Dec 2022 UPDATE: Single Sign On using Microsoft or Google is now available when logging into eTool. Please refer to this support post for more information: Single Sign On
Background
Due to increasing pressure from our customers and continually improving security standards eTool have introduced some additional security measures for all users. We have followed a pattern that attempts to detect suspicious behaviour and then requests an additional step prior to logging in.
Jump to the following sections in this post:
Process
eTool users will be required to enter a temporary pin in addition to their password if:
- Your device has not been previously recognised by eTool (note this may include subtle changes to your device like operating system upgrades or changes to the monitor size)
- You log in from a location (estimated with IP Address) that is a significant distance from your last login (this could be triggered by the use of a VPN)
- Concurrent sessions are detected
- You’re part of an enterprise in eTool and your enterprise admins have activated compulsory two factor authentication
The temporary pin is sent to the email you’ve registered your eTool account with. Once you’ve received the email and your temporary pin, please ensure that you enter that pin into the first field as shown below.
OR you can click on the link as provided in the email.
Note that you must enter this temporary pin within the allocated 5 minutes so remember to check your spam folders in case they were delivered there. If the email is taking longer than that to arrive in your inbox, please notify your IT department to consider the below guidance:
Trouble Shooting Delayed Pins
White-listing
Ensure that the pin number email from our app has been white-listed to expedite their delivery. The subject will always be “eTool temporary login pin” and the ‘from’ address will be admin@etoolglobal.com (note that we send this transactional email from the app via Mandrill so the ‘from’ address in the detailed email header will be from a mandrill app server). Note that in the first few weeks after introducing this feature we monitored it carefully and had over 250 separate users successfully login (and approximately 1000 different user/device/location combinations where pins were required, successfully retrieved and entered). During this time only two people reported issues logging in due to delays in receiving the pin.
Additional Information for IT Teams Using Mimecast:
- At last count there have been 1000’s of successful pin recoveries and logins by hundreds of users and only three customers with late pin arrivals.
- The issue was resolved for each affected customer by changing to an alternative email address (eg gmail, hotmail, yahoo etc).
- Investigation of the affected customers over time revealed that all were using Mimecast email servers. The Mimecast servers were responding to our email server with a 451 “server busy” message which caused our server to re-attempt the send operation at 10 minute intervals until successful.
- The Mimecast 451 “Server Busy” response to the initial send attempt appears to be related to a crude spam filter greylisting process affecting unrecognised IP and email address combinations (see this article about Mimecast email greylisting policies).
- The recognition of the IP and email address combination appears to be reset for a given email each time a new IP is used (that is if a IP sending IP addresses alternates each new email will be greylisted).
- The email header of the eventual successful message will appear to be delayed from eTool’s server (mandrill / mailchimp) however the email header doesn’t include information regarding previous send attempts.
- Although the Mimecast support article indicates that whitelisting domains or specific emails should prevent the “server busy” messages (by adding them to the “always allow” configuration) in some cases the greylisting continued. In this situation the issue was resolved by whitelisting the Mandrill / MailChimp IP addresses.
- In addition to the Mandrill / MailChimp IP addresses in the link above (may get updated so please follow the link for the most updated info), please ensure that our domains below are whitelisted:
If you are still having issues receiving your temporary pin after your asking your IT team to action the above please contact us directly via lcdsupport@etoolglobal.com using the same email address that your eTool account is registered with.
Related Posts: Activating Single Sign On