TLS 1.0 and 1.1 Deprecation for Specops Authentication
Transport Layer Security (TLS) is the security protocol used to encrypt and protect web traffic. You may know it as SSL (Secure Sockets Layer); TLS is an upgrade to SSL. There are multiple versions of TLS; as of today, only TLS 1.2 and TLS 1.3 are considered secure. Older versions are deprecated and should no longer be used.
On December 15, 2021, Specops will disable support for end users connecting to Specops Authentication using TLS 1.0 or 1.1. All connections will require TLS 1.2.
Note: TLS 1.3 support is on our roadmap for a future release.
Specops Authentication is the MFA platform for Specops uReset, Specops Secure Service Desk, Specops Key Recovery and Specops Authentication for O365. Users of any of these solutions will be affected by this change.
Action Required? Probably Not
For the vast majority of organizations, no action will be required. All modern client operating systems and browsers support and use TLS 1.2 by default. Only outdated/legacy clients or systems where TLS 1.2 has not been enabled might be affected; if you have any such systems, they should be upgraded to support TLS 1.2 immediately.
Many Enterprise services have already made a similar change. For example, Microsoft 365 has already introduced a requirement for TLS 1.2. If your users are able to access and use Microsoft 365 services, they are guaranteed to have TLS 1.2 support already, and no further action is required here.
Verifying TLS 1.2 Support
There are a number of third-party resources that you can use to confirm whether a particular client/browser supports TLS 1.2. For the purposes of this doc we will use https://browserleaks.com/ssl but there are plenty of others available. Visiting these sites will confirm (among lots of other useful insights) the version(s) of TLS your browser supports. As long as TLS 1.2 is listed as ‘enabled’ or ‘supported’ you are good to go.
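For Windows clients where opening a browser is impractical, the same question can be answered from PowerShell. This is an added example, not Specops code: it reads the SChannel registry override for the TLS 1.2 client and then attempts a handshake that offers only TLS 1.2. The default host is the test site named above, and the function and parameter names are hypothetical.

```powershell
# Added example, not Specops code. Function and parameter names are hypothetical.
param(
    [string]$TargetHost = 'browserleaks.com',  # test site named on this page
    [int]$Port = 443
)

function Get-SchannelTls12ClientState {
    # SChannel override key; when it is absent, the operating system default applies.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if (-not (Test-Path $key)) { return 'No override (OS default applies)' }
    $p = Get-ItemProperty -Path $key
    if ($null -ne $p.Enabled -and $p.Enabled -eq 0) { return 'Disabled (Enabled = 0)' }
    if ($null -ne $p.DisabledByDefault -and $p.DisabledByDefault -ne 0) {
        return 'Off by default (DisabledByDefault = 1)'
    }
    return 'Enabled'
}

function Test-Tls12Handshake {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Offer TLS 1.2 only: a successful handshake proves the client can negotiate it.
        $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
        # Revocation checking is off so an unreachable CRL is not mistaken for a TLS failure.
        $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)
        return "OK ($($ssl.SslProtocol))"
    } catch {
        return "FAILED: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }
}

# One summary object per machine, suitable for collecting across a fleet.
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    SchannelTls12  = Get-SchannelTls12ClientState
    Tls12Handshake = Test-Tls12Handshake -HostName $TargetHost -Port $Port
}
```

The handshake goes through the Windows SChannel stack, so it reports what the operating system can negotiate; Internet Explorer's own protocol settings can restrict this further, which is why the browser-based checks on this page still apply.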
Specops Secured Browser
This section applies only to Specops uReset customers using the Specops Authentication client to provide password reset capabilities at the logon screen. When users use uReset here, the Specops Authentication client launches a purpose-built Secured Browser to take users to uReset to authenticate and reset their password.
You can launch the Secured Browser on your own from the command line. To truly mimic the behavior of the Reset Password link, you should launch the Secured Browser from a command prompt running as the local SYSTEM account.
Specops Authentication clients 7.15 or earlier, or newer without WebView installed:
This test will verify the legacy Secured Browser (using the Internet Explorer engine) supports TLS 1.2. Run the following command to launch the Secured Browser:
In this test you will see a Security Warning on launch — this is expected behavior and NOT an indication of an issue with TLS 1.2. Click Yes to proceed.
Results showing TLS 1.2 is enabled, confirming no action is required. All that matters is that the TLS 1.2 line says “enabled” here:
If the secured browser throws an error indicating the page could not be found, this is likely an indication that your client does not support TLS 1.2.
Confirm by loading https://browserleaks.com/ssl in Internet Explorer. You will get a slightly different error here, again expected if your client does not have TLS 1.2 enabled:
Specops Authentication clients 7.16 and newer with WebView2:
If you have installed version 7.16 or later alongside the Specops WebView2 Installer, verify TLS 1.2 support in the new Secured Browser V2 included in this client:
Results confirming TLS 1.2 is enabled and no further action is required.