We support some of our clients via LogMeIn connections. Our clients give us a username and password. We may have several people that make connections. Some of our people are experiencing different connection scenarios to the same client. User A may be able to connect without any issues, but user B is told to use 2 factor authentication. Why should it be different if we're all using the same credentials?
The experience you are seeing may be because of a security function based upon the known 'devices' versus the current connection location. Once you clear a new location you should be good to go thereafter with those credentials.
This is a new "feature" of LMI Central that even the support people at LogMeIn had NO IDEA about when we first called about it a few weeks ago. After being blown off for months with support we finally managed to escalate this to a developer who confirmed the "features" but refused to remove them from our account.
Basically what happens is LogMeIn determines that someone at your company (regardless of MFA settings) appears to be compromised, in our case from users entering their own password incorrectly a few times and locking the account.
Then what happens, no matter what the MFA policies state, LogMeIn will NOT provide access to these users until they access the email account on file to put in the special security feature code that LogMeIn silently implemented for its customers. This is a MAJOR issue for us because our users do NOT have remote access to their email accounts for security purposes. We have ALL users on our accounts set up for MFA, which should send their cell phones a login code; however, that is completely BYPASSED and the code is first sent to their email and then to their phones. This "feature" is completely wreaking havoc in our environment due to limited email capabilities of users until AFTER they are logged in with LMI.
Between this "feature" and LogMeIn deciding that they are going to randomly push Kaspersky on corporate owned computers without warning and even though we have an antivirus solution, we feel that the company can no longer be trusted to be transparent about their intent or policies. We understand the need for security, hence the reason our users don't have access to email externally, however there is NO communication from LogMeIn on these things and most of it's done under the radar without their own support folks knowing about it. We don't have a small account, we will be moving ALL of our products (LMI, Remote Support, JoinMe, etc.) to another company. Trying to get someone at LMI who cares is a worthless endeavor.
@gerdawg It is true that LMI cannot disable this security function for anyone, as it is baked into the system itself. With regards to resolving it however, it is quite simple to make a new User Profile for anyone you plan to introduce, so they can use their own set of credentials. We can remember 10 specific IPs without having to run the security check, so as long as these users don't have more than 10 devices, then they should be squared away.
The problem is, Ash, we have MFA set up to protect these users and it's completely bypassed by a LMI arbitrary "feature". We use their corporate email addresses to control access through Central. The email addresses are sent to their corporate owned accounts which they don't have access to outside of the firewall. For users with cable modems whose IPs can change week by week, this feature raised helpdesk support calls for us internally and we have no way to go snooping through their email to provide them with the code, hence they cannot access their computers remotely.
We do not want to link users' "personal email addresses" with our accounts whatsoever as our auditors would have a field day with this. It is much less secure because the chances of our users having their email address compromised is much greater than their phone SIM being spoofed. This was a poorly thought out feature and it boggles the mind why LMI decided to circumvent MFA to a text message on the user's device and just send it to the email account instead despite Central's administratively defined MFA policies.
Frankly, what's more perplexing is that there was never any notice to LMI customers that this would take place until well after we received tons of support calls from our userbase. A much more logical approach would have been to disable this feature for customers that have MFA policies defined rather than force a customer to MFA where LMI wants them to. Forcing our users to create personal gmail/hotmail accounts just to use your service isn't going to work for us and is way less secure.
In any event, we are already looking into alternative solutions for our users but it's sad after almost 10+ years as a customer this is the path we have to take because of some overzealous idea that doesn't make an ounce worth of sense for customers who are already using MFA on their accounts.