as adding an "ID" column to the list of connections, adding something like "(8)" at the end of each connection's name, or adding a label with the number on the connection's Properties page "General" tab.
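An added illustration of the first suggestion, not part of the original post and not Viscosity's code: a client-side retry guard that caps automatic reconnects below the directory's lockout threshold (ten attempts, per the post), backs off between tries, and then stops and notifies the user. `RetryGuard`, its parameters, and the margin and delay values are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class RetryGuard:
    """Stops automatic reconnects before a server-side lockout is reached."""
    lockout_threshold: int = 10   # from the post: locked after ten attempts
    safety_margin: int = 7        # assumption: attempts left for the user
    base_delay: float = 2.0       # assumption: seconds before first retry
    max_delay: float = 60.0       # assumption: cap on the backoff delay
    attempts: int = 0
    delays: List[float] = field(default_factory=list)

    @property
    def budget(self) -> int:
        # Automatic attempts allowed with the stored credentials.
        return max(1, self.lockout_threshold - self.safety_margin)

    def run(self,
            connect: Callable[[], bool],
            sleep: Callable[[float], None],
            notify: Callable[[str], None]) -> bool:
        """Try to connect; return True on success, False once the budget is spent.

        connect() returns False when the remote end hangs up without a
        response, the symptom described in the post. Every such attempt
        may count against the account, so each one is charged to the budget.
        """
        while self.attempts < self.budget:
            self.attempts += 1
            if connect():
                return True
            if self.attempts < self.budget:
                # Exponential backoff instead of 2-3 retries per second.
                delay = min(self.max_delay,
                            self.base_delay * 2 ** (self.attempts - 1))
                self.delays.append(delay)
                sleep(delay)
        # Surface the failure instead of looping silently.
        notify(f"Connection dropped {self.attempts} times with no response; "
               "the stored password may be out of date. "
               "Automatic retries stopped.")
        return False
```

With the defaults the guard spends three of the ten attempts, leaving the rest for the user to retry by hand after updating the stored password.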