|
Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc. |
|
Thread Tools |
2 Feb 2017, 04:03 PM | #1 |
Senior Member
Join Date: Feb 2010
Posts: 107
|
@RB: Are you playing with 2FA?
I just got redirected to https://runbox.com/mail when trying to log in from the main page, along with a message that my session has expired.
Plus, I now see a options page "Account --> Account Security". However, it doesn't look right. The login history on "Account --> Main Account" is gone. Any updates would be much appreciated . Best regards, gecko |
2 Feb 2017, 05:09 PM | #2 |
Cornerstone of the Community
Join Date: Nov 2008
Location: UK
Posts: 549
Representative of:
Runbox.com |
Yes, we have just deployed the latest version of the webmail. Some browsers seem to need the browser cache clearing, or a force reload of the page before they behave as expected.
If you continue to see problems please open a support ticket as it might be a specific combination of issues in your case causing problems. |
2 Feb 2017, 07:25 PM | #3 |
Senior Member
Join Date: Dec 2009
Posts: 104
|
I too am getting the new "session expired" page, asking me to log in manually.
I've been doing autologin for years. This is the first time it's failed. I did notice that the URL I was using was slightly different than what's listed today on the FAQ list in the support area; I changed it to what's current, but no luck. I have submitted a support ticket. |
2 Feb 2017, 08:23 PM | #4 |
Cornerstone of the Community
Join Date: Nov 2008
Location: UK
Posts: 549
Representative of:
Runbox.com |
We are working on the problem with auto-fill. Sorry for the inconvenience.
The logins are now shown under Account > Account Security. However, only a limited number are shown and we are going to add the option to show a specific time period. |
2 Feb 2017, 08:51 PM | #5 |
Senior Member
Join Date: Feb 2010
Posts: 107
|
Hello Dave,
Thanks for the update! After a brief look at the new features, everything looks great and seems to work as it should. One thing I noticed is that when 2FA is enabled, each login appears twice in the login history (maybe 1 line added when the password is recognised and 1 more when the correct OTP is entered?). Not wanting to cavil about the brand new 2FA functionality, so please allow me one more comment: IMHO it would make sense to secure more settings pages with the need to enter the password (and probably a new OTP token), e.g. all the pages under "Account" as well as the "Webmail preferences" page. Alternatively, one could have the one "real" password which should only be used on trusted machines, giving full access to the account vs a combination of OTP & an OTP-specific password. When logging in with OTP, no settings are available. A long time ago I was a FM customer and I faintly remember that they disabled (or at least allowed disabling) access to all options when logging in with an OTP. Don't get me wrong, these are just suggestions on how security could be improved even further. But the 2FA as it is now is a huge step forward. Thanks so much! Best regards gecko |
2 Feb 2017, 09:01 PM | #6 |
Cornerstone of the Community
Join Date: Nov 2008
Location: UK
Posts: 549
Representative of:
Runbox.com |
Hello gecko,
Very happy to receive your suggestions, and I can pass those on for you. We do want to secure more of the pages so we can definitely look at what you have said. Which of your logins are shown twice? Is it just the web logins or are any other service logins duplicated? |
2 Feb 2017, 09:19 PM | #7 |
Senior Member
Join Date: Feb 2010
Posts: 107
|
|
2 Feb 2017, 09:53 PM | #8 |
Cornerstone of the Community
Join Date: Nov 2008
Location: UK
Posts: 549
Representative of:
Runbox.com |
OK. I have just checked this out and what you are seeing is the initial login, plus the 2FA login. This is normal as it shows both parts of the authentication process.
|
3 Feb 2017, 10:58 AM | #9 |
Junior Member
Join Date: Oct 2015
Location: Vancouver Island, Canada
Posts: 19
|
Some services that implement 2FA do so in a way that makes browsers treat the 2FA code field as a password field, so auto-fill storage may kick in, and maybe you ended up saving that by mistake? Runbox's implementation suffered from this, at least initially. I didn't encounter the problem today when I logged in, though.
|
3 Feb 2017, 04:12 PM | #10 |
Senior Member
Join Date: Feb 2010
Posts: 107
|
Nope, autofill is not enabled here. If I understand Dave correctly, he confirmed my assumption that entering the correct password adds one entry to the login history and entering the correct OTP another.
|
3 Feb 2017, 05:06 PM | #11 |
Cornerstone of the Community
Join Date: Nov 2008
Location: UK
Posts: 549
Representative of:
Runbox.com |
Yes, there are effectively two steps in the authentication system.
Username/Password = "Unauthorised" but Password Correct TOTP/OTP = "Authorised" and Password Correct We are just showing both of these in the logs you see, and for a successful login both will show as "Success". |