Two-factor authentication is a major problem with WinSCP

Drakan

Hello,
My institution uses 2-factor authentication (password + code generated on my phone). I like to open 2 instances of WinSCP, 2 Putty, and then move files back and forth my computer. This means that I need to input the code from my phone at least 6 times! It takes me 3 minutes just to start working.

The response of the tech support is as follows:
"The problem lies in the behaviour of WinSCP. What happens when you try to edit a file or upload a new one is that the program starts a new ssh-session to the server. It will reuse the username and password but will ask for a new code as this is in fact a new connection. As this is a new session you cannot reuse the code. This also means that you will not be able to fix this regardless of how long the code is valid, not even through scripting."

Is there anything that you can do to address this problem? Maybe I can use an older version of WinSCP? I have been using WinSCP for 20 years and want to keep using it, but it doesn't work well with this two-step authentication procedure.

Thank you,
Drakan

martin
Site Admin
Location:
Prague, Czechia

Drakan wrote:

This also means that you will not be able to fix this regardless of how long the code is valid
Actually, afaik, people do reuse the codes, at least if they edit the first file soon enough after the session is started.

Drakan

martin wrote:

Drakan wrote:

This also means that you will not be able to fix this regardless of how long the code is valid
Actually, afaik, people do reuse the codes, at least if they edit the first file soon enough after the session is started.

Sorry, I don't understand your answer. Edit which file? I have to put in the OTP to first connect with WinSCP, then again when I open putty, then again when I open a file to edit.

martin

Drakan wrote:

Sorry, I don't understand your answer. Edit which file? I have to put in the OTP to first connect with WinSCP, then again when I open putty, then again when I open a file to edit.
The first file. Usually the code is not required if you are opening another connection from the same IP within some interval. So if you edit (and mainly save) the first file right after opening the main session, you will not need to enter another code. The connection for uploading edited files is preserved in the background, so WinSCP will not open any new session for later files.

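The server-side behaviour described in the reply above (no second code for another connection from the same IP within some interval), modelled as an added example that is not part of the original thread and is not WinSCP or server code. The class name, the 300-second window, the user names and the connection timeline are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class OtpGracePolicy:
    """Hypothetical server policy: after one OTP login, later logins by the
    same user from the same IP skip the OTP until the grace interval ends."""
    grace_seconds: int
    _last_otp: dict = field(default_factory=dict)  # (user, ip) -> time of last OTP entry

    def needs_otp(self, user: str, ip: str, now: float) -> bool:
        last = self._last_otp.get((user, ip))
        return last is None or now - last > self.grace_seconds

    def login(self, user: str, ip: str, now: float) -> bool:
        """Process one new connection; return True if an OTP prompt was shown."""
        prompted = self.needs_otp(user, ip, now)
        if prompted:
            # Only a real OTP entry starts the window. Exempted logins do not
            # extend it, so the exemption cannot be renewed indefinitely.
            self._last_otp[(user, ip)] = now
        return prompted

def count_prompts(policy: OtpGracePolicy, connections) -> int:
    """Number of OTP prompts a sequence of (user, ip, time) connections causes."""
    return sum(policy.login(user, ip, t) for user, ip, t in connections)

# Constructed timeline (seconds) for the workflow described in the thread.
WORKFLOW = [
    ("user1", "198.51.100.7", 0),    # WinSCP instance 1, main session
    ("user1", "198.51.100.7", 20),   # WinSCP instance 2, main session
    ("user1", "198.51.100.7", 40),   # PuTTY window 1
    ("user1", "198.51.100.7", 60),   # PuTTY window 2
    ("user1", "198.51.100.7", 90),   # instance 1 background session (first save)
    ("user1", "198.51.100.7", 110),  # instance 2 background session (first save)
    ("user1", "203.0.113.9", 120),   # same user, other IP: not exempt
    ("user1", "198.51.100.7", 900),  # background session re-opened after expiring
]

if __name__ == "__main__":
    print("no grace window  :", count_prompts(OtpGracePolicy(0), WORKFLOW[:6]))
    print("300 s grace      :", count_prompts(OtpGracePolicy(300), WORKFLOW[:6]))
    print("300 s, full trace:", count_prompts(OtpGracePolicy(300), WORKFLOW))
```

The last two rows of the timeline show what the exemption does not cover: a connection from a different address, and a background session that has to be re-opened after the window has passed.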

Drakan

martin wrote:

Drakan wrote:

Sorry, I don't understand your answer. Edit which file? I have to put in the OTP to first connect with WinSCP, then again when I open putty, then again when I open a file to edit.
The first file. Usually the code is not required if you are opening another connection from the same IP within some interval. So if you edit (and mainly save) the first file right after opening the main session, you will not need to enter another code. The connection for uploading edited files is preserved in the background, so WinSCP will not open any new session for later files.
I feel that there is a miscommunication. Here is how I connect to WinSCP (version 5.15.3; build 9925). Higher versions don't work well. Please see this short video and you can understand the problem.
<invalid hyperlink removed by admin>
Thank you again for your help,
Drakan

martin

Drakan wrote:

I feel that there is a miscommunication. Here is how I connect to WinSCP (version 5.15.3; build 9925). Higher versions don't work well.
What is wrong with the higher version?

Other than that, I understand your workflow. But there's not much I can help you with. Of course I could re-implement WinSCP to optionally upload the edited file on a foreground connection. But that's a huge change and I'm unlikely to do that unless there's more demand.

As I wrote above, I believe that most similar systems allow consecutive logins without additional authentication. Talk to your administrators if you want that. There's nothing WinSCP can help you with on this side (unless I've misunderstood something).

It also seems that you have a problem with the background session expiring. Did you try to enable session keepalives?
https://winscp.net/eng/docs/ui_login_connection

Drakan

The problem with the higher version was exactly the keep alive issue, it didn't work so well. It would have asked me for the password when I wanted to copy files. In this version it worked better. It just bugs me about the OTP. I am using "Sending of null SSH packets." I had 10 seconds, I reduced it to 5 seconds.

I was hoping that some old WinSCP version would work for me. The problem is that WinSCP creates a new session every time I open a putty or open file, which requires this OTP.

I hope other users who have the same problem would speak up.

martin

Drakan wrote:

The problem with the higher version was exactly the keep alive issue, it didn't work so well. It would have asked me for the password when I wanted to copy files.
Can you please post session log files from both versions, showing the authentication when copying files?

I am using "Sending of null SSH packets." I had 10 seconds, I reduced it to 5 seconds.
Did you try the other mode?

I was hoping that some old WinSCP version would work for me. The problem is that WinSCP creates a new session every time I open a putty or open file, which requires this OTP.
I hope you understand that there's nothing we can do about PuTTY authentication. It's a different application.
WinSCP does not create a new session every time you open a file. It creates a session the first time you save any file. And then only if the session expires (which can be prevented). If you have a different experience, please post a session log file.
