Two Factor Authentication for the Client Area and Admin Area

[jclarke]

This module allows you to add two factor authentication to both the client area and admin area of WHMCS.

 

For the client area, this module allows the primary account holder and sub accounts to setup an SMS verification number in the my details section of the client area. If enabled, upon login, they will be sent an SMS containing a security code and will be prompted to enter this code. Once the code is verified an encrypted cookie is saved which will authenticate that device for 30 days.

 

This module also adds this same feature to the admin area, admin users can setup an SMS verification number and will be prompted to verify each device they login using every 30 days.

 

This module requires an account with Twilio which is used to send the SMS messages. The cost to have an account with them is $1/month and most SMS messages cost just $0.01 per message. They provide support for a large number of global providers.

 

This module also requires the php mcrypt library/extention enabled.

 

This module will work on both WHMCS 5.0.3 and 5.1.2, the paid version is provided unencoded.

 

Order the 5 day free trial

 

Order for $15USD

[thebyp]

Got any screenshots of the user area?

[jclarke]

Here are some screen shots of the client area configuration page and the verification page for the client area and the admin area.

 

Both of the client area pages use a smarty template that can be easily changed to fit within your templates look/feel.

 

[Daniel]

Very nice

 

Any chance of a DuoSecurity mod in the future with token support?

[jclarke]

I looked at DuoSecurity when designing this, but it could get expensive quickly if you are using this in the client area. The first 10 users are free, then they charge $3/user/month. By using SMS messages from Twilio, the cost will only be ~one cent a month per user per device they login with and even that is only if the client happens to login that month. The only monthly fee from Twilio is the $1/month for the phone number.

 

However, I'll look into making DuoSecurity as an option for those who wants to use it, I could see it being useful for the admin area since most don't have more than 10 admin users.

 

I also looked into Google Authenticator but it still seems like a much easier process for the end user to just receive a simple text message and not have to worry about installing an app.

[openmind]

However, I'll look into making DuoSecurity as an option for those who wants to use it, I could see it being useful for the admin area since most don't have more than 10 admin users.

I'm not overly bothered about the client area but having DuoSecurity for the admin area would be awesome!

[thebyp]

can you force users to use it, or at least give them the option at registration?

[Daniel]

I'm not overly bothered about the client area but having DuoSecurity for the admin area would be awesome!

 

Indeed. I purchased a few hardware tokens with the idea of integrating it into the admin area but have not got around to it.

[jclarke]

can you force users to use it, or at least give them the option at registration?

Right now they will need to go into their profile and enable it similar to how most service providers are offering two factor auth. However, I was thinking in a future release adding a slash screen option upon login, if a user doesn't have two factor auth enabled it would give them an option to enable it or move on.

[jclarke]

Just a quick update regarding DuoSecurity, I have this working for the admin area, I just need to do some more testing and clean up the html and I should be releasing an update for this sometime today.

[Daniel]

That's awesome! Looking forward to it.

 

Will it support just SMS or their hardware tokens too?

[jclarke]

That's awesome! Looking forward to it.

 

Will it support just SMS or their hardware tokens too?

 

It fully supports all Duo Security auth tokens, including the smartphone apps and hardware tokens. You just need to link the hardware token from the Duo Security control panel. Because of the way Duo Security works, you will be required to authenticate every time you login to the admin area.

 

I'm just implementing this as an admin area option for now as I don't think most would want to pay $3/month per user for the client area.

[jclarke]

Version 1.1 is now available.

 

This version includes an option to use Duo Security or Twilio SMS for your admin area two factor auth system.

 

The client two factor auth system will still use Twilio SMS either way and if you just want to use this for the admin area you can skip the step of adding the menu item to the client area.

[BryanB]

Awesome. I just purchased and installed but when it takes me to the twofactorverify.php page I just get a blank white box.... Any ideas?

 

[jclarke]

Awesome. I just purchased and installed but when it takes me to the twofactorverify.php page I just get a blank white box.... Any ideas?

Make sure that you can access https://yourwhmcsdomain.com/modules/addons/twofactorauth/Duo-Web-v1.bundled.min.js

It should just show some javascript code.

If that page doesn't load, make sure it is uploaded and the permissions are set correctly.

 

If that isn't the issue, double check that you entered the API Host name correctly in the module configuration. You can disable the addon to get back into the admin area by renaming the module folder, logging in, then renaming it back.

 

If you still have issues, please open a ticket by email support@serverping.net and I will take a closer look for you.

[BryanB]

Thanks. It was the .js file, I had to change the path on line 286 of twofactorverify.php .... My WHMCS installation is in a sub directory but it was looking in the main directory.

 

 

Make sure that you can access https://yourwhmcsdomain.com/modules/addons/twofactorauth/Duo-Web-v1.bundled.min.js

It should just show some javascript code.

If that page doesn't load, make sure it is uploaded and the permissions are set correctly.

 

If that isn't the issue, double check that you entered the API Host name correctly in the module configuration. You can disable the addon to get back into the admin area by renaming the module folder, logging in, then renaming it back.

 

If you still have issues, please open a ticket by email support@serverping.net and I will take a closer look for you.

[Daniel]

All installed and working perfectly - loving the Duosecurity integration

 

Nice work jclarke

[jclarke]

Thanks. It was the .js file, I had to change the path on line 286 of twofactorverify.php .... My WHMCS installation is in a sub directory but it was looking in the main directory.

 

I will get this changed in the download to automatically enter the full path to WHMCS on this line so no one else will have this issue and you will not need to worry about changing this for future updates.

[sleepybaby]

can this module be translated to other language?

 

thanks

[jclarke]

can this module be translated to other language?

 

thanks

 

Yes, for the client side you can edit the template files and translate the text into any language you would like. For the admin area you can also edit the php file used to verify the authentication since the full version is unencoded.

[jclarke]

Version 1.2 is now available.

 

This version adds support for authy.com for both the client area and the admin area. Authy offers a free service for up to 100,000 users.

[robb3369]

Is it possible to require ALL admins and/or users to use the module, or if not, can we have a page to display the users who have it enabled/not-enabled?

[Daniel]

Unless I've missed something it isn't possible for admins to opt-out of this, it's enabled for all admins.

[jclarke]

Is it possible to require ALL admins and/or users to use the module, or if not, can we have a page to display the users who have it enabled/not-enabled?

 

Currently this is only supported if you are using DuoSecurity for the admin area, then all Admin users are required to setup and use Two Factor auth. In a future release we will be adding an option to redirect the user to the setup screen upon login for those who haven't setup two factor auth for the client and admin area.

[Bubka3]

Can we use this and force this for just admins?