This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martijn
Advisor
Advisor
‎2023-08-29 05:12 AM

Backup codes Check Point website

Hi all,

Not sure this is the right place to post this, but I am hoping someone from Check Point is reading this.

Check Point removed the option to use backup codes when logging in in the Check Point websites when MFA is enabled. It seems only Google Authenticator and SMS is supported.

We have customers with a strict security policy and it is not allowed to bring mobile phones into the building. This means I have no access to the one-time code from Google Authenticator or SMS. That's why the backup codes are very usefull to me.

By removing this option, I am unable to access Check Point resources such as licenses, SK articles and software and this will limits me when supporting these Check Point customers.

Anyone else has the same issues now? Is there a work-around?

Regards,
Martijn

15 Replies
PhoneBoy
Admin
Admin
‎2023-08-29 06:11 AM

I’ll check with the relevant team and see what the situation is.

G_W_Albrecht
Legend Legend
Legend
‎2023-08-29 06:26 AM

When MFA is enabled, you can either vote for using the MS Authenticator App or SMS. You can also skip the second step on devices you trust, such as your own computer. For me, i can  in most cases log in using UN / PW, although after a certain time span or log off, i will have to use the MS Authenticator App for MFA to log in again.

So i would suggest that in cases you will visit customers with a strict security policy, log in using MFA before the visit as that should leave you on a trusted device for some time. Of course this is not an option if you have  to use customers devices for accessing Check Point resources such as licenses, SK articles and software...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Martijn
Advisor
Advisor
‎2023-08-29 06:30 AM
In response to G_W_Albrecht

I am not allowed to bring my own laptop and working on customer's computer to access internet.
That's why those backup codes where so usefull. Don't understand why they removed this option.

Hope they will bring it back.

0 Kudos
the_rock
Legend
Legend
‎2023-08-29 06:33 AM
In response to Martijn

Maybe someone from Israel can comment. Honestly, I did not even know those backup codes existed, never heard of it.

Andy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-08-29 06:55 AM
In response to Martijn

You can add another mobile phone to CP MFA:

Registered Phones
After you sign in, a verification code will be sent to your registered phone. When registering multiple phones, you'll be asked to select the number you'd like to send the verification code to.
 
So for every customer, add a customer phone - user / pw is unknown to them...
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-29 02:09 PM

Unfortunately, this feature was removed when we changed the IdP used for UserCenter apps.
Not sure the precise reason for this, but the relevant team is now aware.
We are looking at passwordless authentication flows in the future.

In the meantime, I think you can remove and re-add your two factor and it should show you backup codes then.
I’ll have to double-check this.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-29 02:09 PM

Unfortunately, this feature was removed when we changed the IdP used for UserCenter apps.
Not sure the precise reason for this, but the relevant team is now aware.
We are looking at passwordless authentication flows in the future.

In the meantime, I think you can remove and re-add your two factor and it should show you backup codes then.
I’ll have to double-check this.

0 Kudos
Martijn
Advisor
Advisor
‎2023-08-30 03:52 AM
In response to PhoneBoy

Dameon,

Disabling and enabling MFA will not bring back the backup codes option. Just Google Authenticator and a registered mobile phone.

Martijn

Martijn
Advisor
Advisor
‎2023-08-30 03:31 AM

Hi all,

Got this from the Dutch Check Point office. Backup codes are removed for security reasons.

Backup Codes - Is no longer available.
Occasionally, customers who have enrolled in 2-Step Verification will not have access to their cell phone to receive a Verification Code.
If this happens, customers can request a backup code via Account Services by opening a SR Ticket.

For me it is not occasionally. I am onsite on a regular basis!

Not sure how I can open a SR with Account Services when I am unable to login or when Account Services is not available during the night. But we will see.

We check if re-enabling MFA will bring back the backup codes.

Regards,
Martijn

the_rock
Legend
Legend
‎2023-08-30 03:50 AM
In response to Martijn

I had something similar happen to me ages ago, not with backup codes, but something else mind you and Sales person put a note on customer's accound, so when you call, they would see pop-up show and not give you any issues opening a case.

Hopefully they can do something similar for you...

Andy

0 Kudos
Martijn
Advisor
Advisor
‎2023-08-30 04:02 AM
In response to the_rock

Andy,

Thanks for all suggestions, tips and tricks. Much appriciated.

I have asked the local Check Point office how this will work in real life. Will they generate a code which is valid for one day, or will AS generate a OTP? I login to Check Point a couple of times a day when I am onsite, so OTP is not something I am looking forward to.

Let's see what they come up with.

Martijn

the_rock
Legend
Legend
‎2023-08-30 04:04 AM
In response to Martijn

Understood. Well, as you know, no matter what company is in question, though specially when it comes to security, employees have to follow procedures, so hopefully your local CP office can accomodate good solution in this case.

I hope they find suitable option for you.

Cheers mate.

Andy

0 Kudos
Martijn
Advisor
Advisor
‎2023-09-11 02:31 AM

Hi all,

A small update from me.

It is possible to get backup codes from Account Services when you open a case with them. I got a couple of backup codes.
The bad part is, these codes are useless for the new login page because there is no option anymore to select backup codes as a different 2nd authentication step.

I have a work-around which is not working 100% unfortunately.

1. I go to the CheckMates website and sign in. This brings me to the old login page with backup codes as a different 2nd authentication step.

2. In another tab I go to support.checkpoint.com and I am signed in. I can access the knowledge base, download software and access the sales Product Catalog.

But I am unable to access User Center accounts, support cases or my profile. When I select one of those, I get redirected to the new login page and cannot continue because this page does not support the backup code.

Selected 'Don't ask for this computer again' but this did not help. 

So, the basic stuff I can do, but opening/updating cases and generating/downloading licenses when I am onsite is not possible for customers with a strict security policy about mobile phones.

Will update the case with Account Services, but hopes someone from Check Point is also reading this.

Regards,
Martijn

0 Kudos
the_rock
Legend
Legend
‎2023-09-11 04:11 AM
In response to Martijn

Wow, sounds like a catch 22 situation : - (

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-11 11:04 AM
In response to Martijn

CheckMates and the rest of UserCenter/PartnerMap are now using different IdPs (in SAML terms).
In practice, it means SSO between CheckMates and UserCenter/PartnerMap no longer works.
The new IdP does not appear to have an option for the use of Backup codes.
We are looking at passwordless methods of access, but no ETA on that. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top