Forum Discussion

Winter-aEvent's avatar
Winter-aEvent
New Contributor
3 years ago

Users of GotoWebinar getting immediate account locking when logging in..

I'm Founder/CTO at a service called aEvent. We help our (200+) business users increase their registrations/attendance/and results from their online events., mainly using GTW.   Long story short, so...
Problem
  • GlennD's avatar
    GlennD
    3 years ago

    Hi,
    I have been talking with some internal teams and reviewing accounts in order to get a complete picture of what is happening.

    • We protect our customers by performing a risk assessment on every login - learn more here: https://support.goto.com/meeting/help/how-do-i-verify-my-login-g2m850064 
    • Recent improvements are more sensitive to account sharing and device re-use, which are common brute-force account take-over tactics
    • For the vast majority of our customers this will have little or no impact

    For customers sharing credentials, we see two common patterns appear high risk:

    1. From a single device, frequent logins with different credentials
    2. For a single email, multiple logins from differing devices (especially involving long distances between those devices)

    In both instances, explicitly marking a device as trusted will reduce the risk and subsequent logins will not be denied. Learn more about managing trusted devices here: https://support.goto.com/meeting/help/how-do-i-manage-my-trusted-devices-g2m850096 

     

    When a login is blocked, email verification is typically required to proceed. Repeated offenses will escalate to the system assuming the account has been compromised, requiring a password reset to proceed. The challenge with marking devices as trusted is that it needs to be done after a successful login. Either the person in control of the email needs to login and mark all their colleagues devices as trusted, or everyone sharing those credentials need access to the email to successfully respond to the email verification challenge.

     

    Once a device is trusted, it should not be denied access during subsequent logins. Also, devices cannot be trusted until one successful login attempt has been made.

     

    Currently, there is no way to make an exception for certain accounts and disabling the security check would leave all customers at risk.

     

Winter-aEvent's avatar
Winter-aEvent
New Contributor

HI Glenn, Thanks for the speedy reply!   

 

We don't have multiple users signing into the same accounts from different locations, we have the same user signing into their own accounts from different locations, and sometimes from our Data Center on their assigned desktop stand-alone computer.. (although I see how this could be seen as similar in code),    

Some of our users have 10-20 employees that access their Goto accounts from different geographic locations, at the same time, different time etc.  

 

We have implemented an SOP for our userbase with trusted devices in their accounts, etc. And by us teaching our users the trusted device processes,  this hasn't become an issue until this past Thursday.   

 

I've had over 20 *and counting* users contact our support stating that they're being locked out of their accounts.  And this action is, when they try to login to their account, regardless of locale, or past trusted device status, is their accounts are immediately locked, and previous API keys invalidated, while sending them a 'Suspicious Login' email.   

 

Our standard workflow: 

User schedules webinar from our UI and we create webinar using API.  User generates traffic thru their channels, for people to register for their webinar.   They host their HTML pages, form submits to aEvent, we register the subscriber with the associated services (We're at about 40 integrations). 

 

When it comes time for their webinar, depending on the users desire and situtation, their webinar is held in a number of ways.  Some including our users accessing their Dedicated Desktop at our datacenter, to conduct their webinars, play their videos, answer the live chat questions, etc.   Some are done remotely, some done thru a number of different presenters, etc.   We open the ability for our users to conduct their needed webinars regardless of their situation * a LOT of our users, are traveling, doing Seminars, Conferences, Tradeshows, etc, etc. 

Sometimes their connection isn't decent, etc.   A big USP that we offer, is the later situation, We can offer our mutual base,  a solid connection, so they can present/conduct/monitor/moderate their webinars without the worry of the organizer disappearing and webinar dying, or everyone being available, etc. 

 

At the end of their webinar, we download the attendance data from Goto. and based upon the users setup, we help them with omni-channel messaging to maximize their desired outcome from their business/webinar efforts. 

I hope this gives you an idea.  More or less Trusted Devices no longer works, or it's priority level was reduced in authority.   Yesterday, I signed into a Goto account of ours, from my home desktop.   I then signed into that account from my home laptop.  (same connection, computer 1' apart, IP @ my home hasn't changed in 3 years)  and, account immediately locked.   

Something is weird.   Thank you for your help with this matter.  I've spent 10+ hours on the phone with your support the past 5 days, to no avail. 

 

--Winter

Founder/CTO - aEvent

 

SamRS's avatar
SamRS
Active Contributor
3 years ago

GlennD 

I spoke to support as well. We are aEvent users too (and unfortunately getting blocked)- but more than aEvent not working, we can no longer use GTW as we have for the past decade. We are a team of ~10 (USA, Hungary, Israel, Romania) with 5 GTW accounts. We login from different places. All trusted devices. And suddenly, nearly every time we log-in we get suspicious activity notice and need to reset password. I spent over an hour with support who acknowledged this is due to a new update and that many people are calling in. We did a live test on the phone- immediately getting locked out even after he approved my device. 
This is unsustainable. 

Please help.

Sam from Really Successful
Ticket # 17117758 for reference