Re: Backup codes Check Point website

Martijn · ‎2023-08-29

Hi all,

Not sure this is the right place to post this, but I am hoping someone from Check Point is reading this.

Check Point removed the option to use backup codes when logging in in the Check Point websites when MFA is enabled. It seems only Google Authenticator and SMS is supported.

We have customers with a strict security policy and it is not allowed to bring mobile phones into the building. This means I have no access to the one-time code from Google Authenticator or SMS. That's why the backup codes are very usefull to me.

By removing this option, I am unable to access Check Point resources such as licenses, SK articles and software and this will limits me when supporting these Check Point customers.

Anyone else has the same issues now? Is there a work-around?

Regards,
Martijn

PhoneBoy · ‎2023-08-29

I’ll check with the relevant team and see what the situation is.

G_W_Albrecht · ‎2023-08-29

When MFA is enabled, you can either vote for using the MS Authenticator App or SMS. You can also skip the second step on devices you trust, such as your own computer. For me, i can in most cases log in using UN / PW, although after a certain time span or log off, i will have to use the MS Authenticator App for MFA to log in again.

So i would suggest that in cases you will visit customers with a strict security policy, log in using MFA before the visit as that should leave you on a trusted device for some time. Of course this is not an option if you have to use customers devices for accessing Check Point resources such as licenses, SK articles and software...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Martijn · ‎2023-08-29

I am not allowed to bring my own laptop and working on customer's computer to access internet.
That's why those backup codes where so usefull. Don't understand why they removed this option.

Hope they will bring it back.

the_rock · ‎2023-08-29

Maybe someone from Israel can comment. Honestly, I did not even know those backup codes existed, never heard of it.

Andy

G_W_Albrecht · ‎2023-08-29

You can add another mobile phone to CP MFA:

Registered Phones

After you sign in, a verification code will be sent to your registered phone. When registering multiple phones, you'll be asked to select the number you'd like to send the verification code to.

So for every customer, add a customer phone - user / pw is unknown to them...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy · ‎2023-08-29

Unfortunately, this feature was removed when we changed the IdP used for UserCenter apps.
Not sure the precise reason for this, but the relevant team is now aware.
We are looking at passwordless authentication flows in the future.

In the meantime, I think you can remove and re-add your two factor and it should show you backup codes then.
I’ll have to double-check this.

PhoneBoy · ‎2023-08-29

Unfortunately, this feature was removed when we changed the IdP used for UserCenter apps.
Not sure the precise reason for this, but the relevant team is now aware.
We are looking at passwordless authentication flows in the future.

In the meantime, I think you can remove and re-add your two factor and it should show you backup codes then.
I’ll have to double-check this.

Martijn · ‎2023-08-30

Dameon,

Disabling and enabling MFA will not bring back the backup codes option. Just Google Authenticator and a registered mobile phone.

Martijn

Martijn · ‎2023-08-30

Hi all,

Got this from the Dutch Check Point office. Backup codes are removed for security reasons.

Backup Codes - Is no longer available.
Occasionally, customers who have enrolled in 2-Step Verification will not have access to their cell phone to receive a Verification Code.
If this happens, customers can request a backup code via Account Services by opening a SR Ticket.

For me it is not occasionally. I am onsite on a regular basis!

Not sure how I can open a SR with Account Services when I am unable to login or when Account Services is not available during the night. But we will see.

We check if re-enabling MFA will bring back the backup codes.

Regards,
Martijn

the_rock · ‎2023-08-30

I had something similar happen to me ages ago, not with backup codes, but something else mind you and Sales person put a note on customer's accound, so when you call, they would see pop-up show and not give you any issues opening a case.

Hopefully they can do something similar for you...

Andy

Martijn · ‎2023-08-30

Andy,

Thanks for all suggestions, tips and tricks. Much appriciated.

I have asked the local Check Point office how this will work in real life. Will they generate a code which is valid for one day, or will AS generate a OTP? I login to Check Point a couple of times a day when I am onsite, so OTP is not something I am looking forward to.

Let's see what they come up with.

Martijn

the_rock · ‎2023-08-30

Understood. Well, as you know, no matter what company is in question, though specially when it comes to security, employees have to follow procedures, so hopefully your local CP office can accomodate good solution in this case.

I hope they find suitable option for you.

Cheers mate.

Andy

Martijn · ‎2023-09-11

Hi all,

A small update from me.

It is possible to get backup codes from Account Services when you open a case with them. I got a couple of backup codes.
The bad part is, these codes are useless for the new login page because there is no option anymore to select backup codes as a different 2nd authentication step.

I have a work-around which is not working 100% unfortunately.

1. I go to the CheckMates website and sign in. This brings me to the old login page with backup codes as a different 2nd authentication step.

2. In another tab I go to support.checkpoint.com and I am signed in. I can access the knowledge base, download software and access the sales Product Catalog.

But I am unable to access User Center accounts, support cases or my profile. When I select one of those, I get redirected to the new login page and cannot continue because this page does not support the backup code.

Selected 'Don't ask for this computer again' but this did not help.

So, the basic stuff I can do, but opening/updating cases and generating/downloading licenses when I am onsite is not possible for customers with a strict security policy about mobile phones.

Will update the case with Account Services, but hopes someone from Check Point is also reading this.

Regards,
Martijn

the_rock · ‎2023-09-11

Wow, sounds like a catch 22 situation : - (

PhoneBoy · ‎2023-09-11

CheckMates and the rest of UserCenter/PartnerMap are now using different IdPs (in SAML terms).
In practice, it means SSO between CheckMates and UserCenter/PartnerMap no longer works.
The new IdP does not appear to have an option for the use of Backup codes.
We are looking at passwordless methods of access, but no ETA on that.

Are you a member of CheckMates?

Backup codes Check Point website