EmailDiscussions.com  


Runbox Forum Everything related to Runbox should go here: suggestions, comments, complaints, questions, technical issues, etc.

Old 2 Feb 2017, 04:03 PM   #1
gecko
Member
 
Join Date: Feb 2010
Posts: 98
@RB: Are you playing with 2FA?

I just got redirected to https://runbox.com/mail when trying to log in from the main page, along with a message that my session has expired.

Plus, I now see an options page "Account --> Account Security". However, it doesn't look right.

The login history on "Account --> Main Account" is gone.

Any updates would be much appreciated.

Best regards,
gecko

Old 2 Feb 2017, 05:09 PM   #2
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 505

Representative of:
Runbox.com
Yes, we have just deployed the latest version of the webmail. Some browsers seem to need the browser cache clearing, or a force reload of the page before they behave as expected.

If you continue to see problems please open a support ticket as it might be a specific combination of issues in your case causing problems.
Old 2 Feb 2017, 07:25 PM   #3
adam1991
Member
 
Join Date: Dec 2009
Posts: 87
I too am getting the new "session expired" page, asking me to log in manually.

I've been doing autologin for years. This is the first time it's failed.

I did notice that the URL I was using was slightly different than what's listed today on the FAQ list in the support area; I changed it to what's current, but no luck.

I have submitted a support ticket.
Old 2 Feb 2017, 08:23 PM   #4
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 505

Representative of:
Runbox.com
We are working on the problem with auto-fill. Sorry for the inconvenience.

The logins are now shown under Account > Account Security. However, only a limited number are shown and we are going to add the option to show a specific time period.
Old 2 Feb 2017, 08:51 PM   #5
gecko
Member
 
Join Date: Feb 2010
Posts: 98
Hello Dave,

Thanks for the update!

After a brief look at the new features, everything looks great and seems to work as it should.

One thing I noticed is that when 2FA is enabled, each login appears twice in the login history (maybe 1 line added when the password is recognised and 1 more when the correct OTP is entered?).

Not wanting to cavil about the brand new 2FA functionality, so please allow me one more comment: IMHO it would make sense to secure more settings pages with the need to enter the password (and probably a new OTP token), e.g. all the pages under "Account" as well as the "Webmail preferences" page. Alternatively, one could have the one "real" password which should only be used on trusted machines, giving full access to the account vs a combination of OTP & an OTP-specific password. When logging in with OTP, no settings are available.

A long time ago I was a FM customer and I faintly remember that they disabled (or at least allowed disabling) access to all options when logging in with an OTP.

Don't get me wrong, these are just suggestions on how security could be improved even further. But the 2FA as it is now is a huge step forward. Thanks so much!

Best regards
gecko
Old 2 Feb 2017, 09:01 PM   #6
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 505

Representative of:
Runbox.com
Hello gecko,

Very happy to receive your suggestions, and I can pass those on for you. We do want to secure more of the pages so we can definitely look at what you have said.

Which of your logins are shown twice? Is it just the web logins or are any other service logins duplicated?
Old 2 Feb 2017, 09:19 PM   #7
gecko
Member
 
Join Date: Feb 2010
Posts: 98
Quote:
Originally Posted by dbowdley
Which of your logins are shown twice? Is it just the web logins or are any other service logins duplicated?
So far I've only tried Web logins and they show up twice.
Old 2 Feb 2017, 09:53 PM   #8
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 505

Representative of:
Runbox.com
OK. I have just checked this out and what you are seeing is the initial login, plus the 2FA login. This is normal as it shows both parts of the authentication process.
Old 3 Feb 2017, 10:58 AM   #9
DigitalOrchard
Junior Member
 
Join Date: Oct 2015
Location: Vancouver Island, Canada
Posts: 19
Quote:
Originally Posted by gecko
So far I've only tried Web logins and they show up twice.
Some services that implement 2FA do so in a way that makes browsers treat the 2FA code field as a password field, so auto-fill storage may kick in, and maybe you ended up saving that by mistake? Runbox's implementation suffered from this, at least initially. I didn't encounter the problem today when I logged in, though.
Old 3 Feb 2017, 04:12 PM   #10
gecko
Member
 
Join Date: Feb 2010
Posts: 98
Quote:
Originally Posted by DigitalOrchard
Some services that implement 2FA do so in a way that makes browsers treat the 2FA code field as a password field, so auto-fill storage may kick in, and maybe you ended up saving that by mistake?
Nope, autofill is not enabled here. If I understand Dave correctly, he confirmed my assumption that entering the correct password adds one entry to the login history and entering the correct OTP another.
Old 3 Feb 2017, 05:06 PM   #11
dbowdley
Cornerstone of the Community
 
Join Date: Nov 2008
Location: UK
Posts: 505

Representative of:
Runbox.com
Yes, there are effectively two steps in the authentication system.

Username/Password = "Unauthorised" but Password Correct
TOTP/OTP = "Authorised" and Password Correct

We are just showing both of these in the logs you see, and for a successful login both will show as "Success".
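An added example, not part of the thread and not Runbox code: since a complete 2FA web login appears as two "Success" rows (password step, then OTP step), an unpaired web "Success" row means the password was accepted but the second factor was never completed. The row layout, the 5-minute pairing window and the sample data below are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample rows (not real Runbox data): date, time, service, source IP, result.
SAMPLE_HISTORY = """\
2017-02-02 20:40:11 web 198.51.100.7 Success
2017-02-02 20:40:29 web 198.51.100.7 Success
2017-02-03 03:12:02 web 203.0.113.50 Success
2017-02-03 09:01:45 imap 198.51.100.7 Success
2017-02-03 16:05:10 web 198.51.100.7 Success
2017-02-03 16:05:31 web 198.51.100.7 Success
2017-02-03 16:20:00 web 203.0.113.50 Failed
"""

def parse(text):
    """Parse the hypothetical whitespace-separated history format into dicts."""
    rows = []
    for line in text.strip().splitlines():
        date, clock, service, ip, result = line.split()
        rows.append({
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "service": service, "ip": ip, "result": result,
        })
    return sorted(rows, key=lambda r: r["time"])

def correlate(rows, window=timedelta(minutes=5)):
    """Pair web 'Success' rows per source IP.

    Returns (complete, password_only): complete is a list of
    (password_row, otp_row) pairs; password_only holds rows where the
    password step succeeded but no second 'Success' followed in the window.
    """
    complete, password_only = [], []
    pending = {}  # ip -> first-step row still waiting for its OTP row
    for row in rows:
        # Assumption: only web logins go through the two-step flow.
        if row["service"] != "web" or row["result"] != "Success":
            continue
        first = pending.pop(row["ip"], None)
        if first and row["time"] - first["time"] <= window:
            complete.append((first, row))
        else:
            if first:  # earlier first step expired without an OTP row
                password_only.append(first)
            pending[row["ip"]] = row
    password_only.extend(pending.values())
    return complete, sorted(password_only, key=lambda r: r["time"])
```

An account owner reviewing the history would treat any `password_only` row from an unfamiliar address as a reason to change the password, since it shows the password alone was accepted.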
All times are GMT +9. The time now is 01:58 PM.

 
