Forum Discussion

Winter-aEvent
New Contributor
3 years ago

Users of GoToWebinar getting immediate account locking when logging in.

I'm Founder/CTO at a service called aEvent. We help our (200+) business users increase their registrations, attendance, and results from their online events, mainly using GTW.

Long story short, some new GTW changes that were implemented on Thursday night have prevented our users' webinars from running.

I've been with support since Thursday but have had no luck, and in the meantime our users are all out of business.

Support says our IPs are all blocked because they appear to be from a VPN. I explained to them that this is our in-house data center and our mutual users logging into their accounts to host their webinars, answer questions, etc.

 

They don't have a solution for me or my dozens of users and are slowly, slowly escalating me.

Anyone have any suggestions for a solution to this issue? Or for reaching someone on the tech support team that would be able to assist?

Thank you for your help!

Winter

  • GlennD
    3 years ago

    Hi,
    I have been talking with some internal teams and reviewing accounts in order to get a complete picture of what is happening.

    • We protect our customers by performing a risk assessment on every login - learn more here: https://support.goto.com/meeting/help/how-do-i-verify-my-login-g2m850064
    • Recent improvements are more sensitive to account sharing and device re-use, which are common brute-force account take-over tactics
    • For the vast majority of our customers this will have little or no impact

    For customers sharing credentials, we see two common patterns appear high risk:

    1. From a single device, frequent logins with different credentials
    2. For a single email, multiple logins from differing devices (especially involving long distances between those devices)

    In both instances, explicitly marking a device as trusted will reduce the risk and subsequent logins will not be denied. Learn more about managing trusted devices here: https://support.goto.com/meeting/help/how-do-i-manage-my-trusted-devices-g2m850096

    When a login is blocked, email verification is typically required to proceed. Repeated offenses will escalate to the system assuming the account has been compromised, requiring a password reset to proceed. The challenge with marking devices as trusted is that it needs to be done after a successful login. Either the person in control of the email needs to log in and mark all their colleagues' devices as trusted, or everyone sharing those credentials needs access to the email to successfully respond to the email verification challenge.

    Once a device is trusted, it should not be denied access during subsequent logins. Also, devices cannot be trusted until one successful login attempt has been made.

    Currently, there is no way to make an exception for certain accounts and disabling the security check would leave all customers at risk.
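The two high-risk patterns, the trusted-device exemption and the verify-then-reset escalation described in the reply above, written out as a small risk engine run over constructed login events. This is an added example and not GoTo's code or the page's own: the `Login`/`RiskEngine` names, the one-hour window, the per-device and per-email thresholds, the 1000 km "long distance" cut-off and the sample coordinates are all assumptions made for illustration.

```python
"""Toy per-login risk assessment modelled on the two high-risk patterns in the
reply above. Added example, not GoTo's code: the event fields, thresholds,
distance cut-off and sample logins are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    ts: int           # seconds since epoch (constructed sample values)
    email: str
    device_id: str
    lat: float
    lon: float


WINDOW_S = 3600            # look-back window (assumption)
MAX_CREDS_PER_DEVICE = 3   # pattern 1: distinct credentials per device (assumption)
MAX_DEVICES_PER_EMAIL = 2  # pattern 2: distinct devices per email (assumption)
FAR_KM = 1000.0            # pattern 2: "long distance" between devices (assumption)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class RiskEngine:
    def __init__(self):
        self.history = []                   # every login attempt seen
        self.trusted = defaultdict(set)     # email -> trusted device ids
        self.successful = defaultdict(set)  # email -> devices with a completed login
        self.strikes = defaultdict(int)     # email -> blocked logins so far

    def _recent(self, now):
        return [e for e in self.history if now - e.ts <= WINDOW_S]

    def assess(self, login):
        """Return 'allow', 'email_verification' or 'password_reset'."""
        self.history.append(login)
        if login.device_id in self.trusted[login.email]:
            self.successful[login.email].add(login.device_id)
            return "allow"                  # trusted devices skip the checks
        recent = self._recent(login.ts)
        # Pattern 1: one device cycling through many different credentials.
        creds_on_device = {e.email for e in recent if e.device_id == login.device_id}
        # Pattern 2: one email used from many devices, or from devices far apart.
        same_email = [e for e in recent if e.email == login.email]
        devices_for_email = {e.device_id for e in same_email}
        far_apart = any(
            e.device_id != login.device_id
            and haversine_km(e.lat, e.lon, login.lat, login.lon) > FAR_KM
            for e in same_email
        )
        risky = (len(creds_on_device) > MAX_CREDS_PER_DEVICE
                 or len(devices_for_email) > MAX_DEVICES_PER_EMAIL
                 or far_apart)
        if not risky:
            self.successful[login.email].add(login.device_id)
            return "allow"
        # First block challenges via email; repeats are treated as a possible
        # account compromise and force a password reset.
        self.strikes[login.email] += 1
        return "email_verification" if self.strikes[login.email] == 1 else "password_reset"

    def complete_verification(self, email, device_id):
        """The email challenge was answered: the session now counts as a successful login."""
        self.successful[email].add(device_id)

    def trust_device(self, email, device_id):
        """Trust can only be granted from inside a successful session, so a device
        that has never completed a login cannot be trusted. Returns True on success."""
        if device_id not in self.successful[email]:
            return False
        self.trusted[email].add(device_id)
        return True


NYC = (40.7128, -74.0060)        # constructed coordinates
BUDAPEST = (47.4979, 19.0402)


def shared_account_scenario():
    """One email used from New York and then Budapest within the window (pattern 2)."""
    eng = RiskEngine()
    out = [eng.assess(Login(0, "alice@example.com", "dev-nyc", *NYC)),
           eng.assess(Login(600, "alice@example.com", "dev-bud", *BUDAPEST)),
           eng.assess(Login(700, "alice@example.com", "dev-bud", *BUDAPEST))]
    # Trusting the Budapest device fails until it has completed a login.
    out.append(eng.trust_device("alice@example.com", "dev-bud"))
    eng.complete_verification("alice@example.com", "dev-bud")
    out.append(eng.trust_device("alice@example.com", "dev-bud"))
    out.append(eng.assess(Login(800, "alice@example.com", "dev-bud", *BUDAPEST)))
    return out   # ['allow', 'email_verification', 'password_reset', False, True, 'allow']


def shared_device_scenario():
    """One device logging in with four different credentials in a row (pattern 1)."""
    eng = RiskEngine()
    return [eng.assess(Login(1000 + 10 * i, f"user{i}@example.com", "dev-shared", *NYC))
            for i in range(4)]   # ['allow', 'allow', 'allow', 'email_verification']


if __name__ == "__main__":
    print(shared_account_scenario())
    print(shared_device_scenario())
```

The `shared_account_scenario` walk-through is the point of the reply: the second device is blocked because the two recent logins for the same email are far apart, the retry escalates to a password reset, and `trust_device` refuses until that device has completed a login (here by answering the email challenge), after which the same device is allowed without further checks.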

     

  • SamRS
    Active Contributor

    Since the weekend, we keep getting blocked out of our 5 GoToWebinar accounts and need to reset password. Support says it's because we are logging in from too many IPs/devices. We are a team of 10 around the world who have been using GTW for a decade. But now this issue keeps repeating, making our account unusable.

    What to do?

  • GlennD
    GoTo Manager

    Hi Winter,

    Our account security system monitors for any strange behavior on an account and unfortunately, the way that you are using GoToWebinar looks very much like botnet behavior. Having multiple users signing in from different locations to the same accounts looks suspicious and results in the system challenging the sign-in until the new device/location is marked as trusted in the account settings. Also, one of the sign-in locations is a data center, so that also raises a flag.

    Would you be able to provide some more details about how exactly you work with these businesses? What is the typical workflow?

    Regards,

    Glenn

    • Winter-aEvent
      New Contributor

      Hi Glenn, thanks for the speedy reply!

      We don't have multiple users signing into the same accounts from different locations; we have the same user signing into their own accounts from different locations, and sometimes from our data center on their assigned desktop stand-alone computer (although I see how this could be seen as similar in code).

      Some of our users have 10-20 employees that access their GoTo accounts from different geographic locations, at the same time, different times, etc.

      We have implemented an SOP for our userbase with trusted devices in their accounts, etc., and by teaching our users the trusted device processes, this hadn't become an issue until this past Thursday.

      I've had over 20 *and counting* users contact our support stating that they're being locked out of their accounts. And what happens is, when they try to log in to their account, regardless of locale or past trusted device status, their accounts are immediately locked and previous API keys invalidated, while they are sent a 'Suspicious Login' email.

      Our standard workflow:

      User schedules webinar from our UI and we create the webinar using the API. User generates traffic through their channels for people to register for their webinar. They host their HTML pages, form submits to aEvent, and we register the subscriber with the associated services (we're at about 40 integrations).

      When it comes time for their webinar, depending on the user's desire and situation, their webinar is held in a number of ways. Some include our users accessing their dedicated desktop at our datacenter to conduct their webinars, play their videos, answer the live chat questions, etc. Some are done remotely, some done through a number of different presenters, etc. We open the ability for our users to conduct their needed webinars regardless of their situation; a LOT of our users are traveling, doing seminars, conferences, tradeshows, etc.

      Sometimes their connection isn't decent, etc. A big USP that we offer is the latter situation: we can offer our mutual base a solid connection, so they can present/conduct/monitor/moderate their webinars without the worry of the organizer disappearing and the webinar dying, or everyone being available, etc.

      At the end of their webinar, we download the attendance data from GoTo, and based upon the user's setup, we help them with omni-channel messaging to maximize their desired outcome from their business/webinar efforts.

      I hope this gives you an idea. More or less, Trusted Devices no longer works, or its priority level was reduced in authority. Yesterday, I signed into a GoTo account of ours from my home desktop. I then signed into that account from my home laptop (same connection, computers 1' apart, IP @ my home hasn't changed in 3 years) and the account was immediately locked.

      Something is weird. Thank you for your help with this matter. I've spent 10+ hours on the phone with your support the past 5 days, to no avail.

      --Winter

      Founder/CTO - aEvent

       

      • SamRS
        Active Contributor

        GlennD

        I spoke to support as well. We are aEvent users too (and unfortunately getting blocked), but more than aEvent not working, we can no longer use GTW as we have for the past decade. We are a team of ~10 (USA, Hungary, Israel, Romania) with 5 GTW accounts. We log in from different places. All trusted devices. And suddenly, nearly every time we log in we get a suspicious activity notice and need to reset password. I spent over an hour with support who acknowledged this is due to a new update and that many people are calling in. We did a live test on the phone, immediately getting locked out even after he approved my device.
        This is unsustainable.

        Please help.

        Sam from Really Successful
        Ticket # 17117758 for reference


  • There has definitely been a change in the aggressiveness of GoTo's security settings. We have not had lock-out issues but have recently been bombarded with having to verify and re-verify when logging in.

    Will this continue to persist or is this just a periodic change to re-verify what computers are being used to access an account?

     


      • SamRS
        Active Contributor

        Hi GlennD
        Thanks for the reply.

        "Once a device is trusted, it should not be denied access during subsequent logins. Also, devices cannot be trusted until one successful login attempt has been made."

        This is where we are having trouble. Trusted devices keep getting locked out. David (who I spoke to from support) went ahead and trusted my device. We then went to log in and got locked out. We did this test live and he agreed that there is an issue.

        Please advise what can be done.