FLAW::: RingCentral web portal Login Security Script "does not recognize this device"

  • 2
  • 3
  • Idea
  • Updated 1 month ago
USA-based acct | 2287 Users | 3800 DID lines | 28 sites | all Polycom VVX500 phone handsets 

2018-04-30  Use Case - we pre-provision and activate user accounts from our centrally located Network Operations Center because we have thousands of users. 

The current way the security login challenge works via the web portal on a Samsung S8+ Galaxy phone with most current version Chrome Browser has a huge flaw. 

This is current hardware with the latest version of O/S and latest Chrome Browser.

Provisioning or moves adds changes can not longer be done on an Android smartphone via the web portal --- because of the way the Login Challenge Script works (DOESN'T WORK) 

Ring Central's security validation challenge locked me out all weekend when using the same device on the web portal that we use every day.

Clearly, RC does not store the unique mac address info for devices accessing the portal for admin purposes every day.

There  must be some other way to validate the credential beside using an email - such as send it to the device via TXT message or asking an onscreen question that will not require user to flip between their email app (to get the security code) and the "challenge window" which results in spawning another security code over and over. 

Was locked out of SuperAdmin all weekend because of the RingCentral Login validation script that forces you to get a security code via email   to login from the SAME DEVICE YOU USE ON RING CENTRAL EVERY DAY as an unrecognized device.   

Whatever token or info the RingCentral script is calling to "recognize" the device  is throwing up a message that would seem to indicate a "not recognized device"  answer for any device every time no matter what.  
Photo of Cecile Glassy

Cecile Glassy, Champion

  • 22,280 Points 20k badge 2x thumb
  • Super irritated

Posted 2 years ago

  • 2
  • 3
Photo of Peter Eastvold

Peter Eastvold

  • 90 Points 75 badge 2x thumb
I was having this problem all week with Chrome. Then finally I tried it with Microsoft Edge, and it worked... Something wrong with the programming there.
Photo of Mike Gustavson

Mike Gustavson

  • 1,626 Points 1k badge 2x thumb
I have this issue CONSTANTLY. It is so intermittent, but I see it on multiple machines - this isn't just an Android issue.

To date, I still haven't been able to use the Chrome extension, because it throws this error every time. When it happens, I can usually log in with Edge - and when I do that, it's 50/50 whether it even prompts for 2FA at all!

It's also very common that the 2FA code I get to e-mail just doesn't work.

So frustrating that this barely works. 


Photo of MyoVision

MyoVision

  • 80 Points 75 badge 2x thumb
RingCentral are we getting a resolution on this?
Photo of Jessica - Community Moderator

Jessica - Community Moderator, Official Rep

  • 13,506 Points 10k badge 2x thumb
Hi Everyone, 

I reached out to a Software Engineer and they advised that:
This usually happens when the Chrome browser has the "Ad Block" extension/plug-in installed, especially the one named - uBlock Origin. Since RingCentral is using the 3rd party service (iovation) to obtain the device ID, iovation's library name has the "snare" keyword that is blocked by some of the "Ad block". You see the following is an example for "uBlock Origin" that blocks the library that RC is using for 2-factor authentication.


Photo of Peter Eastvold

Peter Eastvold

  • 90 Points 75 badge 2x thumb
Cool!
It would be great if RingCentral Support reps knew this.
I wasted some massive time with them.
Photo of Mike Gustavson

Mike Gustavson

  • 1,626 Points 1k badge 2x thumb
This is good feedback - I do use UBlock Origin on some machines so will test without that.
Photo of Cecile Glassy

Cecile Glassy, Champion

  • 22,280 Points 20k badge 2x thumb


USA-based acct | 2287 Users | 3800 DID lines | 28 sites | all Polycom VVX500 phone handsets

2019-02-06  No add block extensions in use in our organization, other than the builtin one to Chrome.  It is a known flaw, and they really need to fix it.  Google is a Partner with RingCentral - we are a fully Google-based organization. 

Other security verification utilities are using TEXT the security verify code via SMS with an input window for entering the phone# to text it to -  INCLUDING  Google is using it.   The library RC uses for 2 factor needs to be either updated and provide an alternative. 

This is a huge roadblock for Enterprise Level customers who have to admin their RC system from various computers or devices. 
Photo of Jessica - Community Moderator

Jessica - Community Moderator, Official Rep

  • 13,506 Points 10k badge 2x thumb
Thanks for the clarification Cecile, I'll go back with this additional information and see what else I can find out for you. 
Photo of Mike Gustavson

Mike Gustavson

  • 1,626 Points 1k badge 2x thumb
Aside from the adblock issue - can we get true 2FA with an authenticator app, rather than call/text?

The text method is inherently less secure, as well as being slower and more cumbersome.

Is that on the roadmap at all?
Photo of Jessica - Community Moderator

Jessica - Community Moderator, Official Rep

  • 13,416 Points 10k badge 2x thumb
Hi Mike, 

I confirmed with our PMs that it's not currently called out on the roadmap, but a long term solutions is being researched. 
Photo of Phil Caplinger

Phil Caplinger

  • 60 Points
Still having the exact same issue with Chrome and my ability to login.  I'm emailed the security code and it still says "can't recognize this device"  This thread is over a year old!!  What the heck is going on?!
Photo of Scott Poest

Scott Poest

  • 118 Points 100 badge 2x thumb
This verification process has some serious issues.  It happens often to us, on browsers with no adblock installed. 

On my device using Chrome, I have had this issue several times.  I have totally removed any adblock and even set up a new profile with no ad-ons at all.

If you take a look at the F12 Network traffic diagnostics in Chrome, the 3rd party continuously returns the following: 

status: {success: false, code: 320, message: "Empty device id"}}
So something isn't right.  I rarely have issues on the hundreds of other sites I have to sign into, and when I do, simply disabling any adblock fixes them.  I understand the need for security, but this simply isn't working.

To post this, I had to go to another machine and use Chromium.  It let me sign in right away.  No clue why.  I'm in the same location.  Please help!
Photo of Scott Poest

Scott Poest

  • 118 Points 100 badge 2x thumb
I decided to spend some time troubleshooting this today.  This is a hardcore verification system and honestly overkill for a telephone system in my opinion, but I don't run Ringcentral.

This fraud detection system is used by many industries, and if your browser can't get to iesnare.com to load the script that verifies you, you can't get past the login verification.

In my case, there was an upstream DNS filtering system that was blocking access to that entire site.  You need to be able to access mpsnare.iesnare.com and iesnare.com in order to load the scripts.  This is in addition to turning off or whitelisting any adblockers.

Some firewalls will also simply reject traffic to these sites.  DNS filters apparently do because the service is also used by gambling sites.

Hope it helps someone!