Two-factor authentication

Hi Support Team,

The issue is regarding two-factor authentication. I am able to login on my web server by just providing the token key with an already stored password. However, whenever I edit the first file opened from the WinSCP explorer and save it, WinSCP asks for authentication again. At this time, WinSCP asks for both password and token.

This bug is very similar to "Minor problem with ssh google two-factor authentication". I am attaching the debug logs for your reference.

Thanks and Regards,
Amit Ruhela

And what is the expected behavior? Do you expect no prompt at all (reusing password and token)? Or is the token one-time only, and you expect no password prompt, but you need a token prompt for a new token?

Since a user has already logged in to the remote server, therefore, I expect WinSCP not to ask the authentication again while doing file modification. If not possible for some reason, then, for the ease of users, WinSCP should use the already stored password and only ask for the token to be entered.

WinSCP never asks for second time authentication until all files are only read. Only, when a file is modified, it requests for second time authentication. Once credentials are verified, one can modify several files without any further authentications.

aruhela wrote:

Since a user has already logged in to the remote server, therefore, I expect WinSCP not to ask the authentication again while doing file modification. If not possible for some reason, then, for the ease of users, WinSCP should use the already stored password and only ask for the token to be entered.

Files saved in an editor are put to a transfer queue for an upload. The queue (must) uses a different connection, so it needs a new authentication. WinSCP actually remembers the token (assuming it's a password) and re-tries it for the authentication. That fails (I assume the token is one-time only) and WinSCP restarts the authentication from the scratch, not using a stored password, as it does not know what caused failed authentication (which of the two "passwords"). Try turning off Remember password for duration of the session:
https://winscp.net/eng/docs/ui_pref_security

Thanks, Martin for the information and the suggestion.

Is it possible to create both the connections beforehand (at the time of first connection creation)?

Amit

@aruhela: No. Would that even help? I understood that you need a separate token for each. So you would still have to type a token twice. And you would possibly even not know, which token belongs to which connection, right?

Hi Martin,

Several times, I have opened two windows (one PuTTY and another WinSCP) using the same token. It depends upon how fast you enter the token which remains the same for about 30 seconds. I believe it is possible to open two sessions in the background within WinSCP using the same token. if you can generate a temporary executable, I can give it a try.

Thanks,
Amit

This request has been added to the tracker:
Issue 1681 – Create background queue connection right after session starts

I'm sending you an email with a development version of WinSCP to the address you have used to register on this forum.

Thanks, Martin for the quick fix. I really appreciate your efforts.

Is it possible to download the development version? If yes, can you point me the weblink?

Amit

Hello there,

You mention in [url*]https://winscp.net/tracker/1681[/url] that the simultaneous creation of the background queue could be enabled with a hidden setting somewhere.

Is there anywhere I could find instruction on how to do this?
This is something I have wanted to do for a very long time.

@CallumWalley: That was a development version that I tried. You would have to contact @Martin to get the feature status and hidden setting.

@CallumWalley: The option is Interface\QueueBootstrap=1
For instructions for setting it, see https://winscp.net/eng/docs/rawconfig

Thanks Martin!

Hello,

I would also like to simultaneously create this background queue but I do not see the Interface\QueueBootstrap=1 option at the link above, nor could I find any way to enable this in the preferences window. Is it possible to enable this? Thank you in advance.

Best regards,
Kris

@kstopka3: While the link does not explicitly document Interface\QueueBootstrap, it shows how to set such option, no matter what it is.
https://winscp.net/eng/docs/rawconfig#example
See also
https://winscp.net/eng/docs/commandline#rawconfig
You can also just edit it in Windows registry (or INI file).

Hi Martin,

Thank you for your response. I am not very familiar with this type of syntax, unfortunately, and I am unsure how to implement this. I saw that I could choose "Automatic INI file" under the storage option but this file gets overwritten when changes are made to it (i.e., when I do something in WinSCP like close the program). Could you please tell me exactly how I would go about making a change to the Windows registry (step by step)? Thank you in advance.

Best regards,
Kris

@kstopka3: You will find zillions of articles/videos online on changing Windows registry.

And as you already know how to get the INI file: Well, just close WinSCP before you make the changes to the INI file!