Shaun11's avatar
Shaun11
New Member
10 years ago
Status:
New

Remove stored unattended credentials, prevent them being saved.

My company are currently going through a security audit and we would like to remove any stored credentials for computers in our unattend list so we cannot "auto-login" without a password. I can only find a way to update them not remove them.

Once we have removed the existing passwords we would also like to disallow the option to store the credentials if this is possible?

  • GlennD's avatar
    GlennD
    GoTo Manager
    Hi Shaun,

    Currently there isn't a way to remove them, all you can do is change the Password in Windows or have the client choose not to save them during set up. I'm going to set this as an Idea for consideration in a future update.
  • I am so surprised that this request has not been given more attention.  This is a HUGE security risk.  If a user's 2factor or computer is compromised, GTA is basically handing the bad actor access to all the customer's computers.  There is a LOT of damage that can be done in a short time.  For those users of GTA, think about what damage can be done to your company if a bad actor is able to access your GTA account.  Furthermore, GTA does not do 2 factor every time a user connects to a different computer.   This should be REQUIRED from a security standpoint.  We can no longer recommend this product until these security issues are addressed.

  • GlennD's avatar
    GlennD
    GoTo Manager

    Hi ccents, welcome to the community.

     

    This is not something that we have seen requested by our customers through the various feedback channels, in fact this Idea has received no votes from the community or any other comments. The feature itself is not a requirement, every GoToAssist customer has the option to store the credentials of their Unattended computers, or not. 

     

    In regard to our multi factor security, it applies to signing into the GoToAssist Remote Support account on the website or the Desktop Console application before you can access the devices list. We also monitor for any unusual login activity a number of different ways and will prompt the user to verify their identity again if we detect anything unusual. 

     

    With GoTo Resolve we have introduced Zero Trust Authentication which you can read more about here.