Why do OAUTH and Google Authenticator require a monthly fee?

[Dr. McKay]

We already pay either a monthly fee or a one-time fee + yearly support/updates fee for the use of the WHMCS software.

 

I upgraded to the lastest version of WHMCS today (5.2.1) and was pleasantly surprised to discover that two-factor authentication had been added. I clicked over to the page in in the admin control panel and then found out that it costs $1.50 monthly to enable OAUTH and Google Authenticator support.

 

Why is this the case? Would it not be better to offer a feature that provides additional security at no cost to all customers for free?

[WHMCS Chris]

Hello,

 

This is an optional service, much like the Project Manager, License Manager, or other alternative third party addons. Alternatively, a Yubikey (which I use for everything) can also be integrated using WHMCS which is a one time $25 fee through Yubico for the Yubikey stick.

[haner]

I agree with the OP. I was appalled to find out that WHMCS is even more greedy and wants a monthly fee for two factor authentication. Given the security breaches this company had, they should be promoting this and including it in their product. Every other product out there that has two factor authentication provides it for free since it is enhancing their own product. It makes me sick to my stomach that this company wants to nickle and dime the customers that support it.

 

When other companies have security breaches, they've offered free credit monitoring and a range of other solutions to their customers. Not one thing came from WHMCS and now they want $1.50 a month for something that in the end, will provide security for all users of this software.

[brianr]

Seriously?! An open source solution with open protocols and an open client and they want to charge for it?!

 

/boggle

[Dr. McKay]

Hello,

 

This is an optional service, much like the Project Manager, License Manager, or other alternative third party addons. Alternatively, a Yubikey (which I use for everything) can also be integrated using WHMCS which is a one time $25 fee through Yubico for the Yubikey stick.

 

This is different. This is not an addon, this is part of the software. This is intentionally crippling security features in the software and forcing paying customers to pay extra in order to offer their users additional security features.

 

Charging a fee for SMS codes is completely understandable and justified. SMS messages are not free to send. Google Authenticator/OAUTH, however, takes no more than a few hours to integrate into most solutions and is open-source.

Edited March 13, 2013 by Dr. McKay

[LDHosting]

I'd have to agree with the other comments here, that's a pretty shady move.

 

One of the major highlights of this release is the introduction of Two-Factor Authentication. Both yours and your clients' security is of the utmost importance to us

 

Our security is of the utmost importance to you, just not quite as important as making money off an open source service?

Edited March 13, 2013 by LDHosting

[easyhosting]

why pay for Oath, ive had this as an addon for ages now and it was free http://whmcsaddon.com/products/oauth

[disgruntled]

In part i agree, IF and thats the only cause for me to agree, they have done some intensive re-factoring of the source code and made it function better than the original then yes charge for it, but if this is simply a case of, lets take some free code and charge for its usage, then remove it from the code and we can all stick to the free source code thanks.

 

 

Further more, whats with this upgrades fees, if your going to keep on charging me for upgrades what was the point in having me pay for an owned license. The point in me buying it was to have no more outlay for the product. If i wanted to keep paying for the software time and time and again i would have just gone with the monthly licensing and not had an upgrade fee to pay!

 

 

Just ran some calculations and actually the deal may not be so bad after all.

 

on an unbranded owned license with annual upgrade fees it would take about 30 years to match the cost of monthly for 10 years. I guess that in itself is reason enough to buy an owned license

Edited March 15, 2013 by disgruntled

[easyhosting]

well you could do the upgrades yourself and then you would save that money

[LDHosting]

I don't know, to me it just seems wrong to charge a premium for security features that have been promised for since the breach last year, especially when the security feature is an open source service that would have taken a couple of hours to integrate. To me, this clearly shows that WHMCS is more interested in lining their pockets than they are in customer security.

 

I could understand it slightly easier if it was a 1.50 one off charge to help cover coding costs (they would still profit doing this, just not huge recurring profits), or if it was costing WHMCS for SMS charges or something. This just feels a little like being held to ransom "Want us to make your billing system more secure? Pay us!". Would you charge a premium for encrypting passwords in the database and leave them in plaintext for those that won't pay?

 

Just my opinion, no doubt others will have their own.

[ditto]

Seriously?! An open source solution with open protocols and an open client and they want to charge for it?!

 

/boggle

 

I agree with you on this. I find it sickening that they encrypt their own software so that we can't fix things and contribute back, and then they take open source code and integrate it AND charge a monthly fee for it! I am speechless. I wish there was more competition, then they might not have done this.

[ljesh]

I was appalled too when I saw they charge for OATH. I paid for it, I need it, but it's the shadiest thing I have ever experienced.

I know it's not ethical, I just don't know if it's legal.

[WHMCS Chris]

I find it sickening that they encrypt their own software so that we can't fix things and contribute back.

 

Encrypting the software introduces a number of benefits that I doubt you're seeing here. It helps keep malicious users from releasing trojan injected versions of the software out, and malicious users from exploiting the software - these are just to name a few. Ultimately, it's the right of any software provider to ship their product encrypted, or open sourced if they wish. You're welcome to use the API to expand WHMCS to fit your needs so editing core files shouldn't be necessary.

[easyhosting]

Hi Chris

 

so how would the two-factor authentication work when i already have OAUTH and Google Authenticator as no good me paying £1.50 a month for something i already have

[ditto]

Encrypting the software introduces a number of benefits that I doubt you're seeing here. It helps keep malicious users from releasing trojan injected versions of the software out, and malicious users from exploiting the software - these are just to name a few. Ultimately, it's the right of any software provider to ship their product encrypted, or open sourced if they wish. You're welcome to use the API to expand WHMCS to fit your needs so editing core files shouldn't be necessary.

 

@WHMCS Chris - do not quote me and edit the quote and take it out of context! Shame on you!

 

You quoted this:

 

"Originally Posted by ditto

I find it sickening that they encrypt their own software so that we can't fix things and contribute back."

 

Thats not correct! You removed it out of context AND replaced the comma with a period at the end! I am sich of this. This is what I wrote:

 

"I agree with you on this. I find it sickening that they encrypt their own software so that we can't fix things and contribute back, and then they take open source code and integrate it AND charge a monthly fee for it! I am speechless. I wish there was more competition, then they might not have done this."

Edited March 16, 2013 by ditto

[brianr]

... But 2 Factor auth is infact something we've been looking at and working on for a few months now, and DuoSecurity is just one possible option that we're looking at adding support for, but there are 2 other completely free solutions we've implemented that I'm sure will be the most popular.

 

(Emphasis Added)

 

No comment needed, quote stands on its own.

[malfunction]

So I guess that's their new tag line, "WHMCS, where security is always optional".

 

I really don't know how, after all they have put us through in the last couple years right up to the current security drama, that they would even begin to think this was OK.

[Bubka3]

https://www.serverping.net/clients/cart.php?gid=3

Two Factor Auth, 15 bucks. Has more features and is not monthly, one time. I currently use it.

 

So I guess that's their new tag line, "WHMCS, where security is always optional".

This made me laugh, which on this forum, has been a very long time! Thank you.

[MemoryX2]

I agree with the OP as well. This is a very ridiculous move, from a company which as stated earlier has had many security issues recently.

 

Just another strike for me, I hope more billing options come along soon!

[easyhosting]

https://www.serverping.net/clients/cart.php?gid=3

Two Factor Auth, 15 bucks. Has more features and is not monthly, one time. I currently use it.

The also do a free trial of this, so anyone can try it out before purchasing, I will look at this once i upgrade to 5.2, but as i already have OAUTH and Google Authenticator i should not need it