
Two Factor Authentication for the Client Area and Admin Area



This module allows you to add two factor authentication to both the client area and admin area of WHMCS.

 

For the client area, this module allows the primary account holder and sub accounts to set up an SMS verification number in the My Details section of the client area. If enabled, upon login, they will be sent an SMS containing a security code and will be prompted to enter this code. Once the code is verified, an encrypted cookie is saved which will authenticate that device for 30 days.

 

This module also adds this same feature to the admin area: admin users can set up an SMS verification number and will be prompted to verify each device they log in with every 30 days.

 

This module requires an account with Twilio which is used to send the SMS messages. The cost to have an account with them is $1/month and most SMS messages cost just $0.01 per message. They provide support for a large number of global providers.

 

This module also requires the PHP mcrypt library/extension enabled.

 

This module will work on both WHMCS 5.0.3 and 5.1.2; the paid version is provided unencoded.

 

Order the 5 day free trial

 

Order for $15USD

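One way a 30-day "trusted device" cookie like the one described in the post above can be made tamper-evident, as an added example that is not the module's own code. It signs the payload with HMAC-SHA256 instead of encrypting it (an assumption; the post only says the cookie is encrypted), and every function and constant name here is hypothetical.

```php
<?php
// Added example: signed device-trust token with a 30-day lifetime.
// issueDeviceToken, verifyDeviceToken and DEVICE_TTL are hypothetical names.

const DEVICE_TTL = 30 * 24 * 3600; // 30 days, as described in the post

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function issueDeviceToken(string $key, int $userId, int $now): string {
    // Payload: account id, expiry, and a random device id so that a single
    // device can be revoked server-side without rotating the key.
    $payload = b64url(json_encode([
        'uid' => $userId,
        'exp' => $now + DEVICE_TTL,
        'dev' => bin2hex(random_bytes(16)),
    ]));
    $mac = b64url(hash_hmac('sha256', $payload, $key, true));
    return $payload . '.' . $mac;
}

function verifyDeviceToken(string $key, string $token, int $userId, int $now): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $key, true));
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return false;
    }
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['uid'], $data['exp'])) {
        return false;
    }
    // Bind the token to the account logging in and enforce expiry server-side,
    // not only through the cookie's own Expires attribute.
    return $data['uid'] === $userId && $data['exp'] > $now;
}

// Constructed demo values.
$key   = random_bytes(32); // server-side secret, never sent to the client
$now   = time();
$token = issueDeviceToken($key, 42, $now);

var_dump(verifyDeviceToken($key, $token, 42, $now));                  // same account, fresh token
var_dump(verifyDeviceToken($key, $token, 43, $now));                  // token presented for another account
var_dump(verifyDeviceToken($key, $token, 42, $now + DEVICE_TTL + 1)); // past the 30-day window
var_dump(verifyDeviceToken($key, $token . 'x', 42, $now));            // signature altered
```

When such a token is stored as a cookie, it should be set with the Secure and HttpOnly attributes so it is only sent over HTTPS and is not readable from page scripts.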

Here are some screenshots of the client area configuration page and the verification page for the client area and the admin area.

 

Both of the client area pages use a Smarty template that can be easily changed to fit within your template's look/feel.

 


I looked at DuoSecurity when designing this, but it could get expensive quickly if you are using this in the client area. The first 10 users are free, then they charge $3/user/month. By using SMS messages from Twilio, the cost will only be ~one cent a month per user per device they log in with, and even that is only if the client happens to log in that month. The only monthly fee from Twilio is the $1/month for the phone number.

 

However, I'll look into making DuoSecurity an option for those who want to use it. I could see it being useful for the admin area since most don't have more than 10 admin users.

 

I also looked into Google Authenticator but it still seems like a much easier process for the end user to just receive a simple text message and not have to worry about installing an app.


However, I'll look into making DuoSecurity an option for those who want to use it. I could see it being useful for the admin area since most don't have more than 10 admin users.

I'm not overly bothered about the client area but having DuoSecurity for the admin area would be awesome!


Can you force users to use it, or at least give them the option at registration?

Right now they will need to go into their profile and enable it, similar to how most service providers are offering two factor auth. However, I was thinking of adding a splash screen option upon login in a future release: if a user doesn't have two factor auth enabled, it would give them an option to enable it or move on.


That's awesome! Looking forward to it.

 

Will it support just SMS or their hardware tokens too?

 

It fully supports all Duo Security auth tokens, including the smartphone apps and hardware tokens. You just need to link the hardware token from the Duo Security control panel. Because of the way Duo Security works, you will be required to authenticate every time you log in to the admin area.

 

I'm just implementing this as an admin area option for now as I don't think most would want to pay $3/month per user for the client area.


Version 1.1 is now available.

 

This version includes an option to use Duo Security or Twilio SMS for your admin area two factor auth system.

 

The client two factor auth system will still use Twilio SMS either way, and if you just want to use this for the admin area, you can skip the step of adding the menu item to the client area.


Awesome. I just purchased and installed but when it takes me to the twofactorverify.php page I just get a blank white box.... Any ideas?

Make sure that you can access https://yourwhmcsdomain.com/modules/addons/twofactorauth/Duo-Web-v1.bundled.min.js

It should just show some JavaScript code.

If that page doesn't load, make sure it is uploaded and the permissions are set correctly.

 

If that isn't the issue, double check that you entered the API Host name correctly in the module configuration. You can disable the addon to get back into the admin area by renaming the module folder, logging in, then renaming it back.

 

If you still have issues, please open a ticket by emailing support@serverping.net and I will take a closer look for you.


Thanks. It was the .js file; I had to change the path on line 286 of twofactorverify.php .... My WHMCS installation is in a subdirectory but it was looking in the main directory.

 

 


 

I will get this changed in the download to automatically enter the full path to WHMCS on this line so no one else will have this issue and you will not need to worry about changing this for future updates.


Can this module be translated to other languages?

 

Thanks

 

Yes, for the client side you can edit the template files and translate the text into any language you would like. For the admin area you can also edit the PHP file used to verify the authentication since the full version is unencoded.


Is it possible to require ALL admins and/or users to use the module, or if not, can we have a page to display the users who have it enabled/not-enabled?

 

Currently this is only supported if you are using DuoSecurity for the admin area; then all admin users are required to set up and use two factor auth. In a future release we will be adding an option to redirect the user to the setup screen upon login for those who haven't set up two factor auth for the client and admin area.
