Hi @mcisar, welcome to the community.
If you try to sign in trough an incognito tab are you prompted? You're most likely still in an active sign-in session.
I find with the Desktop V5 software that if, I DO NOT sign out, I can get back in without adding credentials and 2FA. However, if I Sign Out, the next time I access the desktop software, I have to input username, pass, and then the codes from my 2FA authentication app, Google Authenticator in my case.
Yesterday I was prompted for 2FA in the browser but not in the desktop app. Today even in incognito mode the only point at which I was prompted for 2FA was when I went in to security settings to make sure enhanced security was turned on.
Other than that I've logged out of everything, closed the browser, manually killed any open Edge tasks, rebooted the machine. Still no prompt for 2FA in either browser or desktop app.
On my desktop, in the app, I'd be grumpy but maybe a little bit ok if it only prompted the password... but on my laptop for sure, I want that thing to prompt for 2FA each and every time I log in on the app... and certainly every time I log into a browser session on any machine (unless of course stay logged in is chosen).
Likewise if it were just getting into the "create a session" screen, not such a big deal... but when we start talking unattended access, and potentially unattended access with saved passwords... now we're talking about having a gateway into other computers. On that basis I wouldn't be upset to at least have the option of triggering even an extra (in addition to the at login time) 2FA prompt before accessing those.
It would appear that it has taken some sort of thumbprint that both my computer and laptop are coming from a happy place and don't need to bother me with 2FA right now. Unfortunately, in the case of GotoAssist, unlike a lot of other apps that I use, I really would prefer if it asked me each and every time as I think that's the correct security mantra for such an application. If the current behavior is intentional then maybe there needs to be an even more enhanced security level that does throw more 2FA prompts, for those users that would prefer it.
I won't mention that "keep me logged in" is the default state of the checkboxes when logging into the web interface which is kind of a hole in and of itself, unintended or not.