VMware Communities
rothb
Enthusiast

Two Factor Authentication bypass through login on to "communities.vmware.com" first?

Hi all,

I've noticed that I can actively bypass the enabled 2FA Authentication of my "My VMware" Account.

When I log in on "communities.vmware.com" first, I don't get asked to provide the 2FA code. Then accessing "my.vmware.com" gets me right into my "My VMware" account, which usually asks for 2FA codes when accessed directly. I think this is an issue.

Best regards,
Bjoern

7 Replies
wila
Immortal

Something for @ericnipro to look into perchance?

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
ericnipro
Community Manager

Hi,

I will let IT know this; I suspect it's just that they haven't gotten around to enabling TFA on all the consumers of the myvmware authentication API set we consume on the community platform.

Do you know if this is still working that way?

Thanks

Eric

Community.... upload 1 .. download 10.
MadproNetwork
Contributor

I have discovered the same issue, which persists when first logging in on customerconnect.vmware.com and bypassing all 2FA prompts.

rothb
Enthusiast

Hi,

Sorry for not getting back. Completely lost focus on this topic 😉

Yes, it is still working that way. Logged in on the community forums without 2FA and can access https://customerconnect.vmware.com/dashboard, which should require 2FA.

Thanks

Bjoern

MadproNetwork
Contributor

I think it’s a little more than just Customer Connect. On one certain page on customerconnect it asks for your username and password in the page itself and doesn’t ask for 2FA. Once you are logged in on this page, ANY VMware site that requires authentication can then be accessed, including the accounts management page and products management page. Personally I would like to see this issue fixed relatively quickly, as it completely bypasses 2FA on any account.

wila
Immortal

Hi,

It doesn't look like anyone from VMware is picking up on this.
I don't work for VMware, so I can't help either; however, I can suggest what to do.

Please forward the issue to security@vmware.com and I think you will find the people down there more responsive and hopefully they know who to contact within VMware to get this addressed.

--
Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
MadproNetwork
Contributor

Just sent it off now, and hopefully it gets fixed ASAP.
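
An added illustration, not part of the thread and not VMware's code: the behaviour reported above is what results when a site accepts any live single-sign-on session without checking which factors created it. The sketch assumes the shared session records RFC 8176-style `amr` values; the function names, session fields and the 8-hour limit are hypothetical.

```python
# Added illustration (constructed model, not VMware's code): one SSO session
# shared by several sites, and the check each site should make before serving.
import time
from dataclasses import dataclass
from typing import Optional

SECOND_FACTORS = {"otp", "hwk"}  # RFC 8176 "amr" values: one-time password, hardware key
MAX_MFA_AGE = 8 * 3600           # assumed policy: second factor at most 8 hours old


@dataclass
class Session:
    user: str
    amr: set                          # methods the login page actually verified
    mfa_time: Optional[float] = None  # when a second factor was last verified


def login(user, methods, now=None):
    """Identity provider side: record the factors that were really checked."""
    now = time.time() if now is None else now
    amr = set(methods)
    return Session(user, amr, now if amr & SECOND_FACTORS else None)


def naive_gate(session):
    """Flawed site check: any live SSO session is accepted, whatever created it."""
    return "allow" if session is not None else "login"


def mfa_gate(session, now=None):
    """Hardened site check: demand a recent second factor, else force step-up."""
    now = time.time() if now is None else now
    if session is None:
        return "login"
    if session.mfa_time is None or not (session.amr & SECOND_FACTORS):
        return "step_up"
    if now - session.mfa_time > MAX_MFA_AGE:
        return "step_up"
    return "allow"


def step_up(session, method, now=None):
    """Called only after the user has passed the second-factor prompt."""
    if method not in SECOND_FACTORS:
        raise ValueError("not a second factor: " + method)
    session.amr.add(method)
    session.mfa_time = time.time() if now is None else now
    return session
```

With `mfa_gate` in front of the account pages, a session opened through a password-only entry point is sent to the second-factor prompt instead of being served.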